Date: Thu, 31 May 2001 17:54:49 -0700
From: "Crist Clark" <crist.clark@globalstar.com>
To: "f.johan.beisser" <jan@caustic.org>
Cc: Alex Holst <a@area51.dk>, freebsd-security@FreeBSD.ORG
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
Message-ID: <3B16E7D9.3E9B78FF@globalstar.com>
References: <Pine.BSF.4.21.0105311727160.66343-100000@pogo.caustic.org>
"f.johan.beisser" wrote: > > On Fri, 1 Jun 2001, Alex Holst wrote: > > > That should be verified often with scanssh or something similar. I was > > surprised when I read about the compromise, because it gives the impression > > that people are still using passwords (as opposed to keys with passphrases) > > for authentication in this day and age. Is that correct? If so, why is that? > > based on what i've read this morning, it wouldn't have made > all that much of a difference. aparently the compromised > version of ssh recorded passphrases, and keys. > > i don't see how else you could have avoided this problem. *sigh* You cannot 'record passphrases.' RSA authentication uses public key cryptography. The client, the person logging in, proves it knows a secret, the private key, without ever revealing it to the server who only knows the public key. The use of public key crypto allows you to log into potentially untrusted servers without revealing your secret. -- Crist J. Clark Network Security Engineer crist.clark@globalstar.com Globalstar, L.P. (408) 933-4387 FAX: (408) 933-4926 The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact postmaster@globalstar.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
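
The challenge-response idea described in the message above, as an added example that is not part of the original e-mail or of any SSH implementation: a logging server records everything it receives during a login, and a recorded response is then replayed against a fresh challenge. Assumptions: the key is toy textbook RSA built from two constructed Mersenne primes (no padding, insecure), the exchange is a simplified signature-style handshake rather than the SSH wire protocol, and all function names are hypothetical.

```python
import hashlib
import secrets

# Toy textbook-RSA key from two Mersenne primes (constructed, insecure).
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                  # public key: all the server ever holds
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent: stays on the client


def digest(challenge: bytes, session_id: bytes) -> int:
    """Hash the challenge bound to this session, reduced into the modulus."""
    h = hashlib.sha256(session_id + challenge).digest()
    return int.from_bytes(h, "big") % N


def client_respond(challenge: bytes, session_id: bytes) -> int:
    """Client side: sign with the private exponent; D itself is never sent."""
    return pow(digest(challenge, session_id), D, N)


def server_verify(challenge: bytes, session_id: bytes, signature: int) -> bool:
    """Server side: check the response using only the public key (N, E)."""
    return pow(signature, E, N) == digest(challenge, session_id)


def login(server_log: list) -> bool:
    """One login; server_log is everything a logging server could capture."""
    session_id, challenge = secrets.token_bytes(16), secrets.token_bytes(32)
    signature = client_respond(challenge, session_id)
    server_log.append((session_id, challenge, signature))
    return server_verify(challenge, session_id, signature)


def replay_accepted(server_log: list) -> bool:
    """Replay a recorded signature against a fresh session and challenge."""
    _, _, old_signature = server_log[-1]
    fresh_challenge, fresh_session = secrets.token_bytes(32), secrets.token_bytes(16)
    return server_verify(fresh_challenge, fresh_session, old_signature)


if __name__ == "__main__":
    log = []
    print("login accepted:", login(log))
    print("replay accepted:", replay_accepted(log))
```

The server's log holds only the session id, the challenge and the signature, so nothing in it lets the server answer a different challenge.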