Security Basics mailing list archives
Re: Is SSH worth it??
From: Devdas Bhagat <dvb () users sourceforge net>
Date: Thu, 17 Oct 2002 00:21:46 +0530
On 15/10/02 14:39 -0400, Chris Santerre wrote:
> You know I always wondered about this method. su - has you input a password. So if a sysadmin is on a cable modem at home, logs in as normal user w/ ssh, then does an su - and enters password, how is that any different? You are being sniffed on the cable network. Keep in mind you can now sniff SSH packets. So how could this be more secure? So wouldn't a hacker now have both the first user pass and the su - ?

Because the network traffic in an ssh connection is strongly encrypted (it's Secure Shell), the cracker will have to do some rather powerful decryption to get the password. There was a bug in OpenSSH that would allow the specific encrypted text to be picked off the network (timing issues, password characters were sent as single bytes), but that has been fixed a long time back. Try sniffing ssh encrypted traffic.

Oh, and by using keys, your password never crosses the network at all.

Plus, sudo is a lot more useful in such cases. You can grant relatively granular access using sudo, without having to divulge the root password.

Hmmmm, given that a large part of admin requires editing of files, $sudo vim :!sh # is an easy way to get a root shell without ever using the root password.

Devdas Bhagat