Security Basics mailing list archives
RE: SSH / Witch options are secure ??
From: Adil Can <adilc () global com tr>
Date: Mon, 18 Aug 2003 09:35:03 +0300
Before answering this question it is better to identify the differences. MD5 is a hash function, an improved version of MD4; in particular there is an attack that produces collisions using the compression function in MD5. DES is the actual encryption and operates on 64-bit long data blocks using a key bitstring length of 56; with enough computational power, it is possible to exhaust the entire DES keyspace in just a few days.

I prefer to use MD5 instead of using the DES algorithm, and passwords can be longer than 8 characters as well. MD5 also is not fully supported with the standard Unix; this means your programs may not work with MD5 passwords, so please be careful.

You need to add "md5" to the "password" rules in the PAM config files. You can find the config files in /etc/pam.d. For example, you need to change the following lines in /etc/pam.d/passwd:

    password required /lib/security/pam_pwcheck.so \
        nullok
    password required /lib/security/pam_unix.so \
        nullok use_first_pass use_authtok

To:

    password required /lib/security/pam_pwcheck.so \
        nullok md5
    password required /lib/security/pam_unix.so \
        nullok md5 use_first_pass use_authtok

You should do this on every file that is using password authentication: /etc/pam.d/passwd, /etc/pam.d/sshd, /etc/pam.d/login and /etc/pam.d/rlogin. Some sample PAM config files with MD5 encryption enabled can be found in the directory /usr/doc/packages/pam/md5.config/

If you use NIS, you need to replace /usr/bin/yppasswd with a link to /usr/bin/passwd:

    # cd /usr/bin
    # mv yppasswd yppasswd.old
    # ln -sf passwd yppasswd

The password will be converted into an MD5 one after the next password change. After that you will use MD5 for SSH as well.

Adil Can

-----Original Message-----
From: MatzeGuentert () gmx de [mailto:MatzeGuentert () gmx de]
Sent: Saturday, August 16, 2003 11:17 PM
To: security-basics () securityfocus com
Subject: AW: SSH / Witch options are secure ??

Are MD5 stored passwords more secure than DES ones??
Installing SUSE 8 from scratch enables DES passwords per default. This means that I can't use MD5 for SSH, doesn't it?

Sincerely
Matthias Guntert
-----Original Message-----
From: Chris Ess [mailto:azarin () tokimi net]
Sent: Saturday, 16 August 2003 01:32
To: MatzeGuentert () gmx de
Cc: security-basics () securityfocus com
Subject: Re: SSH / Witch options are secure ??

Hello list,

I have just set up a SUSE 8.0 ISDN router and want to update sshd. Which options do you choose via ./configure to be as secure as possible? Is the default installation secure enough? I have downloaded the newest release, 3.6.1p2. I have read that OpenBSD with SSHD 2.9.9 - 3.3 is vulnerable with these options enabled:

-- SSH2 support
-- Challenge-response authentication enabled (reported by exploit, sort of)
-- SKEY and/or BSDAUTH defined at compile time (reported by exploit)

I know I am paranoid 8^) but this will be the only reachable service from outside. Any hints on this?

SSH v2 is more secure than SSH v1, or so I'm told. So, if you are paranoid about security, I suggest requiring SSH v2. I also suggest requiring key-based authentication and enabling some sort of mechanism to deny SSH connections except from certain IPs. However, both of these can be set within the sshd_config.

To answer your initial question, I use:

    ./configure --with-pam --with-md5-passwords --with-tcp-wrappers

This is because my machine uses PAM and MD5 passwords... And TCP wrappers is an all around good idea, I think. (I could be wrong.)

I hope this helps.

Sincerely,
Chris Ess
System Administrator / CDTT (Certified Duct Tape Technician)
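The two concrete points in the thread above, the DES-crypt versus MD5-crypt password formats and the md5 option on PAM "password" rules, as an added example. This is not code from the thread, from SUSE or from the PAM project; it is an illustration written for this page. It implements the MD5-crypt ($1$) scheme that /etc/shadow uses so the format and the absence of the 8-character truncation can be seen directly, scans shadow-style lines for accounts that are still on DES-crypt (which, as the reply notes, stay DES until the next password change), and flags pam_unix/pam_pwcheck password rules that lack md5. The function names and all sample shadow and PAM lines are constructed for the example; the DES-crypt sample field is only format-correct, not a real hash.

```python
# Added example (not from the original thread or any SUSE/PAM source):
# MD5-crypt as written to /etc/shadow, a scan for accounts still on
# DES-crypt, and a check of /etc/pam.d-style lines for the md5 option.
# All sample data below is constructed for illustration.
import hashlib
import re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """crypt(3)-style base64: least-significant 6 bits first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5_crypt(password, salt):
    """Poul-Henning Kamp's MD5-crypt ($1$) as used by glibc and FreeBSD.

    The whole password is hashed, so unlike DES-crypt nothing past the
    eighth character is dropped. Salt is at most 8 chars, ending at '$'.
    """
    pw = password.encode()
    if salt.startswith("$1$"):
        salt = salt[3:]
    salt = salt.split("$", 1)[0][:8]
    sb = salt.encode()
    ctx = hashlib.md5(pw + b"$1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for n in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:  # the "something really weird" step of the original C code
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # 1000 rounds to slow brute force
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f, out = final, ""
    for x, y, z in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((f[x] << 16) | (f[y] << 8) | f[z], 4)
    out += _to64(f[11], 2)
    return "$1$" + salt + "$" + out


def matches_system_crypt(password, salt):
    """Cross-check against libc crypt(); None if Python (3.13+) or libc lacks it."""
    try:
        import crypt
    except ImportError:
        return None
    ref = crypt.crypt(password, "$1$" + salt + "$")
    if not ref or not ref.startswith("$1$"):
        return None
    return ref == md5_crypt(password, salt)


def hash_scheme(field):
    """Classify one /etc/shadow password field by its format."""
    if not field or field[0] in "*!":
        return "locked-or-empty"
    if field.startswith("$1$"):
        return "md5-crypt"
    if field.startswith("$"):
        return "other-modular-crypt"
    if len(field) == 13 and all(ch in ITOA64 for ch in field):
        return "des-crypt"  # 2-char salt + 11-char hash, no prefix
    return "unknown"


def accounts_still_on_des(shadow_text):
    """Names of accounts whose hash has not been converted to MD5 yet."""
    names = []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and hash_scheme(parts[1]) == "des-crypt":
            names.append(parts[0])
    return names


def pam_password_lines_missing_md5(pam_text):
    """Modules of 'password' rules for pam_unix/pam_pwcheck lacking md5."""
    joined = re.sub(r"\\\s*\n\s*", " ", pam_text)  # fold backslash continuations
    missing = []
    for line in joined.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "password":
            continue
        module = fields[2].rsplit("/", 1)[-1]
        if module in ("pam_unix.so", "pam_pwcheck.so") and "md5" not in fields[3:]:
            missing.append(module)
    return missing


# Constructed sample data (hypothetical accounts, not from a real system).
SAMPLE_SHADOW = (
    "root:" + md5_crypt("password", "saltsalt") + ":12280:0:99999:7:::\n"
    "legacy:abJnggxhB/yWI:12100:0:99999:7:::\n"
    "nobody:!:12100:0:99999:7:::\n"
)
PAM_BEFORE = """password required /lib/security/pam_pwcheck.so \\
    nullok
password required /lib/security/pam_unix.so \\
    nullok use_first_pass use_authtok
"""
PAM_AFTER = PAM_BEFORE.replace("nullok", "nullok md5")

if __name__ == "__main__":
    print(md5_crypt("password", "saltsalt"))
    print("still on DES:", accounts_still_on_des(SAMPLE_SHADOW))
    print("PAM rules missing md5:", pam_password_lines_missing_md5(PAM_BEFORE))
    print("after the fix:", pam_password_lines_missing_md5(PAM_AFTER))
```

Run it stand-alone to see the $1$ hash and the two reports; to use it on a real host, read /etc/shadow (root only) and the files under /etc/pam.d into the two functions. The cross-check against the system crypt() only works where Python still ships the crypt module and libc supports $1$; elsewhere it returns None rather than guessing.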
Current thread:
- SSH / Witch options are secure ?? MatzeGuentert (Aug 15)
- Re: SSH / Witch options are secure ?? Chris Ess (Aug 16)
- AW: SSH / Witch options are secure ?? MatzeGuentert (Aug 16)
- Re: AW: SSH / Witch options are secure ?? Chris Ess (Aug 18)
- AW: SSH / Witch options are secure ?? MatzeGuentert (Aug 16)
- Re: SSH / Witch options are secure ?? Gabriel Orozco (Aug 16)
- <Possible follow-ups>
- RE: SSH / Witch options are secure ?? Adil Can (Aug 18)
- Re: SSH / Witch options are secure ?? Chris Ess (Aug 16)