Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

RE: SSH / Witch options are secure ??

From: Adil Can <adilc () global com tr>
Date: Mon, 18 Aug 2003 09:35:03 +0300
Before answering this question it is better to identify the differences.

md5 is a hash function improved version of MD4
in particular there is an attack that produces collisions using the
compression function in MD5.
 
des is the actual encryption and operates on 64-bit long data bloks using
key bitstring length of 56
with enough computational power, it is possible to exhaust the entire DES
keyspace in just a few days.

I prefer to use MD5 instead of using DES algorithm and passwords can be
longer than 8 characters as well
MD5 also is not fully supported with the standart Unix this means your
porgrams may not work with MD5 passwords
So pls be careful


You need to add "md5" to the "password" rules in the PAM config files. You
can find the config files in /etc/pam.d. 


For example, you need to change the following lines in /etc/pam.d/passwd: 

password required /lib/security/pam_pwcheck.so \ 
                     nullok 
password required /lib/security/pam_unix.so \ 
                     nullok use_first_pass use_authtok 

To:

password required /lib/security/pam_pwcheck.so \ 
                     nullok md5 
password required /lib/security/pam_unix.so \ 
                     nullok md5 use_first_pass use_authtok 


You should do this on every file that is using password authentication

/etc/pam.d/passwd, /etc/pam.d/sshd,/etc/pam.d/login and /etc/pam.d/rlogin. 

Some sample PAM config files with enabled md5 encryption can be 
found in the directory /usr/doc/packages/pam/md5.config/ 

If you use NIS, you need to replace /usr/bin/yppasswd with a 
link to /usr/bin/passwd: 
# cd /usr/bin 
# mv yppasswd yppasswd.old 
# ln -sf passwd yppasswd 

The password will be converted into an MD5 one after the next 
password change. 

After that you will use md5 for ssh as well.

Adil Can


-----Original Message-----
From: MatzeGuentert () gmx de [mailto:MatzeGuentert () gmx de] 
Sent: Saturday, August 16, 2003 11:17 PM
To: security-basics () securityfocus com
Subject: AW: SSH / Witch options are secure ??


Are md5 stored passwords more secure than des ones??
Installing suse 8 from scratch enables des passwords per default. This means
that I cant use md5 for ssh, doesn't it?

Sincerely 

Matthias Guntert


-----Ursprungliche Nachricht-----
Von: Chris Ess [mailto:azarin () tokimi net]
Gesendet: Samstag, 16. August 2003 01:32
An: MatzeGuentert () gmx de
Cc: security-basics () securityfocus com
Betreff: Re: SSH / Witch options are secure ??


Hello list

I have just set up a suse 8.0 isdn router and want to update sshd.

Which

options do you choose via ./configure to be as secure as possible? 
Is the default installation secure enough? I have downloaded the

newest

release 3.6.1p2.

I have red that OpenBSD with SSHD 2.9.9 - 3.3 is vulnerable with

this

options enabled.

-- SSH2 support
-- Challenge-response authentication enabled (reported by exploit,

sort

of)
-- SKEY and/or BSDAUTH defined at compile time (reported by exploit)

I now I am paranoid 8^) but this will be the only reachable service

from

outside. Any hints on this?


SSH v2 is more secure than SSH v1, or so I'm told.  So, if you are 
paranoid about security, I suggest requiring SSH v2.

I also suggest requiring key-based authentication and enabling some

sort

of mechanism to deny SSH connections except from certain IPs.

However,

both of these can be set within the sshd_config

To answer your initial question, I use:
./configure --with-pam --with-md5-passwords --with-tcp-wrappers

This is because my machine uses PAM and MD5 passwords... And TCP

wrappers

is an all around good idea, I think.  (I could be wrong.)

I hope this helps.

Sincerely,


Chris Ess
System Administrator / CDTT (Certified Duct Tape Technician)



---------------------------------------------------------------------------
----------------------------------------------------------------------------




NOTE: This e-mail is confidential and may also be privileged; under no
circumstances should you forward it, or copy or disclose its contents, to
any other person without the prior consent of the sender. If you are not an
intended recipient of this e-mail, please notify us immediately.
Internet communications are not secure and subject to possible data
corruption, either accidentally or on purpose, and may contain viruses.
Furthermore e-mail is an informal and often abbreviated method of
communication. For these reasons, it will normally be inappropriate to rely
on any information or advice contained herein without also discussing it
with the sender.

(The note below is a Turkish version of the above disclaimer)

NOT: Bu elektronik posta mesaji gizli olup, ayni zamanda ayricalikli
olabilir; sartlar ne olursa olsun, gondericinin onceden onayini almaksizin,
baskalarina iletmemeniz, icerigini kopyalamamaniz veya baskalarina
aciklamamaniz gerekmektedir. Bu mesajin muhatabi degilseniz, bu durumu
derhal tarafimiza bildirmenizi rica ederiz.
Internet uzerinden yapilan iletisim guvenli olmayip, verilerin kasten veya
tesadufen bozulmasi ve virus icermesi olasiligi vardir. Ayrica, elektronik
posta, resmi olmayan ve cogunlukla kisaltilmis bir iletisim yontemidir.
Dolayisiyla, burada yer alan bilgi veya tavsiyelere, gonderici ile ayrica
gorusmeden guvenmeniz normal sartlar altinda uygun olmayacaktir.


---------------------------------------------------------------------------
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: