Re: Apache Software Foundation Server compromised, resecured. (fwd)

From: Dag-Erling Smorgrav (des@ofug.org)
Date: 06/01/01


To: Alex Holst <a@area51.dk>
From: Dag-Erling Smorgrav <des@ofug.org>
Date: 01 Jun 2001 15:40:04 +0200

Alex Holst <a@area51.dk> writes:
> That should be verified often with scanssh or something similar. I was
> surprised when I read about the compromise, because it gives the impression
> that people are still using passwords (as opposed to keys with passphrases)
> for authentication in this day and age.

Keys with passphrases wouldn't have made any difference. The ssh
binary on sourceforge was trojaned, and could have harvested ssh keys
just as easily as passwords.

DES

-- 
Dag-Erling Smorgrav - des@ofug.org

