Re: Apache Software Foundation Server compromised, resecured. (fwd)

From: David Taylor (davidt@yadt.co.uk)
Date: 06/01/01


Date: Fri, 1 Jun 2001 15:24:48 +0100
From: David Taylor <davidt@yadt.co.uk>
To: "Karsten W. Rohrbach" <karsten@rohrbach.de>

On Fri, 01 Jun 2001, Karsten W. Rohrbach wrote:
> this does not lead to a big tragedy since the agent protocol is
> challenge-response. a challenge is sent by the remote peer, the agent
> signs it using the local identity and sends the response back to the
> remote peer. the remote side checks the signed response against the
> public key and if it matches c'est ca. if this way of authentication
> has to be considered dangerous, public key crypto is, since you could
> not give away your public key, then ;-) the private key is never ever
> presented to an entity on a remote system.
>

public key crypto _would_ be dangerous if you automatically signed anything
an untrusted remote host threw at you.

Now, if ssh-agent were to ask you if it should sign the challenge each time,
that'd help. But if the remote ssh binary is trojaned, it could be designed
to inject arbitrary commands into your session, so it wouldn't help very
much.

If you're allowing an untrusted machine to make a connection to another
machine, it's insecure, basically.

-- 
David Taylor
davidt@yadt.co.uk
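
An added example, not part of the original message: a simplified Python model of the challenge-response exchange discussed above, showing that an agent which signs silently satisfies a challenge passed along by an intermediate host, while an agent that asks for confirmation refuses one the user did not initiate. The toy RSA key, the class names and the host names are constructed for illustration and do not reproduce the SSH wire protocol.

```python
import hashlib
import secrets

# Constructed toy key: textbook RSA over two Mersenne primes. Illustration only.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, used only inside Agent


def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


class Agent:
    """Signs challenges with the private key; never hands the key out."""

    def __init__(self, confirm=None):
        self.confirm = confirm  # None models an agent that signs silently
        self.requests = []      # (source of request, was it signed?)

    def sign(self, source: str, challenge: bytes):
        # The agent cannot authenticate `source`; it is recorded for the demo only.
        approved = self.confirm is None or self.confirm()
        self.requests.append((source, approved))
        return pow(digest(challenge), D, N) if approved else None


class Server:
    """Remote peer that knows only the public key (N, E)."""

    def __init__(self, name: str):
        self.challenge = name.encode() + b":" + secrets.token_bytes(16)

    def accepts(self, signature) -> bool:
        return signature is not None and pow(signature, E, N) == digest(self.challenge)


def demo():
    silent = Agent()
    host_a, host_b = Server("hostA"), Server("hostB")
    intended = host_a.accepts(silent.sign("user", host_a.challenge))
    # hostA is untrusted: it passes hostB's challenge back over the agent channel.
    relayed = host_b.accepts(silent.sign("hostA", host_b.challenge))

    user_is_logging_in = {"now": False}  # the user started no login of their own
    asking = Agent(confirm=lambda: user_is_logging_in["now"])
    other = Server("hostB")
    refused = not other.accepts(asking.sign("hostA", other.challenge))
    return intended, relayed, refused, asking.requests
```

In OpenSSH, `ssh-add -c` adds a key that requires confirmation for each use; as the message points out, that does not address a trojaned remote ssh binary acting inside an already authenticated session.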