l i n u x - u s e r s - g r o u p - o f - d a v i s
L U G O D
 
Next Meeting:
September 2: Social Gathering 		Next Installfest:
Sat. Sept. 27, 10am-6pm
 		Latest News:
Aug. 30: September Installfest scheduled 		Page last updated:
2001 Dec 30 17:01
Events
 Meetings
 Installfests
 Demos
 Photos
Services
 Library
 LERT
 Jobs
 Documents
Interact
 Mailing Lists
 - Search
 - Archives
 Chat
About Us
 Members
 Projects
 Testimonials
 Call for Speakers
 Why Not MS?
 Finances
 Sponsors

^Home
?Search
?News & RSS
?Calendar
@Contact Us
$Buy Stuff
=Printable


The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

 Report this post as spam:

(Enter your email address)
Re: [vox-tech] ssh/telnet security question
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox-tech] ssh/telnet security question

On Tue, 6 Feb 2001, Micah Cowan wrote:

> On Tue, Feb 06, 2001 at 03:51:14PM -0800, Henry House wrote:
> > On Tue, Feb 06, 2001 at 03:43:08PM -0800, Dale Bewley wrote:
> > > If you find yourself logging in from a windows box you can get a free
> > > client called putty. Search on google.com, it works pretty well and it is
> > > just a single executable, so it's convenient.
> > 
> > There exists a similar app for Macintosh called NiftyTelnetSSH.
> > 
> > Also, some people may not know that if you run ssh-keygen, copy the resulting
> > file ~/.ssh/identity.pub to <remote host>:~/.ssh/authorized_keys, then you
> > can log in without typing in your password. May compromise security slightly,
> > but if it means that you migrate away from rcp, rsh, etc., that's still a big
> > win.
> > 
> > -- 
> > Henry House
> > OpenPGP key available from http://hajhouse.org/hajhouse.asc
> 
> Doesn't compromise security at all, unless
> 
> (a) you leave authorized_keys as world- or group- readable, or
> (b) you can't trust root (in which case, heaven help you, because root
>     can always peek into memory to find ssh's unencrypted data.
> 
> Exactly as trustworthy as the X authority keys, I believe.

... yes... if you use the same password everywhere, then once it is
cracked once, all of your accounts are cracked.  Alternatively, if you
have authorized_keys without passphrases, any one of the login passwords
gives the cracker access to all your accounts.

Of course, as long as you stay inside ssh tunnels, your passwords will be
that much harder to obtain anyway.  Just watch for excessive failed login
attempts.

---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<jdnewmil@dcn.davis.ca.us>        Basics: ##.#.       ##.#.  Live Go...
Work:<JeffN@endecon.com>              Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---------------------------------------------------------------------------

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

 CD Burns Wanted!

LUGOD: Linux Users' Group of Davis
1105 Kennedy Place, Suite 1, Davis, CA 95616
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

 Sponsored in part by:
PC Memory Store
PC Memory Store donated give-aways to LUGOD in early 2008.