l i n u x - u s e r s - g r o u p - o f - d a v i s
Next Meeting:
July 7: Social gathering
Next Installfest:
Latest News:
Jun. 14: June LUGOD meeting cancelled
Page last updated:
2003 Aug 10 11:51

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox] password stolen at linuxworld
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox] password stolen at linuxworld

Bummer to hear about this. Hopefully nothing is lost, and the system(s)
can be recovered.

Few people want salt rubbed into wounds, so if you don't then dont read

You want to read an "I Told You So" from August 2001?


'One last thing to point out, as many people new to ssh dont realize:
"SSH is for creating a 'secure' connection over an insecuure network. It
is NOT secure on insecure machines or for securing insecure machines!"'

(I cannot stress the statement above enough. Then there is this paragraph
which is ominously scary as predictions go...)

'So, if you go to a library, ISP, friend's house, or Moscone Center for
MacWorld and use a Java based ssh client to connect to your server or a
client you install on their machine, you could be opening up your server
for a break-in. A keyboard sniffer, or trojaned OS at the site you are
using could grab your password as your type it on the keyboard! SSH is
good for working between machines that you trust, and "own" not so good
with machines you do not own. Security model is just blown out of the
water because it does not seek to solve the problem of making the client
machine secure. (Not its problem to solve, never was.)'

On the positive side,  you are not alone. There are *many* skilled and
educated people who have not considered this and opened themselves up for
breakin by using insecure machines.

Another comment, if you are running an SSH server, you should also set it
up to only permit ssh2 and not ssh1, and of course keep your ssh up to

On some of my servers, I setup a special web page that was available via
htaccess authenticated https that permitted me to open up a hole in the
firewall rules for the IP address from which I was connecting. Then after
a specified time, the hole was automagically closed. It required setting
up a script that utilized a sudo/super based command that could be issued
from "nobody" but it only accepted one argument (a valid ip address) and
anything other than an IP address was removed. This permits a default rule
of deny for ssh so long as people can get to https based web page to open
a hole for their connection. Some day, I might release it, but the
code-base sucks. (This only acts as an extra layer of security to permit a
little more time for me to fix/upgrade my service when an exploit exists
but has not yet been published.)

One more thing... One desire people have in using ssh from remote
locations is checking of e-mail. I would like to suggest you consider
using a webmail based system. I use SquirrelMail and have a separate
userdb for imap authentication. This permits me to use and have a
different password for webmail than I have and use with ssh. If someone
steals my webmail password, they can see my e-mail, but can't read my
pgp/gpg messages, and I can always change my pasword when I later gain
access to a secure machine.


Bill Kendrick said:
> On Sun, Aug 10, 2003 at 04:26:57AM -0700, Ryan Castellucci wrote:
>> Someone at linux world seems to have gotten ahold of my ssh user
>> password
>> from when I used it at linuxworld.
> <snip>
>> I suspect that my password was either sholder surfed (unlikely, it'd be
>> hard
>> to memorize....) or someone was runnning man-in-the-middle attacks, and
>> forced an SSHv1 session to prevent a warning, simply prompting for a new
>> key.
> Ouch!  Is this something any of the rest of us LWE volunteer folks need to
> worry about?  (I logged into my sonic account numerous times from LWE;
> mostly from Melissa's laptop, but also occasionally from other people's
> laptops, I _think_...  it's all such a blur)
> Sorry this happened. :(
> -bill!
> --
> bill@newbreedsoftware.com                           Got kids?  Get Tux
> Paint!
> http://newbreedsoftware.com/bill/
> http://newbreedsoftware.com/tuxpaint/
> _______________________________________________
> vox mailing list
> vox@lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox

vox mailing list

LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
EDGE Tech Corp.
For donating some give-aways for our meetings.