MORE SSH Hacking: heads-up
Alexander Dalloz
alexander.dalloz at uni-bielefeld.de
Thu Aug 12 16:43:12 UTC 2004
Am Do, den 12.08.2004 schrieb John Lagrue um 18:18:
> >>>That has the severe downside, that if someone got on the system as an
> >>>unprivileged user he could sniff while you are su'ing to root, which is
> >>>not successful if you ssh in as root using publick key authentication
> >>>rather than password authentication.
> >>Your saying that if you use ssh2 to connect to a server and the su to
> >>root that they can sniff your root password?
> >I believe what he is saying is that if someone is already sniffing, then
> >they will get the root password.
> IN that case might I respectfully suggest that he's wrong. If you
> connect via ssh then all traffic between the ssh client and the server
> is encrypted. So it doesn't matter what is typed in the client -
> sniffing will only give gobblegook.
>
> JDL
I was not speaking about the network transfer between client and server.
I thought this was obvious. I was speaking about the possibility to
locally, on the SSHD system itself, to sniff password entries when
running "su".
Alexander
--
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.7-1.494.2.2smp
Serendipity 18:41:21 up 8 days, 12:09, load average: 1.17, 1.36, 1.29
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Dies ist ein digital signierter Nachrichtenteil
URL: <http://listman.redhat.com/archives/fedora-list/attachments/20040812/5d08d15d/attachment-0001.sig>
More information about the fedora-list
mailing list