ssh: Permission denied

Phil Meyer pmeyer at themeyerfarm.com
Fri Dec 22 21:01:38 UTC 2006


Dylan Semler wrote:
> ...snip...
>
> However, if you use an 8-digit password with capital and lowercase 
> letters, numbers, and symbols, there are 8^( 26*2 + 10*2 + 20 ) = 8^92 
> = 1.21e83 possible passwords.  Since ssh waits about a second after 
> each incorrect password and there have been only 3.32e17 seconds in 
> the history of the universe, it seems strictly /impossible/ for a 
> password to be guessed.  So the risk must not be from password-bots.  
> What is the risk then?
That is not the larger danger.  The larger danger is that someone will 
find and publish an exploit for ssh2 as root.  That did happen to ssh1, 
and is why you should never allow ssh1 protocol to the Internet, 
ESPECIALLY if you allow root logins.  ssh1 is still supported 
(thankfully) for compatibility with older systems.  It is not meant to 
be used otherwise.

In that case if you allow root logins from ssh an exploiter can access 
your system as root, even without password guessing.

It is always best to avoid those possibilities.  Turn off ssh1 and root 
access via ssh.  See my other post in this thread for how to:
>
> Also, right now I set up sudo so it doesn't prompt for passwords, so 
> in effect, any user that logs in can become root.  Is this very very 
> bad as well?

Once a person is on your system, it's too late.  It's only a minor 
inconvenience for the hacker when you disallow sudo, but I do it anyway.

It is most common for a hacker to install a 'root kit' instead.  There 
are still several that will work.  And on older systems ... well he can 
just pick one. :)

By allowing open sudo, maybe a bud of yours will install a root kit for 
fun when you thought he was playing on your new PS3 in there. :)

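As an added example (not part of the original post, and not Fedora's or OpenSSH's own tooling), here is a small POSIX shell script that checks an sshd_config for the two settings the reply says to turn off, SSH protocol 1 and root logins, and prints the fix for each. The `Protocol` and `PermitRootLogin` keywords and sshd's first-occurrence-wins parsing are real sshd_config behaviour; the two sample config texts are constructed for the demo, and the fallback defaults used when a keyword is absent (`Protocol 2,1`, `PermitRootLogin yes`, the OpenSSH defaults of that era) are an assumption stated in the code.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the two
# settings the reply says to turn off (SSH protocol 1 and root logins) and show
# the hardened equivalent. The config texts below are constructed for the demo;
# on a real host pass the contents of /etc/ssh/sshd_config instead.

# Constructed sample of the weak configuration the reply warns about.
WEAK_CONFIG='# sshd_config (constructed sample)
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes'

# The same file with the two settings fixed, plus key-only authentication,
# which also removes the password-guessing surface the thread discusses.
HARDENED_CONFIG='Protocol 2
PermitRootLogin no
PasswordAuthentication no'

# effective_value KEYWORD CONFIG_TEXT: print the value sshd would use.
# sshd keeps the FIRST uncommented occurrence of a keyword and ignores later
# ones; keywords are case-insensitive. Prints nothing if the keyword is absent.
effective_value() {
    printf '%s\n' "$2" | awk -v k="$1" '
        $1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }'
}

# allows_ssh1 CONFIG_TEXT: succeed if protocol 1 is enabled.
allows_ssh1() {
    v=$(effective_value Protocol "$1")
    # Assumption: an absent keyword means the 2006-era OpenSSH default "2,1".
    [ -n "$v" ] || v="2,1"
    case ",$v," in
        *,1,*) return 0 ;;
        *)     return 1 ;;
    esac
}

# allows_root_login CONFIG_TEXT: succeed unless PermitRootLogin is exactly "no".
# "without-password" and "forced-commands-only" still let root in over ssh,
# so they count as findings here, matching the reply's advice.
allows_root_login() {
    v=$(effective_value PermitRootLogin "$1")
    # Assumption: an absent keyword means the 2006-era OpenSSH default "yes".
    [ -n "$v" ] || v="yes"
    case "$(printf '%s' "$v" | tr '[:upper:]' '[:lower:]')" in
        no) return 1 ;;
        *)  return 0 ;;
    esac
}

# audit CONFIG_TEXT: print one FINDING line per weak setting, with the fix.
audit() {
    if allows_ssh1 "$1"; then
        p=$(effective_value Protocol "$1")
        echo "FINDING: SSH protocol 1 enabled (Protocol ${p:-absent, default 2,1}); set 'Protocol 2'"
    fi
    if allows_root_login "$1"; then
        r=$(effective_value PermitRootLogin "$1")
        echo "FINDING: root login permitted (PermitRootLogin ${r:-absent, default yes}); set 'PermitRootLogin no'"
    fi
}

# finding_count CONFIG_TEXT: number of FINDING lines audit prints (0 is fine).
finding_count() {
    audit "$1" | grep -c '^FINDING' || true
}

main() {
    echo "== weak config =="
    audit "$WEAK_CONFIG"
    echo "== hardened config =="
    audit "$HARDENED_CONFIG"
    echo "findings: $(finding_count "$WEAK_CONFIG") weak, $(finding_count "$HARDENED_CONFIG") hardened"
}
main
```

The script only models top-level keywords; settings placed after a `Match` block are conditional and are not handled here. On current OpenSSH releases protocol 1 support has been removed entirely, so the `Protocol` check matters only for the older servers the thread is about, while the `PermitRootLogin` check still applies.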