Date: Thu, 31 May 2001 18:37:32 -0700 From: Kris Kennaway <kris@obsecurity.org> To: Crist Clark <crist.clark@globalstar.com> Cc: "f.johan.beisser" <jan@caustic.org>, Alex Holst <a@area51.dk>, freebsd-security@FreeBSD.ORG Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd) Message-ID: <20010531183732.B12216@xor.obsecurity.org> In-Reply-To: <3B16E7D9.3E9B78FF@globalstar.com>; from crist.clark@globalstar.com on Thu, May 31, 2001 at 05:54:49PM -0700 References: <Pine.BSF.4.21.0105311727160.66343-100000@pogo.caustic.org> <3B16E7D9.3E9B78FF@globalstar.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--s/l3CgOIzMHHjg/5 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, May 31, 2001 at 05:54:49PM -0700, Crist Clark wrote: > *sigh* >=20 > You cannot 'record passphrases.' RSA authentication uses public key > cryptography. The client, the person logging in, proves it knows a=20 > secret, the private key, without ever revealing it to the server who > only knows the public key. The ssh client on the sourceforge machine was trojaned; when the user entered their private key passphrase on the compromised machine (in order for the client to decrypt the private key and then perform RSA handshake with the server) it stored a copy. Once you have access to that credential you can use it to impersonate that user to other systems which trust it. > The use of public key crypto allows you to log into potentially=20 > untrusted servers without revealing your secret. But if you log in FROM an untrusted system using SSH and an authentication protocol which uses a persistent credential token on the client side (e.g. UNIX passphrase, RSA key, but not e.g. OPIE) then all bets are off because you must give the malicious client access to that credential in order for it to authenticate on your behalf. Kris --s/l3CgOIzMHHjg/5 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7FvHcWry0BWjoQKURAkw9AJ4oPK/aw9a5Lzcfh3o8Ng4OKYAz0ACfS0U+ RciCaLUaqOwUFOW4vOIeCrw= =OAUl -----END PGP SIGNATURE----- --s/l3CgOIzMHHjg/5-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010531183732.B12216>