Date: Mon, 24 Jan 2000 10:30:34 +0900
From: sen_ml@eccosys.com
To: freebsd-security@FreeBSD.ORG
Subject: Re: ssh-feature 'backdoor'
Message-ID: <20000124103034W.1000@eccosys.com>
In-Reply-To: <20000123210421.A90963@server.nostromo.in-berlin.de>
References: <20000119155203.C8404@is.co.za> <20000120002132R.1000@eccosys.com> <20000123210421.A90963@server.nostromo.in-berlin.de>

ripley> Quoting sen_ml@eccosys.com (sen_ml@eccosys.com):
> if you su, don't you have to type in the root password? even if the
> session is encrypted, the password still goes over the wire. if you
> use rsa key authentication you don't have that particular risk (though
> you may have others).

ripley> There are alternatives to su which don't need the user to have the
ripley> root password.

then perhaps those can provide viable alternatives. (btw, do you have
any personal recommendations?) at least for the current discussion i
was under the impression that su was mentioned explicitly :-)

ripley> Besides (assuming encrypted connections) it's not so much a
ripley> matter about the password being transferred over the wire

i think this concern is a subject of individual perspective. party a
may not care, but party b may. as you can tell, i'm one of those
people that is bothered by the password going over the wire, even if
in encrypted form. i like things like challenge-and-response
authentication and srp.

ripley> but whether the user has to know it at all. If he doesn't even
ripley> have it, it can't be compromised by the user...

isn't the situation similar w/ using rsa authentication and logging in
as root (i prefer this set up)? you have to be able to decrypt a
certain secret key. if the user can't decrypt some secret key, the
user shouldn't be able to get root that way. am i missing an
important difference here?