Date: Sun, 27 May 2001 09:28:48 -0400
From: Bill Moran <wmoran@iowna.com>
To: David Banning <david@banning.com>
Cc: questions@FreeBSD.ORG
Subject: Re: security question
Message-ID: <3B110110.FF99F8EC@iowna.com>
References: <200105260324.f4Q3OrH00551@d.tracker> <3B0FC0D0.28E01292@iowna.com> <20010527003923.A1691@yahoo.com>
David Banning wrote:
> > A similar scenario could occur with webmin or ftp. If you'd like to see
> > a demonstration, I'd be happy to arrange it, I've done it for other
> > folks to scare them into sanity.
>
> How does the demonstration go?

Basically, I set up three temporary machines (or set up a temp login on one machine). We assume that I've cracked machine "A" and you then log in to machine "B" via telnet from machine "C". I then show you that I've sniffed your password and can now log into machine "B". To increase the shock value, I can have you su to root via telnet, which then gives me root access to machine "B".

For the total demonstration, I repeat the steps with ssh to show that it's not possible to get passwords by sniffing ssh.

I've actually only given this demonstration once ... but the guy was VERY surprised/impressed. I guess a lot of folks simply never consider how easy it would be to do this.

(p.s. don't try this particular demo if you're running a switch because it won't work.)

> > Weigh the cost vs. risk here. A free windows ssh client like putty
> > (http://www.chiark.greenend.org.uk/~sgtatham/putty/) makes you a fool
> > not to use ssh.
>
> OK - I've got it, I've been using the telnet side. I'm just trying
> to figure out how to use SSH.

From the server side: if you're running FreeBSD later than 4.1.1 (which I recommend) all you have to do is enter

sshd_enable="YES"

into /etc/rc.conf

From another FreeBSD machine, enter "ssh machine.domain.com" to log in remotely. From putty (or any other graphical client) enter the machine name and click the pretty buttons.

It really works just like telnet (from a user perspective). It's just that it encrypts everything.

Hope this helps.

-Bill
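Added example, not part of Bill's mail or of FreeBSD itself: a small POSIX shell audit that checks the two settings his reply is about, sshd_enable in /etc/rc.conf and the cleartext telnet service (which FreeBSD starts from inetd, so the check reads /etc/inetd.conf). The function names and the sample files are constructed for the example; the paths are passed as arguments so it can be pointed at real files or at test copies.

```shell
#!/bin/sh
# Added example: audit rc.conf / inetd.conf for ssh-on, telnet-off.
# rc.conf is sourced as shell, so the LAST sshd_enable assignment wins.

# Returns 0 when the effective sshd_enable value is YES (any case, quotes optional).
sshd_enabled() {
    rcconf="$1"
    grep -Ei '^[[:space:]]*sshd_enable[[:space:]]*=' "$rcconf" \
        | tail -n 1 \
        | grep -Eiq '=[[:space:]]*"?YES"?'
}

# Returns 0 when inetd.conf still has an active (uncommented) telnet line.
telnet_enabled() {
    inetd="$1"
    grep -Eq '^[[:space:]]*telnet[[:space:]]' "$inetd"
}

# Prints one verdict per check; returns 0 only if sshd is on AND telnet is off.
audit_remote_login() {
    rcconf="$1"; inetd="$2"; rc=0
    if sshd_enabled "$rcconf"; then
        echo "OK:   sshd_enable=YES in $rcconf"
    else
        echo "WARN: sshd not enabled in $rcconf (add sshd_enable=\"YES\")"; rc=1
    fi
    if telnet_enabled "$inetd"; then
        echo "WARN: telnet still active in $inetd (passwords cross the wire in cleartext)"; rc=1
    else
        echo "OK:   telnet disabled in $inetd"
    fi
    return $rc
}

# Constructed sample files for a stand-alone run (not real system files):
# sshd is enabled but telnet is still served by inetd, so the audit warns.
tmpdir=$(mktemp -d)
cat > "$tmpdir/rc.conf" <<'EOF'
hostname="box.example"
sshd_enable="YES"
EOF
cat > "$tmpdir/inetd.conf" <<'EOF'
#ftp    stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
EOF
audit_remote_login "$tmpdir/rc.conf" "$tmpdir/inetd.conf" || echo "audit: action needed"
rm -rf "$tmpdir"
```

To disable telnet on a FreeBSD box of that era, comment out the telnet line in /etc/inetd.conf and send inetd a HUP; re-run the audit to confirm.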