the SSH worm thing
Horst von Brand
vonbrand at inf.utfsm.cl
Wed May 11 21:22:27 UTC 2005
Florin Andrei <florin at andrei.myip.org> said:
> http://www.schneier.com/blog/archives/2005/05/the_potential_f.html
>
> I can't test it right now, but I wonder - what's the default setting on
> FC4, hash the hosts or not?
AFAIK, no OpenSSH has ever used a hash of the host names. Neither has
closed SSH, for that matter.

And I see this as a very mild problem. Yes, for example I have the same
password on a group of machines (small wonder, it's the same account
handled via LDAP + NFS), so cracking one gives access to the others. But if
they cracked my password here they could just try it on "nearby" machines,
with even better results: I haven't connected to all the machines that
share my account. Yes, I also do have accounts on remote machines. The
accounts are not necessarily called the same as this one, and their
passwords are different too.

The /real/ risk is having the same account across machines. I'm quite happy
with it for my personal use. For managing (some of) the machines themselves
I'm not so happy (but they aren't critical, so this is not a huge risk
either).
--
Dr. Horst H. von Brand User #22616 counter.li.org
Departamento de Informatica Fono: +56 32 654431
Universidad Tecnica Federico Santa Maria +56 32 654239
Casilla 110-V, Valparaiso, Chile Fax: +56 32 797513
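
An added example, not part of the original message: a Python audit of a known_hosts file that reports which entries still store host names in clear text and which use the `|1|salt|hash` form written by OpenSSH's HashKnownHosts option (HMAC-SHA1 of the host name, keyed with the salt). The sample file, host names, salt and key placeholders are constructed, and the function names are this example's own.

```python
import base64
import hashlib
import hmac

def hash_host(host, salt):
    """Hashed host field: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                             base64.b64encode(mac).decode())

def matches(field, host):
    """True if the hashed field was derived from this host name."""
    parts = field.split("|")
    if len(parts) != 4 or parts[1] != "1":
        return False
    salt, mac = base64.b64decode(parts[2]), base64.b64decode(parts[3])
    expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, mac)

def audit(text):
    """Count hashed vs. clear-text entries; list line numbers still in clear text."""
    report = {"hashed": 0, "plain": 0, "plain_lines": []}
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue                      # blank line or comment
        if fields[0].startswith("@"):     # @cert-authority / @revoked marker
            fields = fields[1:]
        if not fields:
            continue
        if fields[0].startswith("|1|"):
            report["hashed"] += 1
        else:
            report["plain"] += 1
            report["plain_lines"].append(lineno)
    return report

# Constructed sample: one clear-text entry, one hashed entry, placeholder keys.
SALT = bytes(range(20))
SAMPLE = "\n".join([
    "# constructed known_hosts sample",
    "build1.example.org,192.0.2.10 ssh-rsa AAAA_CONSTRUCTED_KEY",
    hash_host("db1.example.org", SALT) + " ssh-rsa AAAA_CONSTRUCTED_KEY",
])

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(matches(SAMPLE.splitlines()[2].split()[0], "db1.example.org"))
```

A hashed entry can still be confirmed against a host name you already know, which is how ssh itself looks the host up, but the file no longer lists the names.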