On Wed, 02 Aug 2000, rhoerbe@netpromote.co.at wrote:
A very common setup for a system with remote maintenance is to use SSH for shell access. However, this is insecure if you keep using ftp and pop for the same account with the same password.
I just thought to myself: why is this insecure? If you log in by SSH to do remote maintenance, then true, anyone who sniffs your in-the-clear ftp and pop passwords can log in as you. But they can only log in as you, the USER. They can never sniff the root password, as your "su root" password is always encrypted... and then the penny dropped. If someone ever logs into your user account, and then you log in after they have done their mischief, and su, then you have just given away the crown jewels. Oh well.

Not a troll, just an observation: Microsoft ftp and pop servers have the same problem, but those I have used use a separate user database, so it's up to the user to have different passwords.

Let us all admins vow not to use our /etc/shadow passwords for any clear-text service. 3 cheers IMAP-SSL and scp.

dproc
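The scenario above, where someone is already inside the user account before the admin runs su, is one an admin can sanity-check for before typing the root password. The following is an added example (not code from the thread or its authors) that checks which `su` a given PATH would actually run, whether it is one of the locations assumed here to be legitimate (/bin/su or /usr/bin/su), and whether a shell startup file defines an alias or function named `su`; the trusted locations and the startup-file patterns are assumptions for this example.

```sh
#!/bin/sh
# Added example, not from the original thread: before typing the root password
# at "su", check that the "su" this PATH would run is the system binary and that
# no alias or function in a startup file shadows it. The trusted locations
# (/bin/su, /usr/bin/su) are an assumption for this example.

# Print the first executable named "su" found on the given PATH string.
first_su_in_path() {
    _old_ifs="$IFS"; IFS=':'
    for _d in $1; do
        if [ -f "$_d/su" ] && [ -x "$_d/su" ]; then
            IFS="$_old_ifs"; printf '%s\n' "$_d/su"; return 0
        fi
    done
    IFS="$_old_ifs"
    return 1
}

# Return 0 only if the path is one of the trusted su locations.
is_trusted_su() {
    case "$1" in
        /bin/su|/usr/bin/su) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the startup file defines an alias or a function named "su".
rc_shadows_su() {
    grep -Eq '^[[:space:]]*(alias[[:space:]]+su=|su[[:space:]]*\(\)|function[[:space:]]+su([[:space:]]|\(|$))' "$1"
}

# Combined check over a PATH string and a startup file:
# returns 0 if su looks clean, 1 if something would intercept it.
audit_su() {
    _path="$1"; _rc="$2"
    _su=$(first_su_in_path "$_path") || { echo "no su found on PATH"; return 1; }
    if ! is_trusted_su "$_su"; then
        echo "untrusted su first on PATH: $_su"; return 1
    fi
    if [ -f "$_rc" ] && rc_shadows_su "$_rc"; then
        echo "su is shadowed by an alias or function in $_rc"; return 1
    fi
    echo "su resolves to $_su and is not shadowed"
    return 0
}
```

Run it as `audit_su "$PATH" "$HOME/.bashrc"` (or whichever startup file the login shell reads) from the account you are about to su from.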