Hi,

If we really want to talk paranoia :-), you could do it like that:

Put a box with some kind of VPN functionality in front of the server, or do it directly on the server in question. Allow ssh only through this tunnel. From the remoteadmin box, you build up a VPN and make the ssh session through this tunnel. For the VPN, you can use some kind of key authentication; for the ssh, you can use normal username/password login.

Your gain is:
- someone must first penetrate your VPN
- after that, they have to do the ssh-password trick
- from network traffic analysis, the sniffer can't see what kind of data is transmitted to the server
- portscans won't reveal ssh

Regards
Reto Inversini

----- Original Message -----
From: "Robert Casties"

On Wed, 9 Jan 2002, Douglas Trainor wrote:

> You might browse this paper:
>
> "Timing Analysis of Keystrokes and Timing Attacks on SSH" by Dawn Xiaodong Song, David Wagner, and Xuqing Tian. 10th USENIX Security Symposium, 2001. They're from UCB and they're smart.

This would be an argument against logging in as a normal user and then su to root, wouldn't it? As I remember from a talk I heard lately, it is rather easy to identify when a password is typed after you have logged in. That's where you can use timing analysis. The password you type into ssh before you log in is sent in one batch in the login procedure.

> If I su to root after logging in via ssh then I am still
> root password (although it is encrypted). From a security standpoint, what's the difference in exposure?

The argument against allowing direct login to root is guessing attacks on the password. The attacker can try all sorts of passwords, and if he gets it right, he's root.

If root is not allowed to log in directly, the attacker has to know a username first, and if he breaks the password by guessing, then he's only a user (at first). On the other hand, there are the timing attacks mentioned above (which I consider rather low risk).

If you use any sort of key authentication, no password will be sent ever, but you really have to guard your keys.

Cheers
Robert

--
Robert Casties --------------------- http://philoscience.unibe.ch/~casties
History & Philosophy of Science     Tel: +41/31/631-8505   Room: 216
Institute for Exact Sciences        Sidlerstrasse 5, CH-3012 Bern
Uni Bern (PGP key on homepage: 3C7E CAA6 0A2A 6955 AA25)
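An added example, not code from any of the messages in this thread: a small POSIX shell audit of an sshd_config against the two measures discussed, Robert's point about direct root login and key authentication, and Reto's setup where ssh is reachable only through the VPN. The VPN-side address 10.8.0.1 and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config against the
# two measures discussed above (no direct root login / key-only authentication,
# and sshd reachable only on the VPN-side address). Assumes a flat config
# without Match blocks; like sshd, the first occurrence of a keyword wins.

# values FILE KEYWORD -> every uncommented value of KEYWORD, one per line
values() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == tolower(key) { print $2 }
    ' "$1"
}

# audit_sshd_config FILE VPN_ADDR -> one line per finding on stdout;
# exit status is the number of findings (0 = config follows the advice)
audit_sshd_config() {
    file=$1; vpn_addr=$2; findings=0

    # direct root login: one guessed password gives root straight away
    root=$(values "$file" PermitRootLogin | head -n 1)
    [ "$root" = "no" ] || {
        echo "PermitRootLogin=${root:-unset}: set 'no', so root is only reachable via a user account"
        findings=$((findings + 1)); }

    # password login: a guessed user password still gives a shell; prefer keys
    pw=$(values "$file" PasswordAuthentication | head -n 1)
    [ "$pw" = "no" ] || {
        echo "PasswordAuthentication=${pw:-unset}: set 'no' and use key authentication"
        findings=$((findings + 1)); }

    # sshd must listen on the VPN address only, so the public side shows no ssh port
    n=0; stray=0
    for a in $(values "$file" ListenAddress); do
        n=$((n + 1)); [ "$a" = "$vpn_addr" ] || stray=1
    done
    [ "$n" -gt 0 ] && [ "$stray" -eq 0 ] || {
        echo "ListenAddress: bind only to $vpn_addr (entries found: $n, stray: $stray)"
        findings=$((findings + 1)); }

    return "$findings"
}

# Constructed sample configs (hypothetical VPN address 10.8.0.1)
weak_config()     { printf 'PermitRootLogin yes\nPasswordAuthentication yes\n'; }
hardened_config() { printf 'ListenAddress 10.8.0.1\nPermitRootLogin no\nPubkeyAuthentication yes\nPasswordAuthentication no\n'; }

tmp=$(mktemp); weak_config > "$tmp"
audit_sshd_config "$tmp" 10.8.0.1 || echo "weak config: $? finding(s)"
hardened_config > "$tmp"; audit_sshd_config "$tmp" 10.8.0.1 && echo "hardened config: no findings"
rm -f "$tmp"
```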