Mailinglist Archive: opensuse-security (601 mails)

AW: [suse-security] SuSE security reputation, etc..
  • From: "OKDesign oHG Security Webmaster" <security@xxxxxxxxxxx>
  • Date: Sat, 5 Aug 2000 20:52:56 +0200
  • Message-id: <BDEBIBCIOPMPINHGJKKPMEJKCBAA.security@xxxxxxxxxxx>
> I just thought to myself:
>
> Why is this insecure? If you login by SSH to do remote
> maintenance, then true, anyone who sniffs your in the clear ftp
> and pop passwords can login as you.
>
> But they can only login as you the USER. They can never sniff the
> root password, as your "su root" password is always encrypted.
>
> ....
>
> and then the penny dropped.
>
> If someone ever logs into your user account. And then you login after
> they have done their mischief, and su, then you have just given away
> the crown jewels. Oh well.

Just one thought:
On our system the only possibility to log in and work on the shell is SSH
with RSA authentication. So, if someone sniffs the "normal" password,
okay, he can get access to the emails and to ftp. But NOT for any
work on the system itself.
Because to log in with SSH, a different password is necessary.
So, okay, this is not really secure, but at least no one can really harm the
system.

Or am I wrong?

--- Stephan
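
An added example, not part of the original mail: one way to check that a server really allows shell login by key only, so that a sniffed ftp or pop password cannot open an SSH session. It assumes current OpenSSH `sshd_config` keywords rather than whatever the poster's 2000-era setup used; the function names and both sample configurations are constructed for illustration.

```python
# Added example: audit sshd_config text for key-only shell login.
# Defaults below are the documented OpenSSH defaults for the global section.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}
# Deprecated keyword that OpenSSH treats as an alias.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_settings(config_text):
    """Return (settings, has_match) for the global part of an sshd_config."""
    settings, has_match = {}, False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        if key == "match":  # conditional blocks are not evaluated here
            has_match = True
            break
        key = ALIASES.get(key, key)
        if key in DEFAULTS and key not in settings:  # first occurrence wins
            settings[key] = value
    return {k: settings.get(k, d) for k, d in DEFAULTS.items()}, has_match


def audit(config_text):
    """List the reasons a sniffed account password could still open a shell."""
    s, has_match = effective_settings(config_text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if s["kbdinteractiveauthentication"] != "no":
        findings.append("KbdInteractiveAuthentication is not 'no'")
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is not 'yes'")
    if has_match:
        findings.append("Match blocks present: review them by hand")
    return findings


# Constructed samples: a commented-out directive leaves the default in force.
WEAK = "Port 22\n#PasswordAuthentication no\nPubkeyAuthentication yes\n"
HARDENED = ("PasswordAuthentication no\nChallengeResponseAuthentication no\n"
            "PubkeyAuthentication yes\nPasswordAuthentication yes\n")
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative source; the parser above only reads the global section of the text it is given.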

