Mailinglist Archive: opensuse-security (601 mails)

Re: [suse-security] SuSE security reputation, etc..
  • From: dproc@xxxxxxx
  • Date: Fri, 4 Aug 2000 18:14:52 -0400
  • Message-id: <20000804181452.A12377@xxxxxxxxxxxxxxx>
On Wed, 02 Aug 2000, rhoerbe@xxxxxxxxxxxxxxxx wrote:

> A very common setup for a system with remote maintenance is to use SSH for
> shell access. However, this is insecure, if you keep using ftp and pop for
> the same account with the same password.

I just thought to myself:

Why is this insecure? If you log in by SSH to do remote
maintenance, then true, anyone who sniffs your in-the-clear ftp
and pop passwords can log in as you.

But they can only log in as you the USER. They can never sniff the
root password, as your "su root" password is always encrypted.

....

and then the penny dropped.

If someone ever logs into your user account, and then you log in after
they have done their mischief and su, then you have just given away
the crown jewels. Oh well.

Not a troll, just an observation: Microsoft ftp and pop servers have the
same problem - but those I have used use a separate user database, so
it's up to the user to have different passwords.

Let us all admins vow not to use our /etc/shadow passwords for any
clear text service. 3 cheers for IMAP-SSL and scp.

dproc
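The "mischief" dproc describes is usually a planted `su` (earlier in PATH, or as a shell alias or function) that captures the root password the next time the legitimate user types "su root". The following is an added example, not code from the original post or thread, of an audit an admin can run on a user's environment to catch that; the genuine su path and the rc files to inspect are passed in by the caller (assumptions, not fixed values).

```shell
#!/bin/sh
# Added example: audit a user's environment for a shadowed "su".
# audit_su_path GENUINE_SU PATH_VALUE
#   Prints every "su" found in PATH_VALUE that is not the same file as
#   GENUINE_SU (e.g. /bin/su). Returns 1 if any was found, else 0.
audit_su_path() {
    _genuine="$1"
    _path="$2"
    _found=0
    _old_ifs="$IFS"
    IFS=:
    for _dir in $_path; do
        [ -z "$_dir" ] && _dir="."          # an empty PATH entry means cwd
        # -ef compares inode identity, so /usr/bin/su merged with /bin/su is fine
        if [ -f "$_dir/su" ] && ! [ "$_dir/su" -ef "$_genuine" ]; then
            echo "suspicious su in PATH: $_dir/su"
            _found=1
        fi
    done
    IFS="$_old_ifs"
    return $_found
}

# audit_su_rc FILE...
#   Prints lines in shell startup files that define an alias or function
#   named "su" (these win over PATH lookup). Returns 1 if any was found.
audit_su_rc() {
    _found=0
    for _f in "$@"; do
        [ -r "$_f" ] || continue
        _hits=$(grep -nE \
            '^[[:space:]]*(alias[[:space:]]+su=|su[[:space:]]*\(\)|function[[:space:]]+su([[:space:]]|$))' \
            "$_f" || true)
        if [ -n "$_hits" ]; then
            printf '%s\n' "$_hits" | sed "s|^|suspicious su definition in $_f:|"
            _found=1
        fi
    done
    return $_found
}

# Typical invocation for the logged-in user (genuine path is an assumption):
#   audit_su_path /bin/su "$PATH"; audit_su_rc ~/.profile ~/.bashrc ~/.bash_aliases
```

A clean result only rules out the PATH and rc-file tricks; it says nothing about a modified login shell or a trojaned binary, so treat a compromised account's su as untrusted until the system itself has been verified.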
