[lug] RSAAuthentication (was: Possible compromise?)

Bear Giles bgiles at coyotesong.com
Mon Jan 27 11:06:00 MST 2003



Rob Nagler wrote:
| I booted the machine this morning, and the root password was empty.
| Even though shadow passwords are enabled, a blank means anybody can
| get in.  You need an "x" in the password to force the shadow lookup.
| And, sshd won't allow you in without a password, but PAM (or
| whatever) will let you in with any password when none is required.

This is where RSAAuthentication comes in.  Even if the PAM layer
is blown, requiring known host and user keys in sshd_config will
limit your exposure.  You can even set up the server to use
RSAAuthentication in place of passwords, but you'll still need the
nsswitch layer working to get user information.

(If you're worried about security, you could still put the user
key on a USB thumb drive and require a passphrase.  I think
there's also support for smart cards.)

The other question is why you allow remote root logins, but I'm
sure that was just for testing purposes. :-)

Bear
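The two checks the thread is really about (does sshd still accept passwords or root logins, and does any account have an empty password field in passwd) can be scripted. The script below is an added example, not code from the original post or from OpenSSH; it assumes a POSIX sh with awk and mktemp, and it uses the current sshd_config keyword PubkeyAuthentication, since RSAAuthentication was the protocol-1 keyword and has since been removed from OpenSSH. The sshd_config and passwd files it reads are constructed samples written to a temporary directory.

```sh
#!/bin/sh
# Added example (not from the original thread): audit an sshd_config and a
# passwd-format file for the weaknesses discussed above.
# Assumed: POSIX sh, awk, mktemp. All sample inputs below are constructed.

# Value of an sshd_config keyword. sshd uses the FIRST occurrence of a
# keyword, keywords are case-insensitive, and comment lines are ignored.
# Usage: sshd_opt <file> <keyword> <default-if-absent>
sshd_opt() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(awk -v key="$key" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { print $2; exit }' "$1")
    printf '%s\n' "${val:-$3}"
}

# Print one finding per line; exit 0 when clean, 1 otherwise.
# The default passed for each keyword is what sshd assumes when it is absent.
sshd_findings() {
    cfg=$1; bad=0
    [ "$(sshd_opt "$cfg" PermitRootLogin prohibit-password)" = no ] ||
        { echo "PermitRootLogin should be no"; bad=1; }
    [ "$(sshd_opt "$cfg" PasswordAuthentication yes)" = no ] ||
        { echo "PasswordAuthentication should be no"; bad=1; }
    [ "$(sshd_opt "$cfg" PermitEmptyPasswords no)" = no ] ||
        { echo "PermitEmptyPasswords should be no"; bad=1; }
    [ "$(sshd_opt "$cfg" PubkeyAuthentication yes)" = yes ] ||
        { echo "PubkeyAuthentication should be yes"; bad=1; }
    # With UsePAM, keyboard-interactive lets PAM prompt for a password even
    # when PasswordAuthentication is off, so it has to be disabled too.
    # Older configs spell it ChallengeResponseAuthentication.
    cra=$(sshd_opt "$cfg" ChallengeResponseAuthentication yes)
    [ "$(sshd_opt "$cfg" KbdInteractiveAuthentication "$cra")" = no ] ||
        { echo "KbdInteractiveAuthentication should be no"; bad=1; }
    return $bad
}

# Print accounts whose password field is empty. An empty field means no
# password is required at all, whatever /etc/shadow holds; a shadowed
# account carries "x" there instead.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# --- constructed sample inputs -------------------------------------------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
WEAK_SSHD=$tmp/sshd_config.weak
HARD_SSHD=$tmp/sshd_config.hard
SAMPLE_PASSWD=$tmp/passwd

cat >"$WEAK_SSHD" <<'EOF'
# constructed sample: password logins and remote root allowed
Port 22
# PasswordAuthentication no   <- commented out, so it must be ignored
PasswordAuthentication yes
PermitRootLogin yes
EOF

cat >"$HARD_SSHD" <<'EOF'
# constructed sample: key-only logins, no root over the network
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
KbdInteractiveAuthentication no
EOF

cat >"$SAMPLE_PASSWD" <<'EOF'
root::0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
EOF

for f in "$WEAK_SSHD" "$HARD_SSHD"; do
    echo "== $f"
    sshd_findings "$f" && echo "no sshd findings"
done
echo "== accounts with empty password field"
empty_password_accounts "$SAMPLE_PASSWD"
```

Point the functions at the real files (`sshd_findings /etc/ssh/sshd_config`, `empty_password_accounts /etc/passwd`) to audit a live host; the passwd check is the one that would have caught the empty root password Rob describes, independently of whether shadow passwords are enabled.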