Andrew Lentvorski wrote:
> James G. Sack (jim) wrote:
>> LWN has an article and some useful comments engendered by a ssh attack
>> which installs some kind of rootkit called phalanx2.
>> http://lwn.net/Articles/295712/
>>
>> It is curious(!) that the referenced cert advisory at
>> http://www.us-cert.gov/current/#ssh_key_based_attacks
>>
>> includes words that seem to recommend disabling(!!) key-based
>> authentication. I think the most sensible interpretation is that
>> key-based authentication should be disabled on hosts where penetration
>> _may_ have occurred -- but that doesn't seem right either. Maybe, they
>> are recommending that on a critical system until users and keys can be
>> re-verified.
>>
>> Some of the comments cover strategies previously mentioned in a recent
>> ssh thread here.
>
> Basically, once an attacker goes root, all keys on the machine are
> compromised. That's not a surprise.
>
> A password doesn't get around this either; if the attacker has root,
> you're sniffed. Game, set, match.
>
> The only thing which would get around this is an external-factor
> authentication system. For example, a keycard with changing PINs.
>
> Again, it's all about security vs. convenience vs. expense.
>
> From my point of view, I'd probably try SecurID if it wasn't so blasted
> expensive.
<heh> It is (umm..) entertaining to go to
http://www.google.com/products?q=SecurID&show=dd&price1=&price2=&scoring=pd&btnG=Go&output=html
and toggle the sort order between low-to-hi and hi-to-low price.

..j
--
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
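The "keycard with changing PINs" Andrew mentions works on one-time codes: a code that an attacker captures from a rooted host is useless a moment later, unlike a static password or a private key file. The following Python is an added illustration written for this thread, not code from any of the posters or from a SecurID product: it implements the HOTP counter-based one-time code from RFC 4226 over HMAC-SHA1, plus a small server-side verifier that advances its counter on each successful login so a captured code cannot be replayed. The secret is the RFC 4226 test-vector key, used here only so the values can be checked against the published vectors; `TokenVerifier` and `replay_demo` are names chosen for this example.

```python
import hashlib
import hmac
import struct

# RFC 4226 test-vector secret (ASCII "12345678901234567890"); a constructed
# value for demonstration only, never a key to deploy.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute an RFC 4226 HOTP code for the given 64-bit counter."""
    msg = struct.pack(">Q", counter)                      # counter as 8-byte big-endian
    mac = hmac.new(secret, msg, hashlib.sha1).digest()    # 20-byte HMAC-SHA1
    offset = mac[-1] & 0x0F                               # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server side of a hardware-token login (hypothetical helper for this example).

    Keeps the next counter it expects and accepts a code only if it matches one of
    the next `window` counters; on success the counter moves past the used value,
    so the same code is never accepted twice.
    """

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.counter = 0          # next counter value the server will accept
        self.window = window      # tolerance for the token getting ahead of the server

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            # constant-time comparison avoids leaking how many digits matched
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # invalidate this code and any earlier ones
                return True
        return False


def replay_demo(secret: bytes = RFC4226_SECRET) -> tuple:
    """Show why a sniffed one-time code does not help an attacker.

    Returns (first_login_ok, replay_ok, next_code_ok): the first use succeeds,
    replaying the same captured code fails, and the token's next code succeeds.
    """
    server = TokenVerifier(secret)
    token_counter = 0
    captured = hotp(secret, token_counter)      # what a sniffer on a rooted box would see
    first = server.verify(captured)             # legitimate login
    replay = server.verify(captured)            # attacker replays the captured code
    token_counter += 1
    following = server.verify(hotp(secret, token_counter))  # token's next code
    return first, replay, following


if __name__ == "__main__":
    for n in range(3):
        print(n, hotp(RFC4226_SECRET, n))
    print(replay_demo())
```

Contrast this with the thread's point about passwords: a static password sniffed once works every time, whereas here `replay_demo` returns `(True, False, True)`. The counter window also shows the operational trade-off: too small and a token pressed a few times without logging in desynchronises, too large and the verifier does more HMAC work per attempt.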
