On Friday 06 February 2004 05:13 am, Christian Tismer wrote:
holger krekel wrote:
hello users of codespeak,
[lots 'o trouble, sorry to hear that]
sorry for the inconvenience,
My immediate reaction would be to disallow password only logins via ssh and to enforce to use keys with non-empty passphrases.
*blink* how do you force sshd to only accept keys with non-empty passphrases?
Unfortunately, the only thing you can do about it is to beg, of course.
The passphrase is a client-side issue, not under the control of the server's system administrator. Having sshd only accept authentication by key and not by password would indeed strengthen security a bit (but unless all clients use passphrases and/or keep their private keys securely -- nowadays, this means on a USB key of some sort, such as those that they're starting to build into wristwatches, pens, etc -- only a bit).
Well, I think it's a bit more, even without a phrase. Although ssh encrypts passwords as well, these are exposed to other services, and people tend to use the same passwords in many places. The fact that the user has to use a special key makes this access method less vulnerable per se. There is nothing to be sniffed elsewhere and used here.
Also don't use email without encryption to give new passwords out. I have been hosed by this two times (last millennium of course :-)
However, it's quite safe for a server's sysadm to receive ssh public keys in unencrypted email. The worst a baddy can do upon intercepting that is allow the client to login to the baddy's computer in a man-in-the-middle attempt, but he could do that easily anyway with a tweaked sshd that accepts any private key -- the real defenses against MitM attacks are others (including client's awareness of the server's identification key...!!!).
Nice to see the two of us on the same side!
cheers - chris
--
Christian Tismer :^) <mailto:[EMAIL PROTECTED]>
Mission Impossible 5oftware : Have a break! Take a ride on Python's
Johannes-Niemeyer-Weg 9a : *Starship* http://starship.python.net/
14109 Berlin : PGP key -> http://wwwkeys.pgp.net/
work +49 30 89 09 53 34 home +49 30 802 86 56 mobile +49 173 24 18 776
PGP 0x57F3BF04 9064 F4E1 D754 C2FF 1619 305B C09C 5A3B 57F3 BF04
whom do you want to sponsor today? http://www.stackless.com/

_______________________________________________
[EMAIL PROTECTED]
http://codespeak.net/mailman/listinfo/pypy-dev
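An added example, not from this thread or any of its authors, for the two halves of the advice above: a server-side audit of sshd_config for directives that still let password logins through, and the client-side test of whether a private key file is passphrase-protected (which, as the thread says, the server cannot see). It assumes the standard sshd_config directive names and the openssh-key-v1 and legacy PEM private key layouts; the sample config and key headers are constructed, not real keys.

```python
import base64
import struct

# Assumed key-only policy: sshd_config directive -> required value.
EXPECTED = {"passwordauthentication": "no",
            "pubkeyauthentication": "yes",
            "challengeresponseauthentication": "no"}

def audit_sshd_config(text):
    """Return {directive: problem} for settings that still let password logins through."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        seen.setdefault(key, value)   # sshd honours the first occurrence of a directive
    problems = {}
    for key, want in EXPECTED.items():
        if key not in seen:
            problems[key] = "not set; compiled-in default applies"
        elif seen[key] != want:
            problems[key] = "is %r, want %r" % (seen[key], want)
    return problems

def private_key_is_encrypted(pem):
    """True if an OpenSSH private key file needs a passphrase to unlock it."""
    lines = [l.strip() for l in pem.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\0"
        if not blob.startswith(magic):
            raise ValueError("not an openssh-key-v1 blob")
        (n,) = struct.unpack(">I", blob[len(magic):len(magic) + 4])
        cipher = blob[len(magic) + 4:len(magic) + 4 + n]  # first field: ciphername
        return cipher != b"none"
    # Legacy PEM keys mark a passphrase with a "Proc-Type: 4,ENCRYPTED" header.
    return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)

def fake_openssh_key(cipher):
    """Constructed sample: only the leading header fields of the format, no key material."""
    body = b"openssh-key-v1\0" + struct.pack(">I", len(cipher)) + cipher
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n"
            % base64.b64encode(body).decode())

SAMPLE_CONFIG = "# constructed sshd_config excerpt\nPort 22\nPasswordAuthentication yes\nPubkeyAuthentication yes\n"
```

Run `audit_sshd_config` over the real file (or over the output of `sshd -T`, which prints effective values) and `private_key_is_encrypted` over each file under a user's `~/.ssh` to find keys that have no passphrase.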
