Can someone help a Newbie
Hi,

I have noticed recently that attempted connections to my box aren't being logged in syslog. I haven't changed anything since install it appeared ok then, I have had friends try connecting while they get refused, I don't see a corresponding line for the refusal, I used to use RH while this was all located in messages, I could grep through come up with all the attempts.

Is there something I haven't turned on? Or are the ipchains logging to yet another file?

Regards,
1h0p1355 N3w813
Re: Can someone help a Newbie
cdpye, 2001-Aug-30 15:19 +1000:

Hi,

I have noticed recently that attempted connections to my box aren't being logged in syslog. I haven't changed anything since install it appeared ok then, I have had friends try connecting while they get refused, I don't see a corresponding line for the refusal, I used to use RH while this was all located in messages, I could grep through come up with all the attempts.

Is there something I haven't turned on? Or are the ipchains logging to yet another file?

Regards,
1h0p1355 N3w813

Hmmm...telnet logins should be logged in syslog, failed logins for telnet along with successful and failed ssh, pam and su logins are logged in /var/log/auth.log. Check there.

jc

-- 
Jeff Coppock        Nortel Networks
Systems Engineer    http://nortelnetworks.com
Major Accts.        Santa Clara, CA
Open SSL Certificate
Can anybody tell me how to create a Certificate Signature Request using openssl ??

I have tried

    /etc/ssl# openssl req openssl.cnf test

But get the following error

    Using configuration from /usr/lib/ssl/openssl.cnf
    unable to load X509 request
    857:error:02001002:system library:fopen:system lib:bss_file.c:103:fopen('/root/.oid','r')
    857:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:105:
    857:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:610:

:o(

Marcel
Re: Open SSL Certificate
The OpenSSL web site (http://www.openssl.org) has some rather good documentation on how to generate the certificates and setting up a CA...

Jeremy

On Wed, Aug 29, 2001 at 12:09:20PM +0800, Marcel Welschbillig wrote:

Can anybody tell me how to create a Certificate Signature Request using openssl ??

I have tried

    /etc/ssl# openssl req openssl.cnf test

But get the following error

    Using configuration from /usr/lib/ssl/openssl.cnf
    unable to load X509 request
    857:error:02001002:system library:fopen:system lib:bss_file.c:103:fopen('/root/.oid','r')
    857:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:105:
    857:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:610:

:o(

Marcel
[Fwd: Re: Open SSL Certificate]
Just answering my own question in case it helps anyone, the following command did it for me !

    openssl req -new -out cert.csr

Too easy.

PS Thanks Jeremy for putting me on to www.openssl.org

Marcel

Original Message
Subject: Re: Open SSL Certificate
Date: Tue, 28 Aug 2001 21:25:06 -0700
From: Jeremy B [EMAIL PROTECTED]
To: Marcel Welschbillig [EMAIL PROTECTED]
CC: debian-security debian-security@lists.debian.org
References: [EMAIL PROTECTED]

The OpenSSL web site (http://www.openssl.org) has some rather good documentation on how to generate the certificates and setting up a CA...

Jeremy

On Wed, Aug 29, 2001 at 12:09:20PM +0800, Marcel Welschbillig wrote:

Can anybody tell me how to create a Certificate Signature Request using openssl ??

I have tried

    /etc/ssl# openssl req openssl.cnf test

But get the following error

    Using configuration from /usr/lib/ssl/openssl.cnf
    unable to load X509 request
    857:error:02001002:system library:fopen:system lib:bss_file.c:103:fopen('/root/.oid','r')
    857:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:105:
    857:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:610:

:o(

Marcel
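An added example, not part of the original posts: without -new, openssl req reads an existing request from its input, which is consistent with the "unable to load X509 request" error quoted above. The sketch below creates a key and CSR non-interactively and then checks the result before it goes to a CA; the file names, the subject and the function names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). File names, subject and function
# names are placeholders chosen for illustration.

# make_csr DIR CN: create a new 2048-bit RSA key and a CSR for CN in DIR.
make_csr() {
    ( umask 077   # the private key must not be group/world readable
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$1/server.key" -out "$1/cert.csr" \
          -subj "/CN=$2" 2>/dev/null )
}

# csr_ok FILE: succeed only if FILE parses as a request and its
# self-signature verifies (the requester holds the matching private key).
csr_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# csr_subject FILE: print the subject the CA will be asked to certify.
csr_subject() {
    openssl req -in "$1" -noout -subject
}

work=$(mktemp -d)
if make_csr "$work" www.example.org && csr_ok "$work/cert.csr"; then
    csr_subject "$work/cert.csr"
fi

# A file that is not a PEM request is rejected at the parsing step.
echo 'not a request' > "$work/bogus.csr"
csr_ok "$work/bogus.csr" || echo "bogus.csr rejected"
```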
Re: Sniffing SSH and HTTPS
On Tue, Aug 28, 2001 at 05:57:39PM -0600, Hubert Chan wrote:

Richard == Richard [EMAIL PROTECTED] writes:

[...]

Richard> There also an analysis of the ssh packetstream
Richard> revealing the number of chars in the passwd.

Small clarification: this may reveal the number of characters in any password that you type _within_ the ssh session. This does not affect the password that you use to initially log in, as the whole password is sent in one packet.

indeed.

Of course, the attacker would need to know that you are typing in a password at that time.

Ahhh, but this is quite easily guessable, since for most stuff you type, the server echoes it. For passwords, it doesn't. i.e. just watch the SSH session, and when you see packets going to the server that aren't being echoed you know the person is typing a password and you can count the characters.

Richard> Attacks can still be done when the fingerprint is
Richard> unknown (e.g. first connect to the box)

Yes, and to answer the OP's second question (how to make ssh secure), copy the server's public key over a known secure channel (e.g. if you're at work, get the admin to stick it on a floppy for you), or get the fingerprint over a known secure channel (e.g. phone the admin and ask for the fingerprint). And make SSH refuse to connect if it doesn't have the server in /etc/ssh/known_hosts.

Richard> or brute-force on fingerprint / rsa / dsa.

And if you manage to brute-force the fingerprint/rsa/dsa, we've got problems. :)

The problem with man in the middle attacks is that people far too easily click on Yes when asked to accept a key that has changed (or type in yes when asked a similar question by SSH.) i.e. you should make sure you copy the relevant keys over a secure channel (as mentioned above) and then make sure your client is configured not to work if it doesn't have the server's key already. This doesn't work when you want to connect to some arbitrary secure web site, though.

-- 
Michael Wood [EMAIL PROTECTED]
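The advice in the message above (get the server's key over a secure channel, then have the client refuse anything else) can be checked mechanically. This is an added example, not part of the original message: it assumes the one-line OpenSSH known_hosts format (host names, key type, base64 key) with unhashed host names, and check_pinned_key, the host names and the keys are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). The keys below are constructed
# placeholders, not real host keys; check_pinned_key is a hypothetical name.

# check_pinned_key HOST PUBFILE KNOWN_HOSTS
#   0: HOST is listed with exactly the key in PUBFILE (the out-of-band copy)
#   1: HOST is listed, but only with a different key
#   2: HOST is not listed at all
# Hashed entries ("|1|...") and @cert-authority/@revoked lines are skipped.
check_pinned_key() {
    want=$(awk 'NF >= 2 { print $1 " " $2; exit }' "$2")
    awk -v host="$1" -v want="$want" '
        NF < 3 || $1 ~ /^[#@|]/ { next }
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == host) {
                    seen = 1
                    if (($2 " " $3) == want) ok = 1
                }
        }
        END { if (ok) exit 0; if (seen) exit 1; exit 2 }
    ' "$3"
}

# Constructed demo data: the key handed over by the admin, a different key,
# and a known_hosts file that was populated from the admin's copy.
demo=$(mktemp -d)
echo 'ssh-ed25519 AAAAC3ExampleKeyFromAdmin root@shell' > "$demo/admin.pub"
echo 'ssh-ed25519 AAAAC3ExampleSomeOtherKey' > "$demo/other.pub"
cat > "$demo/known_hosts" <<'EOF'
# constructed sample
shell.example.org,192.0.2.10 ssh-ed25519 AAAAC3ExampleKeyFromAdmin
EOF

# Client setting that makes ssh refuse unknown or changed host keys instead
# of asking the user (usable as: ssh -F "$demo/ssh_config" HOST).
cat > "$demo/ssh_config" <<'EOF'
Host *
    StrictHostKeyChecking yes
EOF

for h in shell.example.org unknown.example.org; do
    rc=0
    check_pinned_key "$h" "$demo/admin.pub" "$demo/known_hosts" || rc=$?
    echo "$h: status $rc"
done
```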
Re: Sniffing SSH and HTTPS
Michael == Michael Wood [EMAIL PROTECTED] writes:

Michael> Ahhh, but this is quite easily guessable, since for most
Michael> stuff you type, the server echoes it. For passwords, it
Michael> doesn't. i.e. just watch the SSH session, and when you see
Michael> packets going to the server that aren't being echoed you know
Michael> the person is typing a password and you can count the
Michael> characters.

Frightening that echoing *'s for the password could actually have security *advantages*.

-Eric
Re: Sniffing SSH and HTTPS
On Wed, Aug 29, 2001 at 01:40:20PM +0100, Eric E Moore wrote:

Michael == Michael Wood [EMAIL PROTECTED] writes:

Michael> Ahhh, but this is quite easily guessable, since for most
Michael> stuff you type, the server echoes it. For passwords, it
Michael> doesn't. i.e. just watch the SSH session, and when you see
Michael> packets going to the server that aren't being echoed you know
Michael> the person is typing a password and you can count the
Michael> characters.

Frightening that echoing *'s for the password could actually have security *advantages*.

OpenSSH 2.something (2.5.2 I think) added a mechanism where it sends random noop packets back and forth, so it becomes difficult to impossible to determine when a password is being typed, it also throws a monkey wrench in this whole `sniffing encrypted sessions' nonsense. Solar Designer's analysis talked about this iirc.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
Re: Sniffing SSH and HTTPS
Michael == Michael Wood [EMAIL PROTECTED] writes:

[...]

Michael> Ahhh, but this is quite easily guessable, since for most stuff
Michael> you type, the server echoes it. For passwords, it doesn't.
Michael> i.e. just watch the SSH session, and when you see packets
Michael> going to the server that aren't being echoed you know the
Michael> person is typing a password and you can count the characters.

IIRC, this was one of the problems with SSH1 that was fixed in SSH2 (the protocol version, not the program version). I think that SSH2 will always send back some packet to the client -- either a dummy packet, or a real packet. Dang, can't remember where I read that.

[...]

Michael> The problem with man in the middle attacks is that people far
Michael> too easily click on Yes when asked to accept a key that has
Michael> changed (or type in yes when asked a similar question by
Michael> SSH.)

Yup. The biggest security hole is social engineering.

-- 
Hubert Chan [EMAIL PROTECTED] - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/651854DF71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD 6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net. Please encrypt *all* e-mail to me.
gnupg fingerprint
Hi all.

I'm using gnupg and I want to know if it is possible to add a key to my trusted ring from a key fingerprint.

thanks
Re: gnupg fingerprint
On Wed, Aug 29, 2001 at 09:46:29PM -0300, Eduardo Gargiulo wrote:

Hi all. I'm using gnupg and I want to know if it is possible to add a key to my trusted ring from a key fingerprint.

I'm not sure what you mean by your trusted ring. If you just want to get their public key into your keyring, try doing gpg --recv-key followed by their key ID. The key ID is the last 8 characters of the fingerprint (so my key ID, as seen in the fingerprint in my sig, is EBD5936B).

I hope that helps.

-- 
Steven Barker [EMAIL PROTECTED]
Non-Determinism is not meant to be reasonable. -- M.J. O'Donnell
GnuPG public key: http://www.students.uiuc.edu/~scbarker/pubkey.asc
Fingerprint: 272A 3EC8 52CE F22B F745 775E 5292 F743 EBD5 936B
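An 8-character key ID is only the last 32 bits of the fingerprint, so after fetching a key by ID the full fingerprint still has to be compared with the one obtained from the key's owner. The following is an added example, not part of the original message: it parses listings in the format printed by gpg --with-colons --fingerprint; the two listings are constructed samples built around the fingerprint in the signature above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Listings are constructed samples in
# gpg's --with-colons format; only the "pub" and "fpr" records are used.

# normalize_fpr STRING: drop spaces and colons, upper-case the hex digits.
normalize_fpr() { printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F'; }

# short_id FPR: the 8-character key ID, i.e. the last 32 bits of FPR.
short_id() { normalize_fpr "$1" | sed 's/.*\(........\)$/\1/'; }

# primary_fprs: read a colon listing on stdin and print the fingerprint
# (field 10 of the "fpr" record) that follows each "pub" record.
primary_fprs() {
    awk -F: '$1 == "pub" { p = 1; next }
             $1 == "fpr" && p { print toupper($10); p = 0 }'
}

# fingerprint_matches EXPECTED: succeed only if the listing on stdin holds
# at least one primary key and every one has the EXPECTED full fingerprint.
fingerprint_matches() {
    want=$(normalize_fpr "$1")
    primary_fprs | awk -v want="$want" '
        { n++; if ($0 != want) bad = 1 }
        END { exit !(n > 0 && !bad) }'
}

# Fingerprint as received from the key owner over a trusted channel
# (here: the one printed in the signature of the message above).
trusted='272A 3EC8 52CE F22B F745 775E 5292 F743 EBD5 936B'

# Constructed listing for the key fetched by its short ID.
good_listing='pub:-:1024:17:5292F743EBD5936B:::::::
fpr:::::::::272A3EC852CEF22BF745775E5292F743EBD5936B:'

# Constructed listing in which a second, unrelated key shares the short ID.
clash_listing="$good_listing
pub:-:1024:17:01234567EBD5936B:::::::
fpr:::::::::000102030405060708090A0B01234567EBD5936B:"

echo "key ID to fetch: $(short_id "$trusted")"
for l in "$good_listing" "$clash_listing"; do
    if printf '%s\n' "$l" | fingerprint_matches "$trusted"
    then echo "full fingerprint matches"
    else echo "mismatch: do not rely on this key"
    fi
done
```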