Is that a security risk? Will password be revealed by a dump program?
Thank you
MikeHT wrote:
> Is that a security risk? Will password be revealed by a dump program?
> Thank you
No, not really. Unless you did something stupid in your configuration,
the password will be sent encrypted and can't be easily sniffed.
Public keys are better, however, since there you never send the key at all.
Chris Mattern
MikeHT wrote:
> Is that a security risk? Will password be revealed by a dump program?
> Thank you
No, but a publicly accessible server will be compromised by
dictionary/brute force attacks.
"MikeHT" <mike2.li@gmail.com> writes:
>Is that a security risk? Will password be revealed by a dump program?
>Thank you
If the user is able to dump the program he is root, and everything is open
anyway. dump is the least of your worries.
The purpose of ssh is to protect against eavesdropping from outside. It
does not protect at all from someone who has control of the machine it is
run on.
In article <44c7b2df$0$15876$4fafbaef@reader2.news.tin.it>,
brontolo <brontolo@foo.bar> wrote:
>MikeHT wrote:
>> Is that a security risk? Will password be revealed by a dump program?
>> Thank you
>No, but a publicly accessible server will be compromised by
>dictionary/brute force attacks.
No, brute force only, and if the key is long enough (e.g. 1024-bit RSA)
then that is infeasible.
Dictionary is only appropriate when you have obtained a private key
encrypted with a password/phrase.
Tony
>>>>> "Tony" == Tony <tony@ali.UUCP> writes:
Tony> In article <44c7b2df$0$15876$4fafbaef@reader2.news.tin.it>,
Tony> brontolo <brontolo@foo.bar> wrote:
>> MikeHT wrote:
>>> Is that a security risk? Will password be revealed by a dump
>>> program? Thank you
>> No, but a publicly accessible server will be compromised by
>> dictionary/brute force attacks.
Tony> No, brute force only, and if the key is long enough
Tony> (e.g. 1024-bit RSA) then that is infeasible.
Tony> Dictionary is only appropriate when you have obtained a private
Tony> key encrypted with a password/phrase.
You missed the point. He's talking about password authentication, not
publickey.
--
Richard Silverman
res@qoxp.net
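
Added example, not part of the thread: one way a defender might spot the password guessing against a public SSH server that the posts above discuss, by counting failed password logins per source address in sshd logs and noting any password login accepted afterwards. The log lines are constructed samples using documentation IP ranges, and the threshold is an assumed value.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (documentation IP ranges), not from the thread.
SAMPLE_LOG = """\
Jul 26 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 40111 ssh2
Jul 26 10:00:03 host sshd[1002]: Failed password for root from 203.0.113.5 port 40112 ssh2
Jul 26 10:00:05 host sshd[1003]: Failed password for invalid user test from 203.0.113.5 port 40113 ssh2
Jul 26 10:00:07 host sshd[1004]: Failed password for mike from 203.0.113.5 port 40114 ssh2
Jul 26 10:00:09 host sshd[1005]: Accepted password for mike from 203.0.113.5 port 40115 ssh2
Jul 26 10:05:00 host sshd[1010]: Failed password for mike from 198.51.100.7 port 51000 ssh2
Jul 26 10:05:04 host sshd[1011]: Accepted password for mike from 198.51.100.7 port 51001 ssh2
Jul 26 10:06:00 host sshd[1012]: Accepted publickey for chris from 192.0.2.10 port 52000 ssh2
"""

# Matches OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" lines.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def summarize(log_text, threshold=3):
    """Return {ip: stats} for sources with at least `threshold` failed password logins."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "success_after": []})
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m or m["method"] != "password":
            continue  # public-key logins are not password-guessing targets
        s = stats[m["ip"]]
        if m["result"] == "Failed":
            s["failures"] += 1
            s["users"].add(m["user"])
        elif s["failures"] >= threshold:
            # Password accepted after repeated failures from the same source:
            # treat the account as possibly guessed and review it.
            s["success_after"].append(m["user"])
    return {ip: s for ip, s in stats.items() if s["failures"] >= threshold}


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(ip, s["failures"], sorted(s["users"]), s["success_after"])
```
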