PasswordAuthentication yes in sshd_config - SSH


  1. PasswordAuthentication yes in sshd_config

    Is that a security risk? Will password be revealed by a dump program?
    Thank you


  2. Re: PasswordAuthentication yes in sshd_config

    MikeHT wrote:
    > Is that a security risk? Will password be revealed by a dump program?
    > Thank you
    >


    No, not really. Unless you did something stupid in your configuration,
    the password will be sent encrypted and can't be easily sniffed.
    Public keys are better, however, since there you never send the key at all.


    Chris Mattern

  3. Re: PasswordAuthentication yes in sshd_config

    MikeHT wrote:
    > Is that a security risk? Will password be revealed by a dump program?
    > Thank you
    >

    No, but a publicly accessible server will be compromised by
    dictionary/brute force attacks.

  4. Re: PasswordAuthentication yes in sshd_config

    "MikeHT" writes:

    >Is that a security risk? Will password be revealed by a dump program?
    >Thank you


    If the user is able to dump the program he is root, and everything is open
    anyway. dump is the least of your worries.

    The purpose of ssh is to protect against eavesdropping from outside. It
    does not protect at all from someone who has control of the machine it is
    run on.



  5. Re: PasswordAuthentication yes in sshd_config

    In article <44c7b2df$0$15876$4fafbaef@reader2.news.tin.it>,
    brontolo wrote:
    >MikeHT wrote:
    >> Is that a security risk? Will password be revealed by a dump program?
    >> Thank you
    >>

    >No, but a publicly accessible server will be compromised by
    >dictionary/brute force attacks.


    No, brute force only, and if the key is long enough (e.g. 1024-bit RSA)
    then that is infeasible.

    Dictionary is only appropriate when you have obtained a private key
    encrypted with a password/phrase.

    Tony


  6. Re: PasswordAuthentication yes in sshd_config

    >>>>> "Tony" == Tony writes:

    Tony> In article <44c7b2df$0$15876$4fafbaef@reader2.news.tin.it>,
    Tony> brontolo wrote:
    >> MikeHT wrote:
    >>> Is that a security risk? Will password be revealed by a dump
    >>> program? Thank you
    >>>

    >> No, but a publicly accessible server will be compromised by
    >> dictionary/brute force attacks.


    Tony> No, brute force only, and if the key is long enough
    Tony> (e.g. 1024-bit RSA) then that is infeasible.

    Tony> Dictionary is only appropriate when you have obtained a private
    Tony> key encrypted with a password/phrase.

    You missed the point. He's talking about password authentication, not
    publickey.

    --
    Richard Silverman
    res@qoxp.net
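
Added example, not part of the thread: since the replies turn on whether password authentication is actually enabled on an exposed server, this sketch resolves `PasswordAuthentication` from an sshd_config text the way sshd does (keywords are case-insensitive, the first value obtained wins, `Match` blocks override per connection, and an unset keyword defaults to `yes`). The function names and the sample config are constructed for illustration; `Include` files are reported but not read.

```python
import re

DEFAULT = "yes"  # OpenSSH's default when PasswordAuthentication is never set
LINE = re.compile(r"(\w+)\s*(?:=\s*|\s+)(.*)")  # "keyword value" or "keyword=value"

# Constructed sample config (not taken from the thread).
SAMPLE = """\
# constructed sample
Include /etc/ssh/sshd_config.d/*.conf
passwordauthentication no
PasswordAuthentication yes      # ignored: first value wins
PubkeyAuthentication yes
Match Address 192.0.2.0/24
    PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
"""

def audit_password_auth(config_text):
    """Resolve PasswordAuthentication: first value obtained wins per section."""
    result = {"global": None, "match": {}, "includes": []}
    block = None  # criteria of the Match block being read; None = global section
    for raw in config_text.splitlines():
        # Simplification: everything after '#' is treated as a comment.
        m = LINE.fullmatch(raw.split("#", 1)[0].strip())
        if not m:
            continue  # blank line, comment, or keyword without a value
        keyword, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if keyword == "match":
            block = value  # a Match block runs until the next Match or EOF
        elif keyword == "include":
            result["includes"].append(value)  # not followed; may set the value first
        elif keyword == "passwordauthentication":
            if block is not None:
                result["match"].setdefault(block, value)
            elif result["global"] is None:
                result["global"] = value
    if result["global"] is None:
        result["global"] = DEFAULT
    return result

def password_logins_possible(result):
    """True if the global section or any Match block leaves passwords enabled."""
    return result["global"] == "yes" or "yes" in result["match"].values()

if __name__ == "__main__":
    report = audit_password_auth(SAMPLE)
    print(report, password_logins_possible(report))
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; the parser above is for reviewing config text offline.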

