PasswordAuthentication yes in sshd_config - SSH
PasswordAuthentication yes in sshd_config
Is that a security risk? Will password be revealed by a dump program?
Thank you
-
Re: PasswordAuthentication yes in sshd_config
MikeHT wrote:
> Is that a security risk? Will password be revealed by a dump program?
> Thank you
>
No, not really. Unless you did something stupid in your configuration,
the password will be sent encrypted and can't be easily sniffed.
Public keys are better, however, since there you never send the key at all.
Chris Mattern
-
Re: PasswordAuthentication yes in sshd_config
MikeHT wrote:
> Is that a security risk? Will password be revealed by a dump program?
> Thank you
>
No, but a publicly accessible server will be compromised by
dictionary/brute-force attacks.
-
Re: PasswordAuthentication yes in sshd_config
"MikeHT" writes:
>Is that a security risk? Will password be revealed by a dump program?
>Thank you
If the user is able to dump the program he is root, and everything is open
anyway. dump is the least of your worries.
The purpose of ssh is to protect against eavesdropping from outside. It
does not protect at all from someone who has control of the machine it is
run on.
-
Re: PasswordAuthentication yes in sshd_config
In article <44c7b2df$0$15876$4fafbaef@reader2.news.tin.it>,
brontolo wrote:
>MikeHT wrote:
>> Is that a security risk? Will password be revealed by a dump program?
>> Thank you
>>
>No, but a publicly accessible server will be compromised by
>dictionary/brute-force attacks.
No, brute force only, and if the key is long enough (e.g. 1024-bit RSA)
then that is infeasible.
Dictionary is only appropriate when you have obtained a private key
encrypted with a password/phrase.
Tony
-
Re: PasswordAuthentication yes in sshd_config
>>>>> "Tony" == Tony writes:
Tony> In article <44c7b2df$0$15876$4fafbaef@reader2.news.tin.it>,
Tony> brontolo wrote:
>> MikeHT wrote:
>>> Is that a security risk? Will password be revealed by a dump
>>> program? Thank you
>>>
>> No, but a publicly accessible server will be compromised by
>> dictionary/brute-force attacks.
Tony> No, brute force only, and if the key is long enough
Tony> (e.g. 1024-bit RSA) then that is infeasible.
Tony> Dictionary is only appropriate when you have obtained a private
Tony> key encrypted with a password/phrase.
You missed the point. He's talking about password authentication, not
publickey.
--
Richard Silverman
res@qoxp.net
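
Added example, not part of the thread and not OpenSSH's own code: a small audit that reports where an sshd_config still leaves a password prompt enabled, which is the exposure the brute-force replies above are about. It assumes upstream OpenSSH defaults and first-value-wins parsing; the sample config and the function names `audit` and `password_logins` are constructed for illustration.

```python
import re

# Upstream OpenSSH defaults. Both keywords can end in a password prompt
# (keyboard-interactive does so when PAM handles authentication).
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed sample config, not taken from the thread.
SAMPLE = """\
PasswordAuthentication no
PasswordAuthentication yes   # ignored: sshd keeps the first value it reads
ChallengeResponseAuthentication no
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""


def audit(config_text):
    """Return {scope: {keyword: value}}; scope is "global" or a Match line.

    Files pulled in with Include are not followed (assumption of this sketch).
    """
    scopes, scope = {"global": {}}, "global"
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # tolerate "Key=value"
        key, arg = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            scope = "Match " + arg
            scopes.setdefault(scope, {})
            continue
        key = ALIASES.get(key, key)
        if key in DEFAULTS and arg:
            # setdefault keeps the first value seen in this scope
            scopes[scope].setdefault(key, arg.split()[0].strip('"').lower())
    return scopes


def password_logins(config_text):
    """List (scope, keyword) pairs that leave a password prompt enabled."""
    scopes = audit(config_text)
    effective_global = {**DEFAULTS, **scopes["global"]}
    findings = []
    for scope, seen in scopes.items():
        for key, value in {**effective_global, **seen}.items():
            # Match blocks are reported only when they set the keyword themselves
            if value == "yes" and (scope == "global" or key in seen):
                findings.append((scope, key))
    return findings
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; this sketch only reads the file text.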