[Gllug] SSH is Not Secure!

Nix nix at esperi.demon.co.uk
Tue Jul 24 20:37:09 UTC 2001


On Tue, 24 Jul 2001, Alex Hudson said:
> How many people around here are going to own up to having
> two-character-or-less passwords??

It's the crypted form that the problem arises with, so this means that
starred-out accounts are vulnerable.

Just another reason not to use commercial SSH... :)

> I did like the quote in the article...
> 
> 	"A two-character password ..[is].. common for several
> 	 administrative accounts .."
> 
> Not in my place for work they aren't ;)

No? None of your system accounts are starred out? Not even bin, daemon,
or nobody?

> Let's face it, you could probably brute-force such an account anyway, unless

No. These are not crypt()able (of course).

> the IDS got wise and notified sysadmin before it happened... it's probably
> only going to contain lowercase letters too, if the sysadmins are lazy
> enough to create two-character passwords. 26x26.. I like those odds...

`NP' as a crypted password is common on, e.g. Suns; `!!' and especially
`*' elsewhere. All are vulnerable.

-- 
`It's all about bossing computers around. Users have to say "please".
Programmers get to say "do what I want NOW or the hard disk gets it".'
                        -- Richard Heathfield on the nature of programming
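A check for the account class Nix describes above (crypted fields such as `*`, `!!` and `NP`), as an added example that is not part of the original post: it parses shadow-style lines, lists accounts whose password field is two characters or fewer, and rewrites those placeholders to a longer string that still cannot be a crypt() output. The sample entries and the `*LOCKED*` marker are assumptions, not taken from any real system.

```python
"""Audit shadow-style entries for short (<= 2 char) password fields.

Added example; constructed data, not from the mailing-list post.
Assumes the classic colon-separated format: name:password:...
"""

# Constructed sample. Field 2 is either a crypt(3) hash or, for system
# and locked accounts, a placeholder crypt() can never produce.
SAMPLE_SHADOW = """\
root:$1$saltsalt$Xm0eQhWyy9lP8x7YQmG1f.:11500:0:99999:7:::
bin:*:11500:0:99999:7:::
daemon:!!:11500:0:99999:7:::
nobody:NP:11500:0:99999:7:::
alice:$1$abcdefgh$abcdefghijklmnopqrstuv:11500:0:99999:7:::
"""

# Field length the thread treats as exposed (an empty field counts too).
SHORT_FIELD = 2
# Replacement marker (assumed): longer than SHORT_FIELD and still not a
# valid crypt() result, so the account remains without a usable password.
LOCK_MARKER = "*LOCKED*"


def parse_shadow(text):
    """Yield (account, password_field) for every non-blank line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        yield fields[0], fields[1] if len(fields) > 1 else ""


def short_password_fields(text):
    """Return names of accounts whose password field is SHORT_FIELD or less."""
    return [name for name, pw in parse_shadow(text) if len(pw) <= SHORT_FIELD]


def lengthen_lock_markers(text):
    """Replace short placeholder fields with LOCK_MARKER; real hashes untouched."""
    out = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) > 1 and len(fields[1]) <= SHORT_FIELD:
            fields[1] = LOCK_MARKER
        out.append(":".join(fields))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name in short_password_fields(SAMPLE_SHADOW):
        print(f"short crypted field: {name}")
```

Run it against a copy of the real file rather than the file in place, and review the list before writing anything back.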

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug