[Gllug] RSA or DSA

Alain Williams addw at phcomp.co.uk
Tue May 17 22:52:47 UTC 2005


On Tue, May 17, 2005 at 11:41:31PM +0100, Nix wrote:
> On Tue, 17 May 2005, Alain Williams announced authoritatively:
> > Whatever the reason you are failing to login - you SHOULD NOT attempt to do
> > what you are trying above -- login to a remote machine over the Internet as ROOT !!!
> > This is what would happen if your laptop/workstation got owned/compromised: all the
> > other machines would be compromised as well.
> 
> Well, to be honest, if you're sshing in, they're not likely to crack the
> comms channel, and if they've trojaned your ssh or sshd or are keylogging
> you, they'll catch you just as well if you su.

Nah - they don't need to hack the binaries or keylog or crack the comms channel.
If they gain access to your machine when you are logged in and become you (or root),
all that they need to do is work out what to set $SSH_AGENT_PID and $SSH_AUTH_SOCK to
(neither of which is difficult); then they use your active ssh-agent to log in to
other machines without quoting a password and without knowing your passphrase.

Thus being forced to quote a root password on the other box really does make
things more difficult for them.

> For unencrypted logins, I agree, and I do have the habit of
> ssh-and-then-su, but the sole advantage of that now is auditing, I think
> (i.e. you can see who used su).

I agree that that is also a very good reason for doing it.

-- 
Alain Williams
Parliament Hill Computers Ltd.
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256

#include <std_disclaimer.h>
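The thread's advice is to refuse direct root logins on the remote box so that a hijacked ssh-agent still has to get past the root password. As an added, defender-side example that is not part of the thread (and not code from Alain or from OpenSSH), the following Python audit parses an sshd_config and reports how PermitRootLogin is set. It follows two rules from sshd_config(5): keywords are case-insensitive, and for a repeated keyword sshd keeps the first value it reads, so a later "PermitRootLogin no" does not override an earlier "yes". The sample configs are constructed, not taken from any real host; the stated defaults (yes before OpenSSH 7.0, prohibit-password since) are the OpenSSH project's own.

```python
"""Audit an sshd_config for direct root login (added example, not from the thread)."""
import re

# Constructed sample: a host that thinks it has disabled root login but has not.
SAMPLE_WEAK = """\
# constructed sample sshd_config, not from any real host
Port 22
PermitRootLogin yes
PermitRootLogin no
Match Address 10.0.0.0/8
    PermitRootLogin prohibit-password
"""

# Constructed sample: the setting the thread recommends (ssh as a user, then su).
SAMPLE_HARDENED = """\
PermitRootLogin no
PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return a list of (scope, directives) pairs.

    scope is "global" or the criteria string of a Match block; directives maps a
    lower-cased keyword to every value seen for it, in file order (sshd uses the
    first one). Like sshd, only lines whose first token starts with '#' are comments.
    """
    scopes = [("global", {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Keyword value", "Keyword=value" and "Keyword = value".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            scopes.append((value, {}))   # everything below applies to this block
            continue
        scopes[-1][1].setdefault(keyword, []).append(value)
    return scopes


def audit_root_login(text):
    """Return a list of findings (strings); an empty list means nothing to flag."""
    findings = []
    for scope, directives in parse_sshd_config(text):
        values = directives.get("permitrootlogin")
        where = "globally" if scope == "global" else f"in 'Match {scope}'"
        if values is None:
            if scope == "global":
                findings.append("PermitRootLogin is not set globally; the default is "
                                "'yes' before OpenSSH 7.0 and 'prohibit-password' since, "
                                "so set it to 'no' explicitly")
            continue
        effective = values[0].lower()   # first value wins, as in sshd_config(5)
        if len({v.lower() for v in values}) > 1:
            findings.append(f"PermitRootLogin appears {len(values)} times {where} with "
                            f"different values; sshd uses the first one ('{values[0]}')")
        if effective == "yes":
            findings.append(f"PermitRootLogin yes {where}: root can log in directly "
                            "with a password over the network")
        elif effective in ("prohibit-password", "without-password", "forced-commands-only"):
            findings.append(f"PermitRootLogin {values[0]} {where}: root can still log in "
                            "with a key, so a hijacked ssh-agent gets root without a password")
        # 'no' is the only value that forces the ssh-as-user-then-su pattern.
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(f"== {name} ==")
        for finding in audit_root_login(cfg) or ["no findings"]:
            print(" -", finding)
```

Run it against a real file with `audit_root_login(open("/etc/ssh/sshd_config").read())`; the Match-block handling matters because an operator who grepped only for the global line would miss root access granted to a subnet.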