[pypy-dev] danger on codespeak / password change necessary!
aleaxit at yahoo.com
Fri Feb 6 17:49:34 CET 2004
On Friday 06 February 2004 05:13 am, Christian Tismer wrote:
> holger krekel wrote:
> > hello users of codespeak,
> [lots 'o trouble, sorry to hear that]
> > sorry for the inconvenience,
> My immediate reaction would be to disallow password
> only logins via ssh and to enforce to use keys with
> non-empty passphrases.
*blink* how do you force sshd to only accept keys with non-empty passphrases?
The passphrase is a client-side issue, not under the control of the server's
system administrator. Having sshd only accept authentication by key and not
by password would indeed strengthen security a bit (but unless all clients use
passphrases and/or keep their private keys securely -- nowadays, this means on
a USB key of some sort, such as those that they're starting to build into
wristwatches, pens, etc -- only a bit).
> Also don't use email without encryption to give new
> passwords out. I have been hosed by this two times
> (last millennium of course :-)
However, it's quite safe for a server's sysadm to receive ssh public keys in
unencrypted email. The worst a baddy can do upon intercepting that is allow
the client to log in to the baddy's computer in a man-in-the-middle attempt,
but he could do that easily anyway with a tweaked sshd that accepts any
private key -- the real defenses against MitM attacks are others (including
client's awareness of the server's identification key...!!!).
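The server-side half of Christian's suggestion (refuse password-only logins, accept keys) is something a sysadm can check mechanically; the passphrase half is not, since sshd never sees the client's passphrase. The script below is an added example for this thread, not code from the original post or from codespeak: it audits an sshd_config for the relevant OpenSSH directives (`PasswordAuthentication`, `ChallengeResponseAuthentication`, `PubkeyAuthentication`, `PermitEmptyPasswords`, all real keywords) using sshd's rule that the first occurrence of a directive wins. The two sample config files and the helper names are constructed for illustration; `Match` blocks are not handled.

```shell
#!/bin/sh
# Added example (not from the pypy-dev thread): audit an sshd_config for
# key-only logins. The sample configs written below are constructed.

# Effective value of a directive. sshd honours the FIRST occurrence of a
# keyword and ignores later duplicates, so we take the first uncommented
# match (keyword is case-insensitive) and fall back to the OpenSSH default.
sshd_directive() {
    # $1 = config file, $2 = keyword, $3 = OpenSSH default when absent
    _val=$(grep -i -E "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print tolower($2)}')
    if [ -n "$_val" ]; then printf '%s\n' "$_val"; else printf '%s\n' "$3"; fi
}

# Returns 0 when the config only allows key-based logins, 1 otherwise,
# printing one FAIL line per offending directive.
audit_sshd_config() {
    cfg=$1
    rc=0
    pw=$(sshd_directive "$cfg" PasswordAuthentication yes)
    cr=$(sshd_directive "$cfg" ChallengeResponseAuthentication yes)
    pk=$(sshd_directive "$cfg" PubkeyAuthentication yes)
    ep=$(sshd_directive "$cfg" PermitEmptyPasswords no)
    [ "$pw" = no ]  || { echo "FAIL: PasswordAuthentication is '$pw', want no"; rc=1; }
    # With PAM, keyboard-interactive can still prompt for the account password
    # even when PasswordAuthentication is off, so this one must be off too.
    [ "$cr" = no ]  || { echo "FAIL: ChallengeResponseAuthentication is '$cr', want no"; rc=1; }
    [ "$pk" = yes ] || { echo "FAIL: PubkeyAuthentication is '$pk', want yes"; rc=1; }
    [ "$ep" = no ]  || { echo "FAIL: PermitEmptyPasswords is '$ep', want no"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $cfg permits key-based logins only"
    return "$rc"
}

# Constructed sample configs (not codespeak's real configuration).
WEAK_CFG=$(mktemp)
HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

cat > "$WEAK_CFG" <<'EOF'
# constructed sample: password logins still allowed
Port 22
Protocol 2
PasswordAuthentication yes
PubkeyAuthentication yes
# a later duplicate does NOT override the first occurrence above
PasswordAuthentication no
EOF

cat > "$HARD_CFG" <<'EOF'
# constructed sample: key-only logins
Port 22
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
EOF

# Stand-alone demo: the weak config fails, the hardened one passes.
audit_sshd_config "$WEAK_CFG" || true
audit_sshd_config "$HARD_CFG" || true
```

Run it against a live host with `audit_sshd_config /etc/ssh/sshd_config` after the functions are sourced; `sshd -T` is the authoritative way to see effective values once `Match` blocks are involved, and the passphrase question remains entirely on the client side, as Alex notes.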