[pypy-dev] danger on codespeak / password change necessary!

Christian Tismer tismer at stackless.com
Tue Feb 10 01:33:40 CET 2004


Alex Martelli wrote:

> On Friday 06 February 2004 05:13 am, Christian Tismer wrote:
> 
>>holger krekel wrote:
>>
>>>hello users of codespeak,
>>
>>[lots 'o trouble, sorry to hear that]
>>
>>
>>>sorry for the inconvenience,
>>
>>My immediate reaction would be to disallow password
>>only logins via ssh and to enforce to use keys with
>>non-empty passphrases.
> 
> *blink* how do you force sshd to only accept keys with non-empty passphrases?

Unfortunately, the only thing you can do about it is to
beg, of course.

> The passphrase is a client-side issue, not under the control of the server's 
> system administrator.  Having sshd only accept authentication by key and not
> by password would indeed strengthen security a bit (but unless all clients use
> passphrases and/or keep their private keys securely -- nowadays, this means on
> a USB key of some sort, such as those that they're starting to build into
> wristwatches, pens, etc -- only a bit).

Well, I think it's a bit more, even without a phrase.
Although ssh encrypts passwords as well, these are
exposed to other services, and people tend to
use the same passwords in many places.
The fact that the user has to use a special key
makes this access method less vulnerable per se.
There is nothing to be sniffed elsewhere and used here.

>>Also don't use email without encryption to give new
>>passwords out. I have been hosed by this two times
>>(last millennium of course :-)
> 
> However, it's quite safe for a server's sysadm to receive ssh public keys in 
> unencrypted email.  The worst a baddy can do upon intercepting that is allow
> the client to login to the baddy's computer in a man-in-the-middle attempt,
> but he could do that easily anyway with a tweaked sshd that accepts any
> private key -- the real defenses against MitM attacks are others (including
> client's awareness of the server's identification key...!!!).

Nice to see the two of us on the same side!

cheers - chris

-- 
Christian Tismer             :^)   <mailto:tismer at stackless.com>
Mission Impossible 5oftware  :     Have a break! Take a ride on Python's
Johannes-Niemeyer-Weg 9a     :    *Starship* http://starship.python.net/
14109 Berlin                 :     PGP key -> http://wwwkeys.pgp.net/
work +49 30 89 09 53 34  home +49 30 802 86 56  mobile +49 173 24 18 776
PGP 0x57F3BF04       9064 F4E1 D754 C2FF 1619  305B C09C 5A3B 57F3 BF04
      whom do you want to sponsor today?   http://www.stackless.com/