On 15/09/2011 20:46, Orchid XP v8 wrote:
>>>> It doesn't say anything about CHAP. I'm pretty sure it also doesn't
>>>> change the password encryption method from AES to Triple-DES as well.
>>>> It's not likely to document everything it *doesn't* do, just what it
>>>> *does* do.
>>>
>>> So even with this line, people can *still* authenticate by password.
>>
>> Not to the best of my knowledge.
>
> I'm fairly sure I tested it, and discovered that I needed to turn off
> multiple things to stop it accepting my password as a valid login. But
> since that was then and this is now, I guess I might be incorrect.
>
Did you at least refresh (aka reload) sshd when updating the configuration?
Updating the configuration is not enough, the daemon must be flushed to
reload it.
SSH password authentication is just delegating the password to the OS
system... (bad! IMNSHO)
>>>>> I thought the host key is how the server identifies itself to you, not
>>>>> how you identify yourself to the server?
>>>>
>>>> Host keys aren't very commonly used AFAIK.
>>>
>>> All three of the SFTP systems we use commercially have them.
>>
>> A sample size of 3 isn't exactly data supporting "commonly used".
>
> It's infinity times larger than a sample size of zero. ;-)
Host keys are kind of mandatory for servers. Unless you want to use ssh
without encryption at all.
>
> Then again, one of these systems is set up to use PK authentication, and
> the server administrators emailed /us/ with the private key to use to
> get access. *facepalm*
>
> Imagine it: Going to all the trouble of setting up a secure system, and
> not even knowing how to secure it properly...
>
That's the issue with wrong administrators: they assume people do not
have their own public key, and generate a pair for them... they need a
clue (and some users too!).
From my bad memory, there are at least 5 kinds of attacks that must be
covered. If you cannot understand them all, you're out of the trusted.
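A check for the sshd configuration point made above (switching off one keyword is not enough, and sshd only honours the first value it reads for a keyword), as an added example that is not part of the original thread. The keyword names are OpenSSH's own; the script and its constructed sample file are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: check whether an sshd_config really
# closes every password-based login path (the "multiple things" mentioned above).
# Two OpenSSH rules matter: the FIRST value seen for a keyword wins, and
# keyboard-interactive (PAM) can still prompt for a password when only
# PasswordAuthentication is off. Match blocks are skipped; on a live host,
# `sshd -T` prints the effective values and a reload makes edits take effect.

# First effective value of a keyword (alternatives separated by |), or the
# given default when it never appears before the first Match block.
sshd_effective() {                       # $1 file, $2 keyword(s), $3 default
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        NF == 0 || $1 ~ /^#/ { next }    # blank lines and comments
        { gsub(/=/, " ") }               # allow "Keyword=value" spelling
        tolower($1) == "match" { exit }  # stop at first Match block
        tolower($1) ~ "^(" key ")$" { print tolower($2); found = 1; exit }
        END { if (!found) print tolower(def) }
    ' "$1"
}

# Returns 0 when every password path is off, 1 otherwise (lists the culprits
# on stderr). Defaults mirror OpenSSH: both keywords default to yes, and
# ChallengeResponseAuthentication is the older name for KbdInteractive.
sshd_password_paths_closed() {           # $1 file
    bad=""
    for pair in \
        "PasswordAuthentication:yes" \
        "KbdInteractiveAuthentication|ChallengeResponseAuthentication:yes"; do
        key=${pair%%:*}; def=${pair#*:}
        val=$(sshd_effective "$1" "$key" "$def")
        [ "$val" = "no" ] || bad="$bad ${key%%|*}=$val"
    done
    [ -z "$bad" ] && return 0
    echo "password login still possible via:$bad" >&2
    return 1
}

# Constructed sample: the common half-hardened file. PasswordAuthentication is
# off, but PAM keyboard-interactive is still on, so a password still works.
sample=$(mktemp)
printf '%s\n' 'Port 22' 'PasswordAuthentication no' 'UsePAM yes' > "$sample"
sshd_password_paths_closed "$sample" || true
rm -f "$sample"
```

Run it against a copy of the file you are about to deploy; the function only parses text, so it never touches the running daemon.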