Is SSH safer or more vulnerable with password auth?
I've been having a fight with the university IT people about SSH being unsafe because of the possibility of a brute-force password attack. Of course (as I explain to them) there are myriad ways to thwart this, some of which I had already taken before the fight began (only allowing a short time to connect successfully, for example). (Although I haven't been able to figure out if SSH can simply decide to refuse a connection after a certain number of failed passwords, but that's another issue.) On the other hand, I have seen a few sites in my SSH googling that hint that RSA key authentication is less secure than password authentication.
So, my question I would like to submit for discussion is this: Is a passwordless RSA key authentication more or less secure than password authentication, and why? Or, if you would rather, under what circumstances are each method more vulnerable?
I think it really depends on the attack vector you are looking at.
Assuming the two are mutually exclusive for the sake of this discussion (either key-based auth with password login disabled, or password login with key-based auth disabled). A password-less ssh key is likely more vulnerable to an endpoint exploit -- if an attacker has your ssh key without a password, he has access. Password-over-ssh is likely more vulnerable to a server-side exploit -- it opens the password-guessing vector, and if you aren't paying attention to the 'fingerprint doesn't match' message and someone hijacks your DNS, you could attempt to log in to a compromised system, thus giving away your password. Key-based auth would fail if they did not have your public key on the compromised server (you would still see the fingerprint difference message, though).
You can do things to increase the security of the above vectors, from using a passphrase on your ssh key and using ssh-agent (so you only have to auth once per session; it simply 'unlocks' your key and doesn't leave it lying around open), to using something like knockd or fail2ban on the server side.
Personally, I use a passphrase-protected ssh key (along with ssh-agent), and disable interactive (password) authentication on my boxes any time they are exposed to a public network (along with adding root to the DenyUsers ssh list).
Last edited by cactus (2009-07-08 01:52:11)
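As an added example, not code from the thread or from any of its posters: a small POSIX shell script that checks an sshd_config for the choices cactus describes (password authentication disabled, root kept out via DenyUsers) together with two sshd keywords that bound the per-connection guessing the original question worries about, MaxAuthTries (attempts per connection, default 6) and LoginGraceTime (seconds allowed to authenticate, default 120), and then counts "Failed password" lines per source address, which is the signal a fail2ban jail keys on. The config fragments and log lines are constructed for the example; the thresholds of 3 tries and 30 seconds are this example's own assumptions, not figures from the post.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an sshd_config for the
# hardening choices discussed above and count failed-password attempts per
# source the way a fail2ban-style rule would. All inputs are constructed.

# Print the effective value of keyword $2 in sshd_config $1. sshd honours the
# first occurrence of a keyword, keywords are case-insensitive, comments are
# ignored, and the value may be several words (e.g. a DenyUsers list).
sshd_config_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Print one line per weak setting found in sshd_config $1 (nothing when clean).
# Thresholds of 3 tries and 30 s are this example's assumptions; sshd's own
# defaults are 6 and 120. Plain-second LoginGraceTime values are assumed.
audit_sshd_config() {
    conf="$1"
    if [ "$(sshd_config_value "$conf" PasswordAuthentication)" != "no" ]; then
        echo "PasswordAuthentication: not 'no', so remote password guessing is possible"
    fi
    root_login=$(sshd_config_value "$conf" PermitRootLogin)
    deny=$(sshd_config_value "$conf" DenyUsers)
    case " $deny " in
        *" root "*) ;;   # root is listed in DenyUsers, as in the answer above
        *) [ "$root_login" = "no" ] ||
               echo "PermitRootLogin: root may log in and is not in DenyUsers" ;;
    esac
    tries=$(sshd_config_value "$conf" MaxAuthTries); tries=${tries:-6}
    [ "$tries" -le 3 ] ||
        echo "MaxAuthTries: $tries attempts per connection; 3 or fewer limits guessing"
    grace=$(sshd_config_value "$conf" LoginGraceTime); grace=${grace:-120}
    [ "$grace" -le 30 ] ||
        echo "LoginGraceTime: $grace s to authenticate; 30 s or less is tighter"
}

# Print "count source" for each source address with at least $2 lines of
# "Failed password" in auth log $1, busiest first. Successful logins such as
# "Accepted publickey" are not counted.
failed_password_sources() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { hits[$(i + 1)]++; break }
        }
        END { for (src in hits) if (hits[src] >= min) print hits[src], src }
    ' "$1" | sort -rn
}

WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp); AUTH_LOG=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF" "$AUTH_LOG"' EXIT

# Constructed sshd_config with the settings the thread warns about.
cat > "$WEAK_CONF" <<'EOF'
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin yes
MaxAuthTries 6
LoginGraceTime 120
EOF

# Constructed hardened counterpart: keys only, root denied, tight limits.
cat > "$HARD_CONF" <<'EOF'
Port 22
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
DenyUsers root
MaxAuthTries 3
LoginGraceTime 30
EOF

# Constructed auth log lines; addresses are from documentation ranges.
cat > "$AUTH_LOG" <<'EOF'
Jul  8 01:40:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Jul  8 01:40:03 host sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2
Jul  8 01:40:05 host sshd[1205]: Failed password for root from 198.51.100.7 port 51024 ssh2
Jul  8 01:40:06 host sshd[1207]: Failed password for root from 198.51.100.7 port 51025 ssh2
Jul  8 01:40:07 host sshd[1209]: Failed password for root from 198.51.100.7 port 51026 ssh2
Jul  8 01:41:10 host sshd[1250]: Failed password for alice from 203.0.113.9 port 40000 ssh2
Jul  8 01:41:30 host sshd[1252]: Accepted publickey for alice from 203.0.113.9 port 40001 ssh2
EOF

echo "== weak config =="; audit_sshd_config "$WEAK_CONF"
echo "== hardened config =="; audit_sshd_config "$HARD_CONF"
echo "== sources with 3+ failed passwords =="; failed_password_sources "$AUTH_LOG" 3
```

MaxAuthTries only caps guesses within one TCP connection; a client can reconnect and start over, so a persistent block after repeated failures is what the fail2ban-style count at the end provides, and it only has anything to match on while password authentication is still enabled.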
Similar Messages
-
I have Norton Internet Security.
When I downloaded the new FF4 they said that a part of Norton wasn't compatible - and it seems that that part must have been my Identity Safe which holds all my password info & fills in all of my passwords for me.
You say this new version of FF automatically prompts me to have it save this info for me, but I sure didn't see that prompt and now every time I visit my online banking (and credit card site, etc, etc,) I have had to type in all this info myself.
This certainly is not convenient!
It's bad enough I just get used to one system and you all go & reinvent the wheel -BANG!
Hasn't anyone ever heard of baby steps?
Hmmm, Norton extensions are broken again in Firefox 4.0.1. It seems that Norton didn't allow for Firefox 4.0 security updates when they updated their Firefox extension for Firefox 4.0. Norton says they'll have a fix in two weeks. A Norton user posted a fix in this forum thread.
http://community.norton.com/t5/Norton-Internet-Security-Norton/Norton-Toolbar-not-compatible-with-FF-4-0-1/td-p/442788 -
Vulnerability with ssh in OpenSSH in an RHEL installation
There was a security analysis run on one server which has RHEL 5.8 installed and it is showing security vulnerabilities with respect to ssh in OpenSSH with reference no CVE-2007-4752. The vulnerability solution in the security report is showing solution as below:
Download and apply the upgrade from: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH
I went to this site but it is showing lots of files on this site and it is not clear which patch/file to execute.
I hope my query is clear as to how to take care of this vulnerability with ssh in OpenSSH in an RHEL installation.
Please revert with the reply to my query.
Regards
975148 wrote:
Request people in this forum to please revert.
Regards
You posted that second comment a mere three hours after starting this thread.
Your urgency is irrelevant. This is a Community discussion forum. People are NOT just sitting around waiting for you to ask questions. At all times, half the globe is asleep when you post.
Next,
You once again posted your question to other online discussion forums and failed to have the courtesy to mention the fact to anyone.
http://www.unix.com/red-hat/236667-vulnerability-ssh-openssh-rhel-installation.html
You've been cautioned about that habit before.
You have your answer in that other forum site.
This thread is locked. -
Sftp batch job with password?
Hi folks.
We're trying to develop scripts to automate the transfer of files from various Windows machines to a Linux server. Because the job involves moving multiple files to multiple directories, I wanted to use sftp's -B batchfile option to transfer the files instead of having to reauthenticate every time we transfer files to a different location. However, the man page says:
Batch mode. Reads commands from a file instead of standard input. Since this mode is intended for scripts, SFTP2 will not try to interact with the user, which means that only passwordless authentication methods will work.
I would love to use keys to get this done but unfortunately, the type of authentication on the server is out of our control and not likely to change (it's straight password). So, is there any way I can do this in batch mode with password authentication? I thought about using scp but, as far as I can tell, it doesn't have great support for delivering multiple local files (in different locations) to multiple remote locations. One would have to re-authenticate for every scp command, right?
Any help would be appreciated. Thanks.
Thanks for the recommendation, Endperform, but after reading up on expect and autoexpect, I realized I'd rather not have usernames and passwords hard-coded into the script.
After much research, I think I've found a solution. It's a little odd but the Maverick Ant library does exactly what I need it to do. It can actually read an ssh profile, perform multiple transfers without having to re-authenticate and execute multiple remote commands without having to reauthenticate. The native Ant libraries can't do this. There is no sftp Ant task and the scp and sshexec tasks are lacking to say the least.
If anyone else runs into a similar situation, I highly recommend the Maverick tool. -
Cannot login with password containing non-ascii characters
Hello,
I have web application, form based login. UTF-8 is specified "everywhere".
And it works, except for passwords.
If a user registers with a password containing non-ASCII characters, it is correctly written to the database, but when doing either programmatic login or normal form-based login, it fails.
If the password is only ASCII, it works.
The username of the login can be ASCII or non-ASCII, it doesn't matter, both work.
I'm using sun java application server 9.1.
jdbc realm.
I'm not using hashing passwords, just clean (now)
I tried configure realm Charset: UTF8 as last chance, but it doesn't work either.
The problem is only with non-ascii characters in password.
Any help very appreciated
Thanks a lot
Hi,
I know all that, but that's not the case. My app uses preparedStatements, everything is properly configured, in all pages, utf-8 is going from user to db and back without any problems.
The only problem is with password field. As I am using form based login, with jdbc realm configured (again, nicely working when only ascii characters), I have very little chance to do something bad through the login phase.
I'm not talking about special characters, I'm talking about non-ASCII characters, let's say Chinese, Arabic, the Russian alphabet, etc.
When user registers (my code), the fields are properly written to db. I have checked that, trust me.
But the Sun app server realm seems to have some problems with the password field.
(realm uses jdbc connection to mysql, the url contains all extra parameters to be sure about utf8. there is nothing more what can be configured...)
If I try other alphabet codes in login and ascii in password, it works. But soon, as I use other alphabet code also in password, it doesn't work anymore.
My only idea is, that I could try MD5 to create ascii only characters (I hope it works that way) on the client with javascript and then set Digest to MD5 in realm configuration. But still, it seems very strange. The clear way storage should also function? (now set Digest to 'none')
Is it a bug of Sun App Server?
thanks -
Encrypt sensitive with password and calling sub pkgs
Hi, we run 2012 Enterprise and are introducing a DB2 connection that "allows saving password".
We run from the file system (not the catalog) and face a challenge.
The default prot level on the SUB PACKAGE that has the db2 connection (only such connection right now) prevents our prod credentials from making the connection because its a different user than the one that created the sub pkg.
Encrypt sensitive with password seems a more strategic alternative, but I don't know if the param (I think it's called "decrypt") on the dtexec command line that allows passing a password at run time applies to just the parent pkg or to all subs also.
I don't want to delay validation. I wouldn't even mind changing the XML connection string (by entering the pswd in whatever syntax is necessary) using Notepad, but don't know what issues that will cause.
I wouldn't mind having someone log on and "re"-save the pkg using the credentials of our prod userid and choosing the default prot level instead.
I also wonder: if none of the other pkgs (including master) have any sensitive data, can their prot level defaults be left alone?
Can the community comment?
If you are having sensitive info (passwords for conn strings etc.) in your packages, the best way is to change the protection level to "encrypt sensitive with password" and then provide the password.
When we schedule a job or exec the parent package, the child packages are called automatically.
Thanks, hsbal -
Am I able to transfer text msgs from phone to computer and stop other people accessing them? I have Windows XP and a Nokia 6230i with PC software. I know how to save Word docs etc. with passwords, but I'm not sure how Nokia PC Suite stores the info. How do I save the info with a password? I understood that the backup facility was the way to transfer the text and photos, but this didn't give me the option of saving securely with a password. It has taken me ages to delete any trace so that I can start again. Many have access to this PC so I don't want others viewing my text or photos. I want to be able to save all text and photos to the PC and delete them from my phone..... please help... PS: not that computer literate so please keep it simple, thank you
I have exactly the same problem.
I did think about writing a viewer, just to read each sms file and extract the relevant data. But because my programming skills are so weak it would take me like a month to do it.
Anyone at Nokia with more skills than me got a spare hour to write a viewer? -
About UNZIP with password, is there any non-free tool can get it done? Than
I am trying to use Java on our web application to unzip some ZIP files; however, those ZIPs have a password on them. Although I know what the password is, I cannot make the program unzip for me, since we all know that Java's built-in unzip engine does not support passwords.
My question is: If I like to pay for whatever the solution is, is there one JAVA version that support unzip with password? If not, is there any other way to solve this?
Thank you very much
Hi,
Please check if this happens in [https://support.mozilla.com/en-US/kb/Safe%20Mode Safe Mode] after enabling only the PDF plugin in '''Tools''' ('''Alt''' + '''T''') > '''Add-ons''' > '''Plugins'''. You can also '''Disable''' the PDF plugin and try an alternative, for eg. [https://addons.mozilla.org/en-US/firefox/addon/pdfjs/?src=cb-dl-created pdf.js]. Please also go through the add-on reviews, ratings, help and FAQ.
[http://kb.mozillazine.org/Problematic_extensions Problematic Extensions]
[https://support.mozilla.com/en-US/kb/Troubleshooting%20extensions%20and%20themes Troubleshooting Extensions and Themes]
[http://support.mozilla.com/en-US/kb/Uninstalling+add-ons Uninstalling Add-ons]
[http://kb.mozillazine.org/Uninstalling_toolbars Uninstalling Toolbars]
[http://support.mozilla.com/en-US/kb/Cannot%20uninstall%20an%20add-on Cannot Uninstall Add-on]
[https://support.mozilla.com/en-US/kb/Troubleshooting%20plugins Troubleshooting Plugins]
[http://kb.mozillazine.org/Testing_plugins Testing Plugins] -
Troubles with passwords after upgrade
Hi, we upgraded the system from 4.6 to ECC 6.0 and now some of our users have problems with passwords (login).
We suspect that more users have the same password. Is it possible that in the new version users need to have different passwords?
Thanks and BR
Saso
Note: SAP ECC 6.0 password is Case Sensitive.
Regards
Vinayak -
Opening docs with password crashes adobe reader
I have Adobe Reader 9 installed on my Win-XP machine. It used to work fine till I installed our product that makes use of some
Bsafe libraries. Now whenever I open a doc with a password it crashes Adobe Reader. Did anyone face a similar issue? Any workaround?
Pat:
Thank you again. I saved the file to my Desktop and when I opened Adobe Reader the file opened.
This will help with much more than Adobe. I owe you.
Thanks,
Bernie. -
Password reset problem with Password sync and Waveset exception
Hi,
We are using IdM 5 SP 5 with password sync installed on ad.
Once a user tries to change the password by using Ctrl-Alt-Del, password sync intercepts the request and then invokes an IdM change user password form, but in the log we see the following exceptions. Can anyone identify the nature/reason of the exceptions?
[#|2005-08-17T16:22:14.914-0400|INFO|sun-appserver-ee8.1|javax.enterprise.system.stream.out|_ThreadID=24;|
WavesetException: Constructor threw an exception.
==> java.lang.reflect.InvocationTargetException:
==> Missing required argument "operator". |#]
[#|2005-08-17T16:22:14.917-0400|WARNING|sun-appserver-ee8.1|javax.enterprise.system.stream.err|_ThreadID=24;|com.waveset.util.WavesetException: Constructor threw an exception.
==> java.lang.reflect.InvocationTargetException:
==> Missing required argument "operator".
at com.waveset.util.WavesetException.checkBreakpoint(WavesetException.java:366)
at com.waveset.util.WavesetException.<init>(WavesetException.java:159)
at com.waveset.util.Reflection.throwInstantiation(Reflection.java:266)
at com.waveset.util.Reflection.instantiate(Reflection.java:350)
at com.waveset.expression.ExNew.eval(ExNew.java:144)
at com.waveset.expression.ExNode.evalToObject(ExNode.java:439)
at com.waveset.expression.ExFunction$f_list.eval(ExFunction.java:2557)
at com.waveset.expression.ExNode.evalToObject(ExNode.java:439)
at com.waveset.object.Property.getValue(Property.java:232)
at com.waveset.object.AbstractViewHandler.getFormOptions(AbstractViewHandler.java:166)
at com.waveset.view.ChangeUserPasswordViewer.refreshView(ChangeUserPasswordViewer.java:168)
at com.waveset.view.PasswordViewer.checkinView(PasswordViewer.java:258)
at com.waveset.server.ViewMaster.checkinView(ViewMaster.java:629)
at com.waveset.session.LocalSession.checkinView(LocalSession.java:660)
at com.waveset.rpc.GenericMessageHandler.doCheckin(GenericMessageHandler.java:1491)
at com.waveset.rpc.GenericMessageHandler.syncUserPassword(GenericMessageHandler.java:2639)
at sun.reflect.GeneratedMethodAccessor177.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at com.waveset.rpc.GenericMessageHandler.request(GenericMessageHandler.java:350)
at com.waveset.rpc.SimpleRpcHandler.doRequest(SimpleRpcHandler.java:164)
at com.waveset.rpc.SimpleRpcHandler.doRequest(SimpleRpcHandler.java:128)
at org.openspml.server.SOAPRouter.doPost(SOAPRouter.java:500)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:767)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:860)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:264)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:178)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:263)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:225)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:173)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:933)
at com.sun.enterprise.web.connector.httpservice.HttpServiceProcessor.process(HttpServiceProcessor.java:221)
at com.sun.enterprise.web.HttpServiceWebContainer.service(HttpServiceWebContainer.java:2072)
Wrapped exception:
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
at com.waveset.util.Reflection.instantiate(Reflection.java:334)
at com.waveset.expression.ExNew.eval(ExNew.java:144)
at com.waveset.expression.ExNode.evalToObject(ExNode.java:439)
at com.waveset.expression.ExFunction$f_list.eval(ExFunction.java:2557)
at com.waveset.expression.ExNode.evalToObject(ExNode.java:439)
at com.waveset.object.Property.getValue(Property.java:232)
at com.waveset.object.AbstractViewHandler.getFormOptions(AbstractViewHandler.java:166)
at com.waveset.view.ChangeUserPasswordViewer.refreshView(ChangeUserPasswordViewer.java:168)
at com.waveset.view.PasswordViewer.checkinView(PasswordViewer.java:258)
at com.waveset.server.ViewMaster.checkinView(ViewMaster.java:629)
at com.waveset.session.LocalSession.checkinView(LocalSession.java:660)
at com.waveset.rpc.GenericMessageHandler.doCheckin(GenericMessageHandler.java:1491)
at com.waveset.rpc.GenericMessageHandler.syncUserPassword(GenericMessageHandler.java:2639)
at sun.reflect.GeneratedMethodAccessor177.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at com.waveset.rpc.GenericMessageHandler.request(GenericMessageHandler.java:350)
at com.waveset.rpc.SimpleRpcHandler.doRequest(SimpleRpcHandler.java:164)
at com.waveset.rpc.SimpleRpcHandler.doRequest(SimpleRpcHandler.java:128)
at org.openspml.server.SOAPRouter.doPost(SOAPRouter.java:500)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:767)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:860)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:264)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:178)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:263)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:225)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:173)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:933)
at com.sun.enterprise.web.connector.httpservice.HttpServiceProcessor.process(HttpServiceProcessor.java:221)
at com.sun.enterprise.web.HttpServiceWebContainer.service(HttpServiceWebContainer.java:2072)
Caused by: java.lang.IllegalArgumentException: Missing required argument "operator".
at com.waveset.object.AttributeCondition.confirmMembers(AttributeCondition.java:436)
at com.waveset.object.AttributeCondition.<init>(AttributeCondition.java:370)
at com.waveset.object.AttributeCondition.<init>(AttributeCondition.java:408)
... 38 more
|#]
[#|2005-08-17T16:22:14.918-0400|INFO|sun-appserver-ee8.1|javax.enterprise.system.stream.out|_ThreadID=24;|
XPRESS <new> exception:|#]
[#|2005-08-17T16:22:14.918-0400|INFO|sun-appserver-ee8.1|javax.enterprise.system.stream.out|_ThreadID=24;|
com.waveset.util.WavesetException: Constructor threw an exception.
==> java.lang.reflect.InvocationTargetException:
==> Missing required argument "operator". |#]
Thanks,
David
If this is a reproducible problem, log a support case with the traces and have them figure it out for you.
WilfredS -
Hello.
I use IPP Printing with Password.
When I set up an IPP printer, I must input my domain account password.
The password is recorded in the printer port setting.
When I print with the IPP printer, I do not need to input my domain password.
But when I change the domain password, my printer port password is not changed!
Is there a way that, after I change the domain password, a pop-up asks for the new password when I am IPP printing?
Or, is there a way to enter a password on every IPP print?
Regards.
Hi,
It should have something to do with authentication setting on printer server.
To get more effective help, please redirect to Windows server forum:
http://social.technet.microsoft.com/Forums/en-US/home?forum=winserverprint&filter=alltypes&sort=lastpostdesc
Thanks!
Andy Altmann
TechNet Community Support -
More Administration with Airport Extreme?
I recently purchased an Airport Extreme and I was wondering if there was any way to be more administrative with it? I don't mind using 3rd party software.
I'd like to be able to remove others from my network without having to change the network password.
I'd like to be able to limit the time span for usage on the network for certain users. (Only able to use the network between certain times)
I'm not an expert when it comes to networking, but if any of this is possible, I'd appreciate some feedback.
Thank you!
The Timed Access settings in AirPort Utility will allow you to control "who" connects to your network and "when" they can connect.
AirPort Utility >Click AirPort icon > Edit > Network tab > Enable Timed Access
For more information, click the Help menu at the top of the screen
Click AirPort Utility Help
Click Setting up a WiFi network,
Click Control when a user can access your network, and also
Click Control access to your wireless network. -
I've blocked my iPhone 5 with a password, and now it says that it is not the correct one. How can I unlock it? Or restore it?
Hi there itiago,
I would recommend that you take a look at the article below for more information on forgotten passcodes in iOS.
iOS: Forgotten passcode or device disabled after entering wrong passcode
http://support.apple.com/kb/HT1212
Hope that helps,
Griff W. -
RSS Feed with Password Protected Blog
I just got done setting up a password protected blog on my .mac site w/ personal domain. I tested out the RSS Feed in NewsFire, and it worked fine (prompted for username and password), and it also works in the Mail program. I had a friend ask if it would work in her Google Reader, so I tried it out using my Google account, and it doesn't seem to want to work -- says the feed cannot be retrieved. Same thing when I tried to plug it into my Yahoo page. I set up another site with a test blog w/ no password protection, and it worked fine in the Google reader.
So I am assuming that the other readers are just not sophisticated enough to display feed from a password protected page. So my question is whether or not there's anything I can do (or advise them to do) to get around it.
TIA for any perspective.
Hi, JO
I'm having the same problem with password protection on, though I hadn't tested with it off.
I don't have a solution (though I'd like to find one), but I can add more info to the problem: when I tested my website on Internet Explorer in Windows (I run windows on my iMac with Parallels), the search function did work with the password protection on.
I'd really like to know how to get the Search button to work on the Mac with password protection on.
NE