On Wed, May 14, 2008 at 05:30:18PM -0700, Ben Calvert wrote:
> On May 14, 2008, at 5:22 PM, Darrin Chandler wrote:
>
> > On Thu, May 15, 2008 at 01:45:51AM +0200, raven wrote:
> > >
> > > A decent analysis can be found here... just to understand what a
> > > comment /* */ can do :)
> > > http://blog.drinsama.de/erich/en/linux/2008051401-consequences-of-sslssh-weakness.html
> >
> > Are you sure that's a decent analysis? If you have a non-Debian system
> > with the full number of keys available, what are the chances that you've
> > landed on one of the 32767 keys? Not very likely. So that analysis seems
> > alarmist and sensational to me.
Your users may very well have keys generated on Debian-based systems. I don't
know about you, but I don't want just anyone getting a luser account on my
systems.

> and it only applies if you're using keys _without_passphrase_. on
> your root account.

Umm, no? What does the passphrase have to do with this...

> do people actually allow remote root access? for more than 5 minutes
> after install?

Too many people still use SSH public keys for root in automated scripts.
Besides, cracking your normal user account can result in just as bad
consequences as cracking the root account, especially if you su or sudo to
root...
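The point made in the reply above, that what matters is whether any key in a user's authorized_keys was generated on an affected Debian system (passphrase or not, root or not), is something you can check mechanically on the server side. The following is an added example and is not code from the thread or from any tool mentioned in it: it parses an authorized_keys file (including the optional leading options field), computes each key's fingerprint the way ssh-keygen -l does (a hash over the raw key blob), and flags keys whose fingerprint appears in a blacklist. The two keys, the file contents and the blacklist entry are constructed here for the example; a real audit would load the published fingerprint lists of keys generated with the broken RNG.

```python
"""Audit an authorized_keys file for blacklisted (enumerable) SSH public keys.

Added example, not part of the original thread. All keys, file lines and the
blacklist entry below are constructed; only the blob encoding and its hash
matter for the check, so the tiny RSA moduli are placeholders, not real keys.
"""
import base64
import hashlib
import struct

# --- SSH wire-format helpers (RFC 4253 section 5 string/mpint encoding) ---

def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _mpint(n: int) -> bytes:
    if n == 0:
        return _string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:            # mpint is two's complement: keep it positive
        raw = b"\x00" + raw
    return _string(raw)

def build_rsa_blob(e: int, n: int) -> bytes:
    """ssh-rsa public key blob: string "ssh-rsa", mpint e, mpint n."""
    return _string(b"ssh-rsa") + _mpint(e) + _mpint(n)

def _read_string(buf: bytes, off: int):
    if off + 4 > len(buf):
        raise ValueError("truncated blob")
    (ln,) = struct.unpack(">I", buf[off:off + 4])
    end = off + 4 + ln
    if end > len(buf):
        raise ValueError("truncated blob")
    return buf[off + 4:end], end

def fingerprints(blob: bytes) -> dict:
    """Fingerprints in the forms ssh-keygen -l prints: SHA256 as unpadded
    base64, MD5 as colon-separated hex. Both are hashes of the raw blob."""
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return {"SHA256": "SHA256:" + sha,
            "MD5": "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2))}

# --- authorized_keys parsing ---

KEY_TYPE_PREFIXES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")

def _strip_options(line: str) -> str:
    """An authorized_keys line may start with an options field; it ends at the
    first whitespace outside double quotes (backslash escapes inside quotes)."""
    if line.startswith(KEY_TYPE_PREFIXES):
        return line
    in_quote, i = False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and in_quote:
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c in " \t" and not in_quote:
            break
        i += 1
    return line[i:].lstrip()

def parse_authorized_keys_line(line: str):
    """Return (keytype, blob, comment), or None for blank, comment or
    malformed lines (bad base64, truncated blob, type prefix disagreeing
    with the type embedded in the blob)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = _strip_options(line).split(None, 2)
    if len(parts) < 2:
        return None
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) > 2 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
        embedded, _ = _read_string(blob, 0)
    except (ValueError, struct.error):     # binascii.Error is a ValueError
        return None
    if embedded != keytype.encode():
        return None
    return keytype, blob, comment

def audit(authorized_keys_text: str, blacklist: set) -> list:
    """Return (line_no, keytype, sha256_fingerprint, comment) for every key
    whose SHA256 or MD5 fingerprint is in the blacklist."""
    findings = []
    for lineno, line in enumerate(authorized_keys_text.splitlines(), 1):
        parsed = parse_authorized_keys_line(line)
        if parsed is None:
            continue
        keytype, blob, comment = parsed
        fps = fingerprints(blob)
        if any(fp in blacklist for fp in fps.values()):
            findings.append((lineno, keytype, fps["SHA256"], comment))
    return findings

# --- constructed sample data ---

WEAK_BLOB = build_rsa_blob(65537, 0xC0FFEE_DEADBEEF_FEEDFACE_0BADF00D)  # placeholder modulus
GOOD_BLOB = build_rsa_blob(65537, 0x1234567890ABCDEF_FEDCBA0987654321)  # placeholder modulus

def _b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed ~/.ssh/authorized_keys for the example",
    'command="/usr/bin/rsync --server -a . /backup",no-pty ssh-rsa '
    + _b64(WEAK_BLOB) + " backup@debian-box",
    "ssh-rsa " + _b64(GOOD_BLOB) + " alice@workstation",
    "ssh-rsa not*valid*base64 mangled@host",
])

# Constructed blacklist: in a real audit this set holds the published
# fingerprints of keys generated by the broken RNG.
BLACKLIST = {fingerprints(WEAK_BLOB)["SHA256"]}

def audit_sample() -> list:
    return audit(SAMPLE_AUTHORIZED_KEYS, BLACKLIST)

if __name__ == "__main__":
    for lineno, keytype, fp, comment in audit_sample():
        print(f"line {lineno}: {keytype} {fp} ({comment}) is blacklisted")
```

The check matches on the fingerprint of the public key blob only, so it applies equally to a root key used by a cron job and to a passphrase-protected user key: the passphrase only protects the private key file at rest, while the blacklist describes the key pair itself. The option-field handling matters because forced-command keys used for automation are exactly the ones most likely to have been generated once on a build host and never rotated.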