VPN question (ssh)

James Knott james.knott-bJEeYj9oJeDQT0dZR+AlfA at public.gmane.org
Sun Dec 21 13:38:00 UTC 2003


Justin Zygmont wrote:
>>On December 20, 2003 07:00 pm, Fraser Campbell wrote:
>>
>>
>>> If you care about your traffic being private at all some encryption just
>>>makes sense ... encryption can be at the app layer (ssh, https, secure
>>>imap, etc.), at the network layer (vpn) or at both the app and network
>>>layer.
>>
>>Also encryption doesn't stop people from being dumb.  For example allowing 
>>password based authentication with sshd leaves a rather weak link in the 
>>chain (depending on users to use good passwords), IOW if you use strong 
>>encryption with weak authentication you might as well not bother.
> 
> 
> but the password is encrypted in transfer right?  Maybe I'm wrong about 
> this, but doesn't ssh use asymmetric encryption initially, then symmetric 
> after the session key is established?

The problem with weak passwords is that they're vulnerable to 
dictionary or social engineering attacks.  For example, if you use your 
kid's name, someone who knows you may try that first.  On the other 
hand, if you were to use a sequence of characters generated by md5sum, 
that password would be resistant to those types of attacks.

One method to reduce the risk of weak passwords is to allow a fixed 
number of wrong passwords before locking the account.  The account can 
be locked for a period of time or until reset by the admin.


--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
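
The lockout rule described in the reply above, as an added example that is not part of the original post: a fixed number of wrong passwords locks the account, either for a period of time or until an admin reset. The `LockoutPolicy` class, the `replay` helper, the thresholds and the log lines are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sshd-style log lines (sample data, not from the original post).
SAMPLE_LOG = """\
Dec 21 13:00:01 host sshd[101]: Failed password for alice from 192.0.2.10 port 4001 ssh2
Dec 21 13:00:05 host sshd[102]: Failed password for alice from 192.0.2.10 port 4002 ssh2
Dec 21 13:00:09 host sshd[103]: Failed password for alice from 192.0.2.10 port 4003 ssh2
Dec 21 13:00:20 host sshd[104]: Accepted password for alice from 192.0.2.10 port 4004 ssh2
Dec 21 13:20:00 host sshd[107]: Accepted password for alice from 192.0.2.10 port 4007 ssh2
"""
LINE_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                     r"(Failed|Accepted) password for (?:invalid user )?(\S+) from ")

class LockoutPolicy:
    """Hypothetical helper: lock an account after max_failures wrong passwords."""
    def __init__(self, max_failures=3, lock_for=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.lock_for = lock_for          # None = stay locked until admin reset
        self.failures, self.locked_at = {}, {}

    def reset(self, user):                # admin reset, also used on timed expiry
        self.failures.pop(user, None)
        self.locked_at.pop(user, None)

    def is_locked(self, user, now):
        since = self.locked_at.get(user)
        if since is None:
            return False
        if self.lock_for is not None and now - since >= self.lock_for:
            self.reset(user)              # timed lock has expired
            return False
        return True

    def attempt(self, user, password_ok, now):
        if self.is_locked(user, now):
            return "locked"               # refused even if the password is right
        if password_ok:
            self.failures.pop(user, None) # success clears the failure count
            return "accepted"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked_at[user] = now
        return "failed"

def replay(log, policy, year=2003):
    """Feed each parsed log line to the policy; return (user, outcome) pairs."""
    out = []
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        now = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        out.append((m.group(3), policy.attempt(m.group(3), m.group(2) == "Accepted", now)))
    return out
```

With the timed lock the correct password at 13:00:20 is refused and the one at 13:20:00 is accepted; with `lock_for=None` the account stays locked until `reset()` is called, which also means repeated wrong guesses can keep a legitimate user out.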




