Web Hosting Talk







View Full Version : New SSH attack weakens passwords


DHWWnet
08-20-2001, 12:13 AM
http://www.securityfocus.com/news/241

SoftWareRevue
08-20-2001, 12:22 AM
Now that's some interesting reading!
Thanks for the post!

DHWWnet
08-20-2001, 12:28 AM
Quick fix - according to them is to type the passwords as fast as you can..

...Song says countermeasures must hide inter-keystroke timings and send dummy packets when the user is typing slowly. When the user is typing more quickly, they can combine the packets of several keystrokes so that attackers cannot read individual keystroke packets and determine the timing of the keys or how many characters are typed...
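
The countermeasure quoted above, as an added example (not part of the thread, the article, or any SSH implementation): a simplified sender model that emits one fixed-size packet per tick, combining fast keystrokes and sending dummies on idle ticks. The function names, the 50 ms tick, the 16-byte pad and the keystroke times are assumptions constructed for illustration.

```python
# Constructed sample: (time in ms, key) for someone typing "s3cret" unevenly.
KEYSTROKES = [(0, "s"), (180, "3"), (210, "c"), (230, "r"), (610, "e"), (700, "t")]

def gaps(times):
    """Inter-packet intervals as an on-path observer would measure them."""
    return [b - a for a, b in zip(times, times[1:])]

def unpaced(keystrokes):
    """One packet per keystroke, sent immediately: timing mirrors the typing."""
    return [(t, key) for t, key in keystrokes]

def paced(keystrokes, tick_ms=50, tail_ticks=3):
    """One packet per tick. Keys typed since the previous tick are combined
    into a single packet; a tick with no keys carries an empty (dummy) payload.
    """
    pending = sorted(keystrokes)
    start, last = pending[0][0], pending[-1][0]
    # Enough ticks to flush the last key, plus a few trailing dummies.
    n_ticks = -(-(last - start) // tick_ms) + 1 + tail_ticks
    packets, i = [], 0
    for n in range(n_ticks):
        now = start + n * tick_ms
        batch = ""
        while i < len(pending) and pending[i][0] <= now:
            batch += pending[i][1]
            i += 1
        packets.append((now, batch))
    return packets

def wire_view(packets, pad_to=None):
    """What the eavesdropper sees: (send time, length), never the payload.
    With pad_to set, every packet is padded to the same length."""
    for _, payload in packets:
        assert pad_to is None or len(payload) <= pad_to, "batch exceeds pad size"
    return [(t, pad_to or len(p)) for t, p in packets]

if __name__ == "__main__":
    raw = wire_view(unpaced(KEYSTROKES))
    hidden = wire_view(paced(KEYSTROKES), pad_to=16)
    print("unpaced gaps:", gaps([t for t, _ in raw]))    # typing rhythm visible
    print("paced gaps:  ", gaps([t for t, _ in hidden]))  # constant
    print("received:    ", "".join(p for _, p in paced(KEYSTROKES)))
```

The total length of the paced burst is still visible to an observer; only the per-keystroke rhythm and the per-packet key count are hidden in this model.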

SoftWareRevue
08-20-2001, 12:49 AM
Originally posted by elijah
Quick fix - according to them is to type the passwords as fast as you can..

That's what I was reading into it. Doesn't seem a large threat. But a threat nonetheless.

Webdude
08-20-2001, 03:36 AM
Well then, I would say having your ssh client log in automatically would solve the problem, right?

Honu
08-20-2001, 04:08 AM
Originally posted by Webdude
Well then, I would say having your ssh client log in automatically would solve the problem, right?

Aloha
I have mine set to log in auto style.

Kinda OT, but what proggy do you use for telnet/ssh?
I am using SecureCRT (VanDyke).

Webdude
08-20-2001, 04:14 AM
That's what I use. I mean, is there anything else?

Palm
08-20-2001, 04:19 AM
Why not paste the password?

That's the fastest it can get.

davidb
08-20-2001, 04:47 AM
I used SecureCRT during the 30 days, then I found PuTTY. Long live PuTTY!

Planet Z
08-20-2001, 07:11 AM
I don't like PuTTY. I personally have used F-Secure for like 4 years.

Mike the newbie
08-20-2001, 07:30 AM
Originally posted by elijah
http://www.securityfocus.com/news/241

A key point (no pun intended ;)) of their crack appears to be the statement, "An eavesdropper can therefore learn the precise inter-stroke timing of users' typing based on the arrival time of the packets." That assumes that the cracker is on the same network segment as the person who is typing the password, otherwise network latencies would vary the inter-packet timing of the packets' arrivals.

So far as I know, there is no one else on my network in my house here. So I'll continue to use ssh knowing my security is OK. I suspect that future versions of ssh will alleviate this problem.


The other ssh breach, described further down the article, is why I've changed my sshd_config to only accept protocol version 2. ssh protocol version 1 had a security hole.