  1. #1
    Join Date
    Oct 2000
    Posts
    1,769

    SSH Vulnerability

    http://www.theregister.co.uk/content/55/20594.html

    Wow... That's not good for most of us here...

    Some of the systems that include default two-character passwords (and thus might be vulnerable if the affected software is used) are Red Hat Linux 6.1 through 7.1, Solaris 2.6 through 2.8, HP-UX 10.20, HP-UX 11.00, Caldera Linux 2.4, and SuSE Linux 6.4 through 7.0. Solaris systems are particularly vulnerable to the exploit, which would be trivial for hackers to pull off on Sun servers running the affected software.

  2. #2
    Join Date
    Jun 2001
    Posts
    623
    Figures.
    Because of weak password authentication to the SSHD2 daemon it's been discovered that accounts with password fields consisting of two or fewer characters can be compromised using any password, including an empty password.
    Seems to me as long as passwords are 3+ characters, it should be ok then, right?

  3. #3
    Join Date
    Mar 2001
    Location
    Canada
    Posts
    489
    woohoo
    Systems using OpenSSH are not affected by the issue.

    thank god

  4. #4
    Join Date
    Sep 2000
    Posts
    514
    Why in the world would anyone make a password that short anyway? You might as well not even have one if that's the case.

  5. #5
    Join Date
    Jun 2001
    Posts
    623
    Why in the world would anyone make a password that short anyway? You might as well not even have one if that's the case.
    hehe
    Most people are going to make their password whatever their dog's name is...so if their dog is named 'bob', then that's the password, no matter what.

  6. #6
    Join Date
    Apr 2001
    Location
    Boca Raton, FL
    Posts
    657
    Originally posted by JeremyL
    Why in the world would anyone make a password that short anyway? You might as well not even have one if that's the case.
    You mean one letter passwords are... bad?


  7. #7
    Join Date
    Sep 2000
    Posts
    514
    Originally posted by Planet Z


    You mean one letter passwords are... bad?

    Oops, did I give away the secret?

  8. #8
    Join Date
    May 2001
    Location
    California
    Posts
    801
    OpenSSH is better anyways ...
    Roy K.

  9. #9
    Join Date
    Apr 2001
    Location
    UK - Wales
    Posts
    2,170
    I was actually wondering if this vuln was "TWO Char Passwords" OR "Passwords CONTAINING ONLY TWO Chars"

    e.g.:

    Let's say my password is: "ab" (without quotes). I presume that's vulnerable.

    OR

    Is it passwords as follows: "abababababab" (without quotes)

    Or is it something completely different? I mean my password is like over 13 characters, I presume it is in no way vulnerable.

    But anybody using only two chars in a password is just looking for trouble.

    Can anybody clarify the situation?

  10. #10
    Join Date
    Apr 2000
    Location
    California
    Posts
    3,051
    Originally posted by xtstrike
    I was actually wondering if this vuln was "TWO Char Passwords" OR "Passwords CONTAINING ONLY TWO Chars"

    e.g.:

    Let's say my password is: "ab" (without quotes). I presume that's vulnerable.

    OR

    Is it passwords as follows: "abababababab" (without quotes)

    Or is it something completely different? I mean my password is like over 13 characters, I presume it is in no way vulnerable.

    But anybody using only two chars in a password is just looking for trouble.

    Can anybody clarify the situation?
    "it's been discovered that accounts with password fields consisting of two or fewer characters can be compromised using any password, including an empty password."

    Any moron that used two or fewer characters for a password deserves what happens. Besides the point, you could use a brute force password cracker over the Internet, and we're only talking a max of about 2 minutes to gain access to any account that uses a 2 character password anyway -- so why bother to worry about an exploit? That's ridiculous. Also, I don't see or know of too many people that are paying to use SSH 3, when OpenSSH is free and works well.

  11. #11
    Join Date
    Jul 2001
    Location
    /dev/null
    Posts
    1,219

  12. #12
    Join Date
    Dec 2000
    Posts
    119
    Originally posted by node9
    Systems using OpenSSH are not affected by the issue.
    phew! *pantpantwipesweat*
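
An added example, not part of the thread or the linked article: a defender-side audit for the condition quoted in the thread, listing accounts whose password field is two or fewer characters. It assumes the "password field" is the second colon-separated field of a shadow(5)-format file; the function name `audit_shadow` and the sample entries are constructed for illustration.

```python
"""Audit shadow(5)-style entries for password fields of two or fewer characters."""
import sys
from typing import Iterable, List, NamedTuple


class Finding(NamedTuple):
    account: str
    field: str
    reason: str


def audit_shadow(lines: Iterable[str], max_len: int = 2) -> List[Finding]:
    """Return accounts whose password field is max_len characters or shorter."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        parts = line.split(":")
        if len(parts) < 2:
            raise ValueError(f"line {lineno}: not a colon-separated entry")
        account, field = parts[0], parts[1]
        if len(field) > max_len:
            continue  # a full hash, or a locked hash such as "!$1$..."
        reason = "empty field" if field == "" else f"{len(field)}-character field"
        findings.append(Finding(account, field, reason))
    return findings


# Constructed sample entries (assumption: typical placeholder values, no real system).
SAMPLE = """\
root:$1$EXAMPLE$0123456789abcdefghijkl:11500:0:99999:7:::
bin:*:11500:0:99999:7:::
lp:NP:6445::::::
ftp:!!:11500:0:99999:7:::
alice:!$1$EXAMPLE$0123456789abcdefghijkl:11500:0:99999:7:::
guest::11500:0:99999:7:::
"""

if __name__ == "__main__":
    # Pass a path (for example a copy of /etc/shadow), or no argument for the sample.
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE.splitlines()
    for f in audit_shadow(src):
        print(f"{f.account}: password field {f.field!r} ({f.reason})")
```

The check is on the length of the stored field, not the length of the password a user typed, so a 13-character password stored as a full hash is not reported.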
