Thread: SSH Vulnerability
-
07-24-2001, 04:49 PM #1 Web Hosting Master
- Join Date
- Oct 2000
- Posts
- 1,769
SSH Vulnerability
http://www.theregister.co.uk/content/55/20594.html
Wow... That's not good for most of us here...
Some of the systems that include default two-character passwords (and thus might be vulnerable if the affected software is used) are Red Hat Linux 6.1 through 7.1, Solaris 2.6 through 2.8, HP-UX 10.20, HP-UX 11.00, Caldera Linux 2.4, and SuSE Linux 6.4 through 7.0. Solaris systems are particularly vulnerable to the exploit, which would be trivial for hackers to pull off on Sun servers running the affected software.
-
07-24-2001, 04:53 PM #2 CannaBusiness Marketing Ninja
- Join Date
- Jun 2001
- Posts
- 623
Figures.
Because of weak password authentication to the SSHD2 daemon it's been discovered that accounts with password fields consisting of two or fewer characters can be compromised using any password, including an empty password.
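Added example, not part of the original thread: a Python audit for the condition in the advisory text quoted above, listing accounts whose password field is two or fewer characters. It assumes the colon-separated shadow(5) layout with the password field second; the sample lines and hash strings are constructed.

```python
"""Audit shadow-format lines for password fields of two or fewer characters."""
import sys

MAX_SHORT_FIELD = 2  # "two or fewer characters", per the advisory text quoted above

# Constructed sample in shadow(5) layout: name:password-field:aging fields...
SAMPLE_SHADOW = """\
root:$1$Xy3kQz9a$constructedhashvalue000000:11500:0:99999:7:::
bin:*:11500:0:99999:7:::
lp:NP:6445::::::
ftp:!!:11500:0:99999:7:::
# comment line
alice:$1$abcdefgh$constructedhashvalue111111:11500:0:99999:7:::
malformed-line-without-fields
guest::11500:0:99999:7:::
"""


def short_field_accounts(text, limit=MAX_SHORT_FIELD):
    """Return (line number, account, field) for each field of <= limit chars."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue  # not a name:field record, nothing to check
        name, field = parts[0], parts[1]
        # Short fields are usually lock markers such as "*", "!!" or "NP",
        # not real hashes; an empty field (length 0) is reported as well.
        if len(field) <= limit:
            findings.append((lineno, name, field))
    return findings


def main(argv):
    """Audit the file named in argv[1], or the constructed sample if absent."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SHADOW
    findings = short_field_accounts(text)
    for lineno, name, field in findings:
        print(f"line {lineno}: account {name!r} has password field {field!r}")
    return 1 if findings else 0  # non-zero exit lets cron or CI flag the host


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Reading the real shadow file needs root; the script only reads it and prints nothing for accounts with longer fields.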
-
07-24-2001, 04:57 PM #3 Disabled
- Join Date
- Mar 2001
- Location
- Canada
- Posts
- 489
woohoo
Systems using OpenSSH are not affected by the issue.
thank god
-
07-24-2001, 05:17 PM #4 Web Hosting Evangelist
- Join Date
- Sep 2000
- Posts
- 514
Why in the world would anyone make a password that short anyway? You might as well not even have one if that's the case.
-
07-24-2001, 05:21 PM #5 CannaBusiness Marketing Ninja
- Join Date
- Jun 2001
- Posts
- 623
Why in the world would anyone make a password that short anyway? You might as well not even have one if that's the case.
Most people are going to make their password whatever their dog's name is...so if their dog is named 'bob', then that's the password, no matter what.
-
07-24-2001, 05:24 PM #6 Web Hosting Master
- Join Date
- Apr 2001
- Location
- Boca Raton, FL
- Posts
- 657
Originally posted by JeremyL
Why in the world would anyone make a password that short anyway? You might as well not even have one if that's the case.
-
07-24-2001, 05:32 PM #7 Web Hosting Evangelist
- Join Date
- Sep 2000
- Posts
- 514
Originally posted by Planet Z
You mean one letter passwords are... bad?
-
07-24-2001, 06:49 PM #8 Web Hosting Master
- Join Date
- May 2001
- Location
- California
- Posts
- 801
OpenSSH is better anyways ...
Roy K.
Pixie Internet Services - http://www.pixiehost.com
Affordable, reliable hosting solution with Instant Activation
-
07-25-2001, 03:52 AM #9 Web Hosting Master
- Join Date
- Apr 2001
- Location
- UK - Wales
- Posts
- 2,170
I was actually wondering if this vuln was "TWO Char Passwords" OR "Passwords CONTAINING ONLY TWO Chars"
e.g.:
Let's say my password is: "ab" (without quotes). I presume that's vulnerable
OR
Is it passwords as follows: "abababababab" (without quotes)
or is it something completely different? I mean my password is like over 13 characters, I presume it is in no way vulnerable.
But anybody using only two chars in a password is just looking for trouble.
Can anybody clarify the situation?
-
07-25-2001, 06:55 PM #10 Web Hosting Master
- Join Date
- Apr 2000
- Location
- California
- Posts
- 3,051
Originally posted by xtstrike
I was actually wondering if this vuln was "TWO Char Passwords" OR "Passwords CONTAINING ONLY TWO Chars"
e.g.:
Let's say my password is: "ab" (without quotes). I presume that's vulnerable
OR
Is it passwords as follows: "abababababab" (without quotes)
or is it something completely different? I mean my password is like over 13 characters, I presume it is in no way vulnerable.
But anybody using only two chars in a password is just looking for trouble.
Can anybody clarify the situation?
Any moron that used two or fewer characters for a password, deserves what happens. Besides the point, you could use a brute force password cracker over the Internet, and we're only talking a max of about 2 minutes to gain access to any account that uses a 2 character password anyway -- so why bother to worry about an exploit? That's ridiculous. Also, I don't see or know of too many people that are paying to use SSH 3, when OpenSSH is free and works well.
-
07-26-2001, 01:05 PM #11 Web Hosting Master
- Join Date
- Jul 2001
- Location
- /dev/null
- Posts
- 1,219
Here's another article:
http://www.zdnet.com/zdnn/stories/ne...094560,00.html
-
07-29-2001, 12:58 AM #12 WHT Addict
- Join Date
- Dec 2000
- Posts
- 119
Originally posted by node9
Systems using OpenSSH are not affected by the issue.