Re: HEAD's UP: possible 0day SSH exploit in the wild
Peter Jordan <firstname.lastname@example.org> writes:
> Russ Allbery, Fri Jul 10 2009 00:56:57 GMT+0200 (CEST):
>> Not without applying custom patches that are rather a hack. You can,
>> however, do PKINIT, which lets you use smart cards that can do X.509
>> authentication (some of which are quite inexpensive these days).
>> We're evaluating the DESfire cards for our purposes.
> hmmm, that does not solve the problem, when i have to login from a
> insecure computer (ie Internet cafe) . I know, you have not connect to
> your network from insecure computers, but sometimes you have not the
Yeah, you're right -- that's a very hard one. Even ssh public key isn't
horribly attractive in that situation. You're basically betting that
whoever has hacked that cafe system has only installed a keyboard logger
and hasn't bothered to do something that would let them grab your ssh
private key as well.
But yes, you don't want to get Kerberos tickets on an insecure system.
As portable systems (handhelds, laptops, etc.) and ubiquitous wireless
becomes more common, hopefully there will be less need to use computers
that you don't physically control.
Russ Allbery (email@example.com) <http://www.eyrie.org/~eagle/>