Re: HEAD's UP: possible 0day SSH exploit in the wild

To: debian-security@lists.debian.org
Subject: Re: HEAD's UP: possible 0day SSH exploit in the wild
From: "Sebastian Posner" <sposner@gmx.de>
Date: Thu, 09 Jul 2009 00:58:03 +0200
Message-id: <[🔎] 20090708225803.322190@gmx.net>
In-reply-to: <[🔎] 12aada82-6c08-11de-9b6a-001cc0cda50c@msgid.mathom.us>
References: <[🔎] 4A53B1CF.509@abi007.info> <[🔎] f9971d420907071415m306cb47bhad3619ee288b20e4@mail.gmail.com> <[🔎] a701f7720907071420q43aaf21er63e3d405a184c1fa@mail.gmail.com> <[🔎] f9971d420907080736w4c2d31bbh441825661979d2b6@mail.gmail.com> <[🔎] 20090708143825.GF2565@gamma.logic.tuwien.ac.at> <[🔎] f9971d420907080811ob5aa5a2i68f611f65aaf8b1f@mail.gmail.com> <[🔎] 5344ee8d0907080814x1a155b54n8298267c13b5b86d@mail.gmail.com> <[🔎] 235a4bf70907080933i33b77b67t4f72e489313e26a1@mail.gmail.com> <[🔎] f971bab40907080937v33884e78nce8291d34140f3de@mail.gmail.com> <[🔎] 20090708211843.322170@gmx.net> <[🔎] 12aada82-6c08-11de-9b6a-001cc0cda50c@msgid.mathom.us>

Michael Stone wrote:

[A way to enforce non-empty passwd on ssh-keys]

> You can't, which is why it is useful to have both passwords and keys 
> simultaneously--you can enforce a policy on a password.

To cite Noah Meyerhans from his recent mail - my users would shoot me if I ever tried such a thing.
Sadly, I'm not their bossbut they are more or less my customers, so putting a security policy in place requiring the previously stated mechanism would be more like starting a war than a small skirmish.

Sebastian
-- 
baboo
-- 
Neu: GMX Doppel-FLAT mit Internet-Flatrate + Telefon-Flatrate
für nur 19,99 Euro/mtl.!* http://portal.gmx.net/de/go/dsl02

Reply to:

References:
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Justus <justus@abi007.info>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Leandro Minatel <leandrominatel@gmail.com>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Jeroen van Drongelen <jeroen@naturewebdesign.eu>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Leandro Minatel <leandrominatel@gmail.com>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Norbert Preining <preining@logic.at>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Leandro Minatel <leandrominatel@gmail.com>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Rafael Moraes <rafael@bsd.com.br>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Roger Bumgarner <roger.bumgarner@gmail.com>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Jim Popovitch <jimpop@gmail.com>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: "Sebastian Posner" <sposner@gmx.de>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Michael Stone <mstone@debian.org>

Prev by Date: Re: HEAD's UP: possible 0day SSH exploit in the wild
Next by Date: bastille in lenny
Previous by thread: Re: HEAD's UP: possible 0day SSH exploit in the wild
Next by thread: Re: HEAD's UP: possible 0day SSH exploit in the wild
Index(es):
- Date
- Thread