Another reason not to use sudo?

Daniel Stone daniel at fooishbar.org
Mon Nov 22 13:55:28 UTC 2004


On Mon, 2004-11-22 at 13:41 +0000, Ben Edwards wrote:
> On Mon, 22 Nov 2004 08:33:08 -0500, Brett Carrington <brettcar at gmail.com> wrote:
> > > If you ssh into a box, the password of the initial account you log in
> > > as is _not_ encrypted, so you would normally log in as a lesser user and
> > > su when you are in (this I knew but many people do not).
> > This is false. Here is a quote from the ssh manpage:
> > 
> >     If other authentication methods fail, ssh prompts the user for a pass-
> >     word.  The password is sent to the remote host for checking; however,
> >     since all communications are encrypted, the password cannot be seen by
> >     someone listening on the network.
> 
> So ssh NEVER sends any unencrypted data (apart from maybe the host
> and username you are connecting to).
> 
> Interesting - was the original password not being encrypted an issue in
> older versions of ssh?

You could sort of man-in-the-middle SSH1's passwords if you tried really
hard and it was the fourth Friday of the month and your doctor's last
name started with Q, or something.  But not with SSH2.
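An added illustration of what is and is not readable on the wire in SSH-2 (not code from this thread; the byte stream it parses is constructed by hand, not captured). Per RFC 4253 the version banners, the SSH_MSG_KEXINIT algorithm lists and the key-exchange values travel in the clear, and once SSH_MSG_NEWKEYS has been sent every later packet, including the SSH_MSG_USERAUTH_REQUEST of RFC 4252 that carries the username and the password, is encrypted. The script builds a client-side stream with those pieces and walks it the way an eavesdropper would. The banner text, algorithm names, cookie and DH value, and the function names build_packet and parse_cleartext are assumptions chosen for the example.

```python
"""Added example: what an on-path observer can read from an SSH-2 session.

Not code from the mailing-list thread.  The byte stream below is
constructed by hand (not captured) following RFC 4253: a client version
banner, an SSH_MSG_KEXINIT packet, an SSH_MSG_KEXDH_INIT packet, an
SSH_MSG_NEWKEYS packet, and then opaque bytes standing in for the
encrypted traffic (which is where SSH_MSG_USERAUTH_REQUEST, carrying
the username and password, travels).  Banner text, algorithm names and
the cookie/DH values are assumptions chosen for the example.
"""
import struct

SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_KEXDH_INIT = 30

KEXINIT_LISTS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s",
                 "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]


def _name_list(names):
    """RFC 4251 name-list: uint32 length + comma-separated names."""
    data = ",".join(names).encode()
    return struct.pack(">I", len(data)) + data


def build_packet(payload, block_size=8):
    """Binary packet of RFC 4253 section 6, as sent before NEWKEYS
    (no MAC, no encryption).  Padding is at least 4 bytes and brings the
    whole packet to a multiple of block_size."""
    padding_len = block_size - ((len(payload) + 5) % block_size)
    if padding_len < 4:
        padding_len += block_size
    packet_len = 1 + len(payload) + padding_len
    return struct.pack(">IB", packet_len, padding_len) + payload + b"\x00" * padding_len


def build_kexinit(kex, hostkey, enc, mac, comp):
    """SSH_MSG_KEXINIT payload (RFC 4253 section 7.1)."""
    cookie = b"\x11" * 16  # constructed; a real client sends 16 random bytes
    lists = [kex, hostkey, enc, enc, mac, mac, comp, comp, [], []]
    body = b"".join(_name_list(names) for names in lists)
    return bytes([SSH_MSG_KEXINIT]) + cookie + body + b"\x00" + b"\x00\x00\x00\x00"


def sample_client_stream():
    """Constructed client-to-server bytes for one connection."""
    banner = b"SSH-2.0-OpenSSH_3.9p1\r\n"  # constructed 2004-era banner
    kexinit = build_packet(build_kexinit(
        ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1"],
        ["ssh-rsa", "ssh-dss"],
        ["aes128-cbc", "3des-cbc"],
        ["hmac-md5", "hmac-sha1"],
        ["none", "zlib"]))
    # Client DH public value as an mpint: a toy value, visible on the wire
    # but useless to an observer without the server's secret exponent.
    kexdh_init = build_packet(bytes([SSH_MSG_KEXDH_INIT]) + b"\x00\x00\x00\x04\x12\x34\x56\x78")
    newkeys = build_packet(bytes([SSH_MSG_NEWKEYS]))
    # Stand-in for everything after NEWKEYS: ciphertext an observer cannot read.
    encrypted = b"\xa5" * 64
    return banner + kexinit + kexdh_init + newkeys + encrypted


def parse_kexinit(payload):
    """Decode the ten name-lists that follow the message byte and cookie."""
    pos = 1 + 16
    lists = {}
    for name in KEXINIT_LISTS:
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + length]
        lists[name] = raw.decode().split(",") if length else []
        pos += 4 + length
    return lists


def parse_cleartext(stream):
    """Walk the stream as an eavesdropper would: record the banner, the
    KEXINIT algorithm lists and the other pre-NEWKEYS message types, then
    stop at NEWKEYS, after which packets are encrypted."""
    seen = {"other_cleartext_msgs": []}
    banner_end = stream.index(b"\r\n")
    seen["version"] = stream[:banner_end].decode()
    pos = banner_end + 2
    while pos + 5 <= len(stream):
        packet_len, padding_len = struct.unpack(">IB", stream[pos:pos + 5])
        payload = stream[pos + 5:pos + 5 + packet_len - padding_len - 1]
        pos += 4 + packet_len
        msg_type = payload[0]
        if msg_type == SSH_MSG_KEXINIT:
            seen["kexinit"] = parse_kexinit(payload)
        elif msg_type == SSH_MSG_NEWKEYS:
            seen["encrypted_bytes_after_newkeys"] = len(stream) - pos
            break
        else:
            seen["other_cleartext_msgs"].append(msg_type)
    return seen


if __name__ == "__main__":
    result = parse_cleartext(sample_client_stream())
    print("client version :", result["version"])
    print("ciphers offered:", result["kexinit"]["enc_c2s"])
    print("cleartext msgs :", result["other_cleartext_msgs"])
    print("opaque bytes after NEWKEYS:", result["encrypted_bytes_after_newkeys"])
```

The same split shows up in a packet capture of a live session: the banners and the KEXINIT algorithm strings are readable, and nothing after NEWKEYS is, which is why the username and password of the account you log in as never cross the network in the clear. What an observer does get is the destination address at the IP layer and the protocol, software version and cipher suites on offer.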
