05.27.06
Don’t blindly trust SSH
I saw an article at Slashdot quoting this article about how SSH is not as secure as you might think.
Quote:
“In UNIX, all things are files. To send network traffic, UNIX writes the traffic to the network device file. In this case, the connection to Box A (and that private key used for authentication) is a socket file. This file will shuttle the authentication traffic between Box A and Box P. So what’s the risk? Maybe the hacker can’t get a copy of the private key through the socket file, but something better (from his/her view) can be done. If the hacker has root on Box D, he or she can point a private copy of the agent forwarding software to that socket file and thereby point the authentication process to the administrator’s credentials–the ones kept on the ‘safe’ intranet. What are the chances that the administrator has configured access to all the DMZ servers he controls?”
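The exposure in the quote exists only on hosts the client forwards its agent to, so a useful check is which hosts your `ssh_config` actually enables `ForwardAgent` for. The following is an added example, not code from the quoted article: it evaluates `Host` blocks with OpenSSH's first-match-wins rule and negated patterns. The hostnames are constructed, and `Include` and `Match` blocks are not evaluated (an assumption of this sketch).

```python
import fnmatch
import shlex

# Constructed sample client config; hostnames are illustrative only.
SAMPLE = """\
Host boxp.dmz.example
  ForwardAgent no
Host *.dmz.example !boxd.dmz.example
  ForwardAgent=yes
Host *
  ForwardAgent no
"""

def host_matches(patterns, hostname):
    """Host rule: a positive pattern must match and no negated pattern may match."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched

def effective_forward_agent(config_text, hostname):
    """Return the ForwardAgent value ssh would apply to hostname."""
    active = True  # options before the first Host line apply to all hosts
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = line.replace("=", " ", 1)  # "Keyword=value" form is allowed
        try:
            parts = shlex.split(line)
        except ValueError:  # unbalanced quote in an unrelated option
            parts = line.split()
        keyword, args = parts[0].lower(), parts[1:]
        if keyword == "host":
            active = host_matches(args, hostname)
        elif keyword == "match":
            active = False  # assumption: Match blocks are skipped here
        elif keyword == "forwardagent" and active and args:
            return args[0].lower()  # first obtained value wins
    return "no"  # OpenSSH default

def audit(config_text, hostnames):
    """Hosts that would receive a forwarded agent socket."""
    return [h for h in hostnames if effective_forward_agent(config_text, h) != "no"]
```

Because the first obtained value wins, a `ForwardAgent yes` under an early `Host *` cannot be switched off by a later, more specific block.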