[LUNI] problems running up2date from ssh connection
scott thomason
scott at thomasons.org
Fri Mar 22 16:27:01 CST 2002
On Mar 21 05:01 PM, Martin Maney wrote:
> I've seen it argued both ways, and I can't see that either position has any
> killer arguments. The X permissions nuisance and the recently publicized
> "password keystroke counting & timing" issue both push towards using "ssh
> root@...".
IIRC, someone on slashdot looked into the source code involving aforementioned
"password keystroke counting & timing" issue, and I believe the consensus was
it didn't matter one bit...ssh is collecting all the keystrokes, then sending
the password bundle as one packet. In the end, the vulnerability was far more
theoretical than the initial press. But I suppose this only applies if you
are initiating the session from a local window/console. OTOH, if you are
initiating a new SSH session from within an existing SSH session, how are the
bad guys going to know what packets to time?