An article and script describing how to snoop on an
SSH session and
username and password... this would be one of a number of
reasons why the WLUG server only allows key-based authentication. ;)
Hmm - it seems that once again it is proved that security only keeps
honest people out!
Not at all; this article shows how far SSH raises the bar. It's only
possible to recover passwords this way if you already have root access on
the box being SSHed into, as opposed to telnet where anyone along the path
can trivially capture packets. And if you're using key-based authentication
(as hoiho does) the only thing sent to the server is a one-time random
challenge which cannot be reused for any subsequent login.
It's impressive that SSH can provide security to the point that even the
admins of the box you're connecting to (or a malicious attacker who's gained
root access) can only authenticate you, but don't get given enough
information to impersonate you on other servers where you're using the same
This email is for the intended recipient only. If you are not the intended
recipient you must burn your computer, while standing on one foot and
chanting the entire jabberwocky.
The opinions expressed here are not necessarily the opinions of the person
who expressed them.