
[ale] I was hacked!

I did miss one small detail. Bad person cannot change user password on
compromised machine without knowing existing password.


On Mon, Nov 04, 2019 at 05:18:10PM -0500, Jim Kinney wrote:
>    Bad person gets user access. Then uses ssh key to access another system
>    the compromised user has sudo on. Bad person doesn't have sudo access
>    unless they have compromised user's password or sysadmin gave out no
>    password sudo.
>    On November 4, 2019 4:57:28 PM EST, Byron Jeff via Ale <ale at ale.org>
>    wrote:
> I thought the same in the first minute, but realized that it doesn't add
> any operational security. If machine A, user B is compromised (B at A) and
> B's keys are used to login to B at C using keys, and B has sudo access, then it's
> trivial for the hacker to login to B at C, change B's password on C, then use
> it to gain root access on C.
> I almost start to wonder if passwordless keys really improve security.
> On Mon, Nov 04, 2019 at 04:10:41PM -0500, dj-pfulio via Ale wrote:
>      directly. Perhaps 2006? First thing I do on any new machine is add an
>      account with sudo rights.
>      I don't see the operational difference between ssh'ing into root (using a
>      key) and ssh'ing into another account using a key and then sudo'ing to
>      root. You're still getting into the machine via a key?
>      2 authentication levels seems to be better than 1, but everyone has
>      different requirements.

Byron A. Jeff
Associate Professor: Department of Computer Science and Information Technology
College of Information and Mathematical Sciences
Clayton State University
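
The condition raised in the quoted reply above (a stolen SSH key does not give root unless the attacker also has the user's password or passwordless sudo was handed out) can be checked per host. The script below is an added example, not part of any message in this thread; the names `audit_sudoers` and `sample_sudoers` and the sample policy are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list sudoers rules that grant root
# without the account password, so a stolen SSH key alone is enough.

# Constructed sample policy, not taken from any real host.
sample_sudoers() {
    cat <<'EOF'
# constructed sample
Defaults env_reset
%wheel  ALL=(ALL) ALL
alice   ALL=(ALL) ALL   # NOPASSWD: removed
bob     ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(root) \
        NOPASSWD: /usr/bin/systemctl restart app
Defaults:backup !authenticate
EOF
}

# audit_sudoers FILE...: print each password-free rule; return 1 if any found.
audit_sudoers() {
    found=0
    for f in "$@"; do
        [ -r "$f" ] || { echo "skip (unreadable): $f" >&2; continue; }
        awk -v file="$f" '
            # Join backslash-continued lines into one logical rule.
            /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
            {
                line = buf $0; buf = ""
                # "#include..." and "#uid" are not comments; other "#" lines are.
                if (line ~ /^[ \t]*#/ && line !~ /^[ \t]*#(include|[0-9])/) next
                sub(/[ \t]+#.*$/, "", line)      # drop trailing comment
                if (line ~ /NOPASSWD[ \t]*:/) {
                    print file ": NOPASSWD rule: " line; n++
                } else if (line ~ /^[ \t]*Defaults.*!authenticate/) {
                    print file ": authentication disabled: " line; n++
                }
            }
            END { exit (n > 0) }
        ' "$f" || found=1
    done
    return "$found"
}

# Run against files named on the command line, e.g. a copy of /etc/sudoers.
if [ "$#" -gt 0 ]; then audit_sudoers "$@"; fi
```

Included files are not followed, so pass each file under the sudoers include directory as its own argument.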