SSL shows all usernames on host

SSL shows all usernames on host

Posted by: Kernos
Posted on: 2005-01-16 10:06:00

I am new to SSL and have been using Rbrowser (OS X) to replace FTP with SSL for access to my servers.

When I do not specify a path, I see not only the root directory of the server, but all the user directories in the home folder all with permissions root-staff 777, except for me which as me-pg????? and 755.

Is this normal? I don't really like my username to be seen by everyone. Could not one get into my space using brute force methods?

Bill

Re: SSL shows all usernames on host

Posted by: snokarver
Posted on: 2005-01-16 14:44:00

That's not good. Yes, someone could more easily get in via brute force, so make sure you set a good password - at least alpha numeric and eight characters. I also use ASCII characters.

Re: SSL shows all usernames on host

Posted by: kchrist
Posted on: 2005-01-18 07:07:00

By "brute force", I assume you mean a dictionary-style attack.

While knowing your username is half the battle, it's by far the easier half. The hard part would be guessing your password (assuming it's reasonably difficult to guess). Thousands of failed logins for any given account is bound to raise some flags at DH, at which point the auth logs would clearly show someone trying to guess passwords. They'd have plenty of time to disallow access to the offending party.

In other words, it's really nothing to worry about.

Re: SSL shows all usernames on host

Posted by: lrosenstein
Posted on: 2005-01-18 11:31:00

A minor point...I think you mean to say "SSH" not "SSL".

I wouldn't worry too much about this. There are other ways that your user name can be discovered (eg, in email). That said, DH might be fixing this, because I find that I can't list other user names when I use SSH. You can mention this to Support and see what they say.

A brute force attack would involve trying different passwords in the hopes of finding the right one. You can defeat this by choosing a password that it unlikely to be guessed. (You can even have the DH admin panel generate a password at random.)

You can couple this with public key authentication to make it easy for you to log in from your Mac (and only your Mac) without having to memorize the obscure password. Here's one set of instructions to get you started:

<http://stocksy.is-a-geek.com/information/ssh/ssh.php>

Look for the section "Passwordless logins with SSH". In this case, your Mac would be the client, and the DH machine the server. There's also an application to help set this up <http://www.gideonsoftworks.com/sshhelper.html>, but I haven't used it myself.

Tags: my spacesslroot directoryusernamesdirectoriesftppathserversaccess