On 1/5/2010 7:31 AM, Kai Schaetzl wrote:
> For what do you need the hash? You don't supply the hash for logging in.
In the case of SSH login, you are correct that the hash is not used to log in. But the attacker may find a way to read the hash out of the /etc/shadow file, or the same password is used in other places and also stored with an MD5 hash.
A lot of things would have to go wrong for a remote attacker to get access to /etc/shadow - but it's been known to happen.
(Personally, I always move the SSH port to something other than 22 and we only allow authentication via public keys over the external port.)