> > A relatively simple default password check.
>
> OK. Something like "check that root password is not root"?

Correct :) .

> > Right, but is there some way to tie ssh into NASL so
> > that ssh is initiating the connection?
>
> There is no way to call an external program. I plan to implement this
> into "trusted scripts". However, SSH is a complex program and could be
> vulnerable to "reverse exploits". So this is dangerous.

What do you think about including an option that indicates "This SSH check could be vulnerable to reverse exploits. Use can lead to system compromise."?

> Maybe I should add a couple of "jail" arguments to the pread() function,
> like "chroot", or "uid" and "gid".
> However, pread is not enough for your problem: we need to tie a
> process to a Nessus connection.
>
> >> Apart from implementing the SSH protocol in NASL, no.
>
> > > Is that possible?
>
> Yes. The good question is; is this easy?
> http://www.ietf.org/html.charters/secsh-charter.html

I was afraid of that...

> You'll probably need a couple of helper C functions, as implementing
> some cryptographic algorithm in NASL would be a pain in the back.
>
> I have much work currently. If you can wait until Easter, I may have
> more time to finish the implementation of "trusted scripts".
> (I also have to split find_service into small parts, so I do not
> guarantee that I'll have time)

I can certainly wait :) ... Thanks!

_______________________________________________
Plugins-writers mailing list
Plugins-writers@private
http://mail.nessus.org/mailman/listinfo/plugins-writers
This archive was generated by hypermail 2b30 : Wed Apr 07 2004 - 03:12:51 PDT