96.
You find that the ssh_host_dsa_key file in /etc/ssh has 0666 (-rw-rw-rw-) permissions.
Your SSH server has been in operation for several months. Should you be concerned?
- A. Yes
- B. No
- C. Only if the ssh_host_dsa_key.pub file is also world-readable
- D. Only if you’re launching SSH from a super server
- E. Only if you’re using a laptop computer
Answer : [A]
Explanation :
The ssh_host_dsa_key file holds one of three critical private keys for SSH. The fact that this key is readable (and writeable!) to the entire world is disturbing, so option A is correct. In principle, a miscreant who has acquired this file might be able to redirect traffic and masquerade as your system, duping users into delivering passwords and other sensitive data. Because of this, option B (No) is an incorrect response, and the conditions imposed by options C, D, and E are all irrelevant, making all of these options incorrect.
97.
For best SSH server security, how should you set the Protocol option in /etc/ssh/sshd_config?
- A. Protocol 1
- B. Protocol 2
- C. Protocol 1,2
- D. Protocol 2,1
- E. Protocol *
Answer : [B]
Explanation :
SSH protocol level 2 is more secure than protocol level 1; thus, option B (specifying acceptance of level 2 only) is the safest approach. Option A is the least safe approach because it precludes the use of the safer level 2. Options C and D are exactly equivalent in practice; both support both protocol levels. Option E is invalid.
98.
Why is it unwise to allow root to log on directly using SSH?
- A. Disallowing direct root access means that the SSH server may be run by a non-root user, improving security.
- B. The root password should never be sent over a network connection; allowing root logins in this way is inviting disaster.
- C. SSH stores all login information, including passwords, in a publicly readable file.
- D. When logged on using SSH, root’s commands can be easily intercepted and duplicated by undesirable elements.
- E. Somebody with the root password but no other password can then break into the computer.
Answer : [E]
Explanation :
Allowing only normal users to log in via SSH effectively requires two passwords for any remote root maintenance, improving security, so option E is correct. Whether or not you permit root logins, the SSH server must normally run as root, since SSH uses port 22, a privileged port. Thus, option A is incorrect. SSH encrypts all connections, so it’s unlikely that the password, or commands issued during an SSH session, will be intercepted, so option B isn’t a major concern. (Nonetheless, some administrators prefer not to take even this small risk.) SSH doesn’t store passwords in a file, so option C is incorrect. Because SSH employs encryption, option D is incorrect (this option better describes Telnet than SSH).
99.
You’ve downloaded a GPG public key from a Web site, into the file fredkey.pub. What must you do with this key to use it?
- A. Type inspect-gpg fredkey.pub.
- B. Type gpg --readkey fredkey.pub.
- C. Type import-gpg fredkey.pub.
- D. Type gpg --import fredkey.pub.
- E. Type gpg-import fredkey.pub.
Answer : [D]
Explanation :
Option D provides the correct command to import fredkey.pub prior to use. The inspect-gpg, import-gpg, and gpg-import commands of options A, C, and E are fictitious; and there is no --readkey option to gpg, as option B suggests.
100.
You want to send an encrypted message to an email correspondent. You both have GPG.
What do you need to exchange before you can send your encrypted message?
- A. Your correspondent must obtain your GPG public key.
- B. Your correspondent must obtain your GPG private key.
- C. You must exchange private keys with your correspondent.
- D. You must obtain your correspondent’s GPG private key.
- E. You must obtain your correspondent’s GPG public key.
Answer : [E]
Explanation :
The usual method of sending encrypted messages with GPG entails the sender using the recipient’s public key to encrypt the message. Thus, option E is correct. Option A would be correct if your correspondent needed to send you an encrypted message, but the question only specifies your sending the encrypted message. Options B, C, and D all entail delivery of private keys, which is inadvisable at best, because private keys in the wrong hands permit the holder to impersonate the person who owns the keys.