-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>>>>> "Richard" == Richard <[EMAIL PROTECTED]> writes:

[...]

Richard> There is also an analysis of the ssh packetstream revealing the
Richard> number of chars in the passwd.

Small clarification: this may reveal the number of characters in any
password that you type _within_ the ssh session. This does not affect
the password that you use to initially log in, as the whole password is
sent in one packet. Of course, the attacker would need to know that you
are typing in a password at that time.

Richard> Attacks can still be done when the fingerprint is unknown
Richard> (e.g. first connect to the box)

Yes, and to answer the OP's second question (how to make ssh secure),
copy the server's public key over a known secure channel (e.g. if you're
at work, get the admin to stick it on a floppy for you), or get the
fingerprint over a known secure channel (e.g. phone the admin and ask
for the fingerprint).

Richard> or brute-force on fingerprint / rsa / dsa.

And if you manage to brute-force the fingerprint/rsa/dsa, we've got
problems.

- -- 
Hubert Chan <[EMAIL PROTECTED]> - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/651854DF71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD 6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net. Please encrypt *all* e-mail to me.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7jC/YZRhU33H9o38RAn3cAJ0eJvBKQTNOF0qgZMClw3m1ATXIyQCgn/tK
Kc1P/7a20XqC6x8ntygGl8M=
=unD0
-----END PGP SIGNATURE-----
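
The out-of-band fingerprint check suggested in the message above, as an added example that is not part of the original e-mail: it parses an OpenSSH public key line, computes the hex MD5 and base64 SHA256 fingerprints, and compares them with a value obtained over a trusted channel. The sample key is constructed, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey_line(line: str) -> tuple[str, bytes]:
    """Return (key type, decoded key blob) from '<type> <base64> [comment]'."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob starts with its own length-prefixed type name; reject the line
    # if that disagrees with the declared type (malformed or altered entry).
    if not blob.startswith(ssh_string(key_type.encode())):
        raise ValueError("declared key type does not match key blob")
    return key_type, blob


def fingerprints(blob: bytes) -> dict[str, str]:
    """Fingerprints in the two formats OpenSSH prints (hex MD5, base64 SHA256)."""
    md5 = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha}


def matches_trusted(line: str, trusted: str) -> bool:
    """True if the key on `line` has the fingerprint obtained out of band."""
    fp = fingerprints(parse_pubkey_line(line)[1])
    trusted = trusted.strip()
    if trusted.startswith("SHA256:"):
        expected, given = fp["sha256"], trusted.rstrip("=")
    else:  # hex MD5, with or without an "MD5:" prefix, any letter case
        expected, given = fp["md5"], trusted.lower().removeprefix("md5:")
    return hmac.compare_digest(expected.encode(), given.encode())


# Constructed sample: an ssh-ed25519 blob whose 32 key bytes are 0x00..0x1f.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed"

if __name__ == "__main__":
    for name, value in fingerprints(parse_pubkey_line(SAMPLE_LINE)[1]).items():
        print(name, value)
```
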

