Lyor Goldstein created SSHD-948:
-----------------------------------
Summary: Do not accept password authentication if the session is
not encrypted
Key: SSHD-948
URL: https://issues.apache.org/jira/browse/SSHD-948
Project: MINA SSHD
Issue Type: Improvement
Affects Versions: 2.3.0
Reporter: Lyor Goldstein

According to RFC4252 section 8:
{quote}
Both the server and the client should check whether the underlying
transport layer provides confidentiality (i.e., if encryption is
being used). If no confidentiality is provided ("none" cipher),
password authentication SHOULD be disabled. If there is no
confidentiality or no MAC, password change SHOULD be disabled.
{quote}
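
The check quoted from RFC 4252 section 8, written out as an added example; it is not part of the original issue and is not MINA SSHD code. The class, enum and method names are hypothetical, and two choices are assumptions: both directions of the session must qualify, and the listed AEAD ciphers count as providing a MAC.

```java
import java.util.EnumSet;
import java.util.Set;

/** Hypothetical policy helper for the RFC 4252 section 8 check; not MINA SSHD API. */
public class PasswordAuthPolicy {
    enum Action { PASSWORD_AUTH, PASSWORD_CHANGE }

    // AEAD ciphers authenticate packets themselves; the negotiated MAC name is ignored for them.
    private static final Set<String> AEAD_CIPHERS = Set.of(
            "aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com");

    private static boolean isNone(String name) {
        return name == null || name.isEmpty() || "none".equals(name);
    }

    static boolean hasConfidentiality(String cipher) {
        return !isNone(cipher);
    }

    static boolean hasIntegrity(String cipher, String mac) {
        // Null/empty is checked first because Set.of(...).contains(null) throws.
        return (!isNone(cipher) && AEAD_CIPHERS.contains(cipher)) || !isNone(mac);
    }

    /** Assumption: both directions must qualify; the RFC text does not name a direction. */
    static Set<Action> allowedActions(String c2sCipher, String s2cCipher,
                                      String c2sMac, String s2cMac) {
        Set<Action> allowed = EnumSet.noneOf(Action.class);
        if (!hasConfidentiality(c2sCipher) || !hasConfidentiality(s2cCipher)) {
            return allowed; // "none" cipher: no password auth, so no password change either
        }
        allowed.add(Action.PASSWORD_AUTH);
        if (hasIntegrity(c2sCipher, c2sMac) && hasIntegrity(s2cCipher, s2cMac)) {
            allowed.add(Action.PASSWORD_CHANGE);
        }
        return allowed;
    }

    public static void main(String[] args) {
        // Constructed negotiation results: {c2s cipher, s2c cipher, c2s MAC, s2c MAC}
        String[][] samples = {
            {"aes128-ctr", "aes128-ctr", "hmac-sha2-256", "hmac-sha2-256"},
            {"none", "none", "hmac-sha2-256", "hmac-sha2-256"},
            {"aes128-ctr", "none", "hmac-sha2-256", "hmac-sha2-256"},
            {"aes128-ctr", "aes128-ctr", "none", "hmac-sha2-256"},
            {"chacha20-poly1305@openssh.com", "chacha20-poly1305@openssh.com", "none", "none"},
        };
        for (String[] s : samples) {
            System.out.println(String.join(",", s) + " -> " + allowedActions(s[0], s[1], s[2], s[3]));
        }
    }
}
```

The decision has to be made from the algorithms in effect when the authentication request arrives, since a key re-exchange can change them during the session.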