[EMAIL PROTECTED] on 2000.07.18 14:05:01
>> How can an SSH server know that the SSH client hasn't been compromised and is
>> sending a spoofed username?
>
>By requiring the client to send a password known to the server or to encrypt its
>connection/keys/whatever it is using the proper private key (in other words, a
>private key with a corresponding & appropriate public key already known to the
>server).

No, this doesn't guarantee it.  For example, if the OpenSSH client sent this
info over the server, I can build OpenSSH in such a way that it will always send
the wrong info over.  I'll still have proper keys and everything, but the
username info will have been spoofed.

Noel


