[ On Wednesday, January 31, 2001 at 13:49:41 ( -0500), Ng, Kenneth (US) wrote: ]
> Subject: RE: Can SSH be used just for encrypted authentication and then let the
> rest of the session be unencrypted?
>
> Sometimes you want the authentications encrypted to prevent outsiders from
> getting the passwords, but the actual data itself is considered not
> sensitive. Or you're using public key exchange to authenticate, but the data
> is not sensitive. Being able to turn off the encryption would be nice when
> you have to move gigabytes across a LAN inside of the allowed backup time
> window. What I've done when I needed to do this is to lower the encryption
> strength to use blowfish instead of IDEA or 3DES. I've doubled throughput
> by doing this.

Ah, but if your session authentication parameters are sensitive then the
data stream is sensitive, by definition.

If you were to run the rest of the session in a clear TCP channel then
you would risk it being hijacked, and at that point you may as well not
even have a password or any other kind of authentication because the
hijacker is going to have his way with your remote session anyway.

TCP circuit hijacking is almost kid's play these days.....

--
Greg A. Woods
+1 416 218-0098 VE3TCP <[EMAIL PROTECTED]> <robohack!woods>
Planix, Inc. <[EMAIL PROTECTED]>; Secrets of the Weird <[EMAIL PROTECTED]>