On Thu, Jul 07, 2005 at 10:57:53AM -0500, Jay Strauss wrote:
> > No, SSH never passes password across the net in cleartext. They are sent to
> > the remote host when using this option, which means that unless you have a
> > different password for each host, a malicious remote administrator could
> > capture your password and then use it to compromise your other accounts.
>
> Feeling a bit stupid but I still don't understand what you mean
>
> If I ssh from A to sveasoft - the password is encrypted
> If I then ssh from sveasoft to C - the password is cleartext?

No. The ssh password is always tunneled, but it's tunnelled "cleartext". This means that a sysadmin at sveasoft could rig their sshd to capture the cleartext password to a file, and they could then use it at other sites where you use the same password. Note that before you ssh'd in, they don't have your password unencrypted: they have a password hash.

-- 
Micah J. Cowan
[EMAIL PROTECTED]
_______________________________________________
vox-tech mailing list
[email protected]
http://lists.lugod.org/mailman/listinfo/vox-tech
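
Added example (not part of the original message, and not sshd code): a toy Python model of the distinction made in the reply above. A host stores only a salted hash, but at login it is handed the password itself, which is what makes reuse across hosts risky. The `PasswordHost` class, `reuse_demo` function, user name and passwords are hypothetical, constructed values.

```python
import hashlib
import hmac
import os


class PasswordHost:
    """Toy model of a host doing password authentication (hypothetical, not sshd)."""

    def __init__(self):
        self._db = {}  # user -> (salt, derived hash); no plaintext is stored

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, user, password):
        salt = os.urandom(16)
        self._db[user] = (salt, self._derive(password, salt))

    def stored_hash(self, user):
        return self._db[user][1]

    def login(self, user, received):
        # `received` is what comes out of the encrypted tunnel: the password
        # itself. The host needs it in the clear to recompute the hash.
        salt, expected = self._db[user]
        return hmac.compare_digest(self._derive(received, salt), expected)


def reuse_demo():
    pw = "constructed-sample-password"  # constructed value
    first, reused, unique = PasswordHost(), PasswordHost(), PasswordHost()
    first.enroll("user1", pw)
    reused.enroll("user1", pw)                       # same password on a second host
    unique.enroll("user1", "different-per-host-pw")  # constructed value
    at_rest = first.stored_hash("user1").hex()       # all `first` holds before any login
    return {
        "login_ok": first.login("user1", pw),
        "hash_works_elsewhere": reused.login("user1", at_rest),
        "plaintext_works_on_reuse_host": reused.login("user1", pw),
        "plaintext_works_on_unique_host": unique.login("user1", pw),
    }


if __name__ == "__main__":
    for name, value in reuse_demo().items():
        print(f"{name}: {value}")
```

The stored hash does not log in anywhere else, while the value the first host receives at login does, unless the other host has its own password.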
