Karsten M. Self wrote:
on Sun, Jul 17, 2005 at 09:43:43AM -0500, Jay Strauss ([EMAIL PROTECTED]) wrote:
Karsten M. Self wrote:
on Thu, Jul 07, 2005 at 07:43:52AM -0700, Henry House
([EMAIL PROTECTED]) wrote:
On 2005-07-07, Jay Strauss wrote:
Hi,
I have a sveasoft box, and in order to ssh from the sveasoft to
a target box, the target box must have PasswordAuthentication
yes in the /etc/ssh/sshd_config file.
I don't understand what that config option actually does. The
config file has:
# To disable tunneled clear text passwords, change to no here!
Does this mean you can send clear text passwords to login? Does
this mean that when you build a tunnel, passwords are sent clear
text to the forwarded app?
The curious can read the SSH protocols here:
http://www.snailbook.com/protocols.html
...which I've done. I've been using SSH for years, but only understand
some parts of it vaguely.
Thanks Karsten. It's a long email; it's going to take me a bit to figure
out how this impacts me.
Well, the *short* version is:
- SSH (v2) *always* encrypts the channel between the two hosts
participating in a session, prior to any user content being
transmitted over that channel. In SSH v1, it was possible to
request an unencrypted channel, though default behavior was to
encrypt unless otherwise specified.
- When using password authentication, your actual password *is*
transmitted to the remote host. If this remote host cannot be
trusted (it's been compromised, it's a man-in-the-middle), then you
_may_ find your password compromised.
- "Man in the middle" refers to a class of cryptographic attack in
which Eve (the eavesdropper) situates herself between yourself
(Carol) and the host you wish to communicate with (Bob). If you
cannot discriminate between Eve and Bob, you risk disclosure to Eve.
- SSH-key authentication removes the possibility of leaking a password
to Eve, by using a PKI key exchange in the authentication portion of
session setup. This also offers additional levels of control, as
detailed in my earlier email.
So:
- Your password is always (cryptographically) safe from eavesdropping
from outside the channel.
- SSH-key auth removes a few vulnerabilities of password auth,
introduces additional control points, and enables a number of
convenience features (e.g.: ssh-agent).
Mini-shrunk-sort version: Use SSH-key auth with a passphrase and
ssh-agent.
Peace.
Thanks. How do you NOT send the password? Do Carol and Bob
convert/encrypt their local password for this user, then compare the
encryptions (maybe it's called a hash in this context)?
Thanks
Jay
_______________________________________________
vox-tech mailing list
[email protected]
http://lists.lugod.org/mailman/listinfo/vox-tech