l i n u x - u s e r s - g r o u p - o f - d a v i s
Next Meeting:
July 7: Social gathering
Next Installfest:
Latest News:
Jun. 14: June LUGOD meeting cancelled
Page last updated:
2005 Jul 08 08:23

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox-tech] sshd_config and PasswordAuthentication
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox-tech] sshd_config and PasswordAuthentication

On Thu, Jul 07, 2005 at 03:53:46PM -0500, Jay Strauss wrote:
> Micah J. Cowan wrote:
> > On Thu, Jul 07, 2005 at 10:57:53AM -0500, Jay Strauss wrote:
> > 
> >>>No, SSH never passes password across the net in cleartext. They are sent to
> >>>the remote host when using this option, which means that unless you have a
> >>>different password for each host, a malicious remote administrator could
> >>>capture your password and then use if to compromise your other accounts.
> >>
> >>Feeling a bit stupid but I still don't understand what you mean
> >>
> >>If I ssh from A to sveasoft - the password is encrypted
> >>If I then ssh from sveasoft to C - the password is cleartext?
> > 
> > 
> > No. The ssh password is always tunneled, but it's tunnelled "cleartext".
> > This means that a sysadmin at sveasoft could rig their sshd to capture
> > the cleartext password to a file, and they could then use it at other
> > sites where you use the same password.
> > 
> > Note that before you ssh'd in, they don't have your password
> > unencrypted: they have a password hash.
> >
> I feel I'm going a little round and round here
> Please correct me if I'm wrong, but I think you saying simply is that 
> the data that comes out of the far side of the tunnel is clear text?

That's right. It's not "clear" while it's "in the tunnel".

> ie:
> me --ssh/encrypted -- sveasoft -- tunnel/cleartext -- box C

I think that's right, although I'm not sure I entirely understand what
I'm seeing above... ssh/encrypted and tunnel/cleartext are the same
thing, unless the first one is intended to represent
assymetric (public/private) key encryption. Assuming
that you're not using assymetric key
encryption at any point, the password is "cleartext" at every
terminating point in the above (me, sveasoft and box C), but at no point
in between.

> BTW, sveasoft is just my own linksys router (at home) running a 
> different firmware, you could substitute any linux box in for the sveasoft
> But if I ssh to a box that has PasswordAuthentication yes, but then just 
> do "vi" and other admin tasks, nothing is clear text between the 2 
> computers, including (most importantly) my password.  The tunneling bit 
> I'm not too worried about.

No, it's clear text at the destination box, in terms of the sysadmin
(who could potentially read sshd's memory to see what it decrypted, and
hence the decrypted clear-text password), and in terms of the sshd owner
(who may have modified sshd to capture the password after decrypting

> Furthermore if I, from the ssh session into my router, in turn ssh to 
> another box, everything from box router -> c is encrypted, right?

Everything on an ssh connection from any box to any other box is
encrypted. It's the termination points that are the problem
(keylogging/ssh-prog capturing at origin, capturing or sysadmin-snooping
at destination).

The reason why public key cryptography is preferred, is that you prove
to the destination box that you are who you say you are, without
allowing the destination box to turn around and "prove" that /it/ is who
/you/ say you are.

What's wrong with PasswordAuthentication in a nutshell is, in order to
authenticate yourself, both you and the destination host know your
vox-tech mailing list

LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
Sunset Systems
Who graciously hosts our website & mailing lists!