Page last updated: 2005 Jul 18 07:25

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] sshd_config and PasswordAuthentication

on Sun, Jul 17, 2005 at 09:43:43AM -0500, Jay Strauss (me@heyjay.com) wrote:
> Karsten M. Self wrote:
> > on Thu, Jul 07, 2005 at 07:43:52AM -0700, Henry House 
> > (hajhouse@houseag.com) wrote:
> > 
> > > On 2005-07-07, Jay Strauss wrote:
> > > 
> > > > Hi,
> > > > 
> > > > I have a sveasoft box, and in order to ssh from the sveasoft to
> > > > a target box, the target box must have PasswordAuthentication
> > > > yes in the /etc/ssh/sshd_config file.
> > > > 
> > > > I don't understand what that config option actually does.  The
> > > > config file has:
> > > > 
> > > > # To disable tunneled clear text passwords, change to no here!
> > > > 
> > > > Does this mean you can send clear text passwords to login?  Does
> > > > this mean that when you build a tunnel, passwords are sent clear
> > > > text to the forwarded app?
> 
> > 
> > The curious can read the SSH protocols here:
> > 
> >    http://www.snailbook.com/protocols.html
> > 
> > ...which I've done.  I've been using SSH for years, but only understand
> > some parts of it vaguely.
 
> Thanks Karsten.  It's a long email it's going to take me a bit to figure 
> out how this impacts me

Well, the *short* version is:

  - SSH (v2) *always* encrypts the channel between the two hosts
    participating in a session, prior to any user content being
    transmitted over that channel.  In SSH v1, it was possible to
    request an unencrypted channel, though default behavior was to
    encrypt unless otherwise specified.

  - When using password authentication, your actual password *is*
    transmitted to the remote host.  If this remote host cannot be
    trusted (it's been compromised, it's a man-in-the-middle), then you
    _may_ find your password compromised.

  - "Man in the middle" refers to a class of cryptographic attack in
    which Eve (the eavesdropper) situates herself between yourself
    (Carol) and the host you wish to communicate with (Bob).  If you
    cannot discriminate between Eve and Bob, you risk disclosure to Eve.

  - SSH-key authentication removes the possibility of leaking a password
    to Eve, by using a PKI key exchange in the authentication portion of
    session setup.  This also offers additional levels of control, as
    detailed in my earlier email.


So:

  - Your password is always (cryptographically) safe from eavesdropping
    from outside the channel.

  - SSH-key auth removes a few vulnerabilities of password auth,
    introduces additional control points, and enables a number of
    convenience features (e.g.:  ssh-agent).


Mini-shrunk-sort version:  Use SSH-key auth with a passphrase and
ssh-agent.


Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
    You know, maybe FSF should just rebrand emacs as the hurd and stick
    a fork() in it...
    - Karsten M. Self, on linux-elitists


_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
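A check for the option Jay asked about, added here as an example and not taken from Karsten's post or from OpenSSH: it reads a constructed sshd_config fragment with POSIX sh and awk and reports whether tunneled cleartext passwords are still accepted (the function names and the two sample configs are my own).

```shell
#!/bin/sh
# Added example (not from the post): tell whether an sshd_config still permits
# password ("tunneled clear text") authentication, following sshd_config(5):
# keywords are case-insensitive, '#' starts a comment, and for each keyword the
# FIRST value found wins.  Directives inside a "Match" block apply only to
# matching clients; they are skipped here and must be reviewed separately.

# effective_value KEYWORD DEFAULT   (config text on stdin)
# Prints the value sshd would use for KEYWORD, or DEFAULT when it is unset.
effective_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v dflt="$2" '
        /^[[:space:]]*#/ || NF == 0  { next }                 # comment or blank
        tolower($1) == "match"       { in_match = 1; next }   # conditional block
        in_match                     { next }
        tolower($1) == key && !found { found = 1; val = $2 }
        END { print (found ? val : dflt) }
    '
}

# password_auth_enabled   (config text on stdin): exit 0 if passwords are accepted.
# sshd defaults PasswordAuthentication to "yes", so the commented-out line
# shipped by many distributions leaves password auth ENABLED.
password_auth_enabled() {
    [ "$(effective_value PasswordAuthentication yes)" = yes ]
}

# Constructed sample: the stock file quoted in the post, option left commented.
WEAK_CFG='# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
Protocol 2'

# Constructed sample: key-only authentication, as the post recommends.
HARD_CFG='Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# first value wins: this later duplicate does not re-enable passwords
PasswordAuthentication yes'

audit() {   # audit NAME CONFIG -> one-line verdict
    if printf '%s\n' "$2" | password_auth_enabled; then
        echo "$1: password authentication ENABLED (the cleartext password reaches the server)"
    else
        echo "$1: password authentication disabled; key-based auth only"
    fi
}
audit weak "$WEAK_CFG"
audit hardened "$HARD_CFG"
```

To check the running daemon rather than a file, `sshd -T` prints the fully resolved configuration and can be fed to the same functions.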

