[lug] SSH
David Morris
david at morris-clan.net
Tue Sep 3 15:44:48 MDT 2002
On Tue, Sep 03, 2002 at 04:32:02PM -0400, Michael Hirsch wrote:
> On Tue, 2002-09-03 at 15:57, David Morris wrote:
> Actually, you can let SSH use rhosts authentication. This is not
> secure.
Using rhosts is, I believe, still encrypted, just no
authentication is required on the given machines. By the
above definition, note that using ssh-agent to store a
passphrase is also not secure, because anyone who can access
*your* computer can access the other.
> > If you do not create an RSA public/private key-pair, you
> > will use password authentication, which means your password
> > goes over the internet in plain text...which is bad if one
> > of your worries is packet sniffing.
>
> This is incorrect. The password is use, but not transmitted in the
> clear. To quote from the man page: If other authentication methods
> fail, ssh prompts the user for a password. The password is sent to the
> remote host for checking; however, since all communications are
> encrypted, the password cannot be seen by someone listening on the
> network.
My appologies...sending your password instead of using
keypairs is less secure, and (at least with SSH1, don't know
about SSH2) I know of at least one or two cases where access
has been gained to a system by sniffing and decrypting the
password. Time might well have improved the password-based
authentication, but I still tend to avoid it whenever
possible.
--David
More information about the LUG
mailing list