[lug] SSH

David Morris david at morris-clan.net
Tue Sep 3 15:44:48 MDT 2002


On Tue, Sep 03, 2002 at 04:32:02PM -0400, Michael Hirsch wrote:
> On Tue, 2002-09-03 at 15:57, David Morris wrote:
> Actually, you can let SSH use rhosts authentication.  This is not
> secure.

Using rhosts is, I believe, still encrypted, just no
authentication is required on the given machines.  By the
above definition, note that using ssh-agent to store a
passphrase is also not secure, because anyone who can access
*your* computer can access the other.

> > If you do not create an RSA public/private key-pair, you
> > will use password authentication, which means your password
> > goes over the internet in plain text...which is bad if one
> > of your worries is packet sniffing.  
> 
> This is incorrect.  The password is used, but not transmitted in the
> clear.  To quote from the man page: If other authentication methods
> fail, ssh prompts the user for a password. The password is sent to the
> remote host for checking; however, since all communications are
> encrypted, the password cannot be seen by someone listening on the
> network. 

My apologies...sending your password instead of using
keypairs is less secure, and (at least with SSH1, don't know
about SSH2) I know of at least one or two cases where access
has been gained to a system by sniffing and decrypting the
password.  Time might well have improved the password-based
authentication, but I still tend to avoid it whenever
possible.

--David
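As an added example (not part of the original thread), a small POSIX shell audit of an sshd_config for the settings the thread argues about: rhosts trust, password authentication, and public-key authentication. The keyword names are OpenSSH's; the sample configs are constructed.

```shell
# Added example, not from the original thread: audit an sshd_config for the
# authentication methods debated above. Keywords follow OpenSSH naming
# (RhostsAuthentication/RhostsRSAAuthentication for the old rhosts methods,
# PasswordAuthentication, PubkeyAuthentication). The sample configs are constructed.

# Effective value of a keyword: first non-comment match wins (as in sshd),
# case-insensitive on the keyword; the caller supplies sshd's default.
sshd_opt() {
    file=$1; key=$2; default=$3
    val=$(awk -v k="$key" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$file")
    printf '%s\n' "${val:-$default}"
}

# Exit 0 when only public-key auth is in effect, 1 when a weaker method
# from the thread (rhosts trust or passwords) is still enabled.
audit_sshd_config() {
    f=$1; weak=0
    for opt in RhostsAuthentication RhostsRSAAuthentication; do
        if [ "$(sshd_opt "$f" "$opt" no)" = yes ]; then
            echo "WEAK: $opt yes (trusts the client host instead of a user credential)"
            weak=1
        fi
    done
    # sshd defaults to yes when PasswordAuthentication is absent
    if [ "$(sshd_opt "$f" PasswordAuthentication yes)" = yes ]; then
        echo "WEAK: PasswordAuthentication yes (sent inside the encrypted channel, but prefer keys)"
        weak=1
    fi
    if [ "$(sshd_opt "$f" PubkeyAuthentication yes)" != yes ]; then
        echo "WEAK: PubkeyAuthentication disabled"
        weak=1
    fi
    return $weak
}

# Constructed samples: one still accepting passwords, one key-only.
WEAK_CFG=$(mktemp); HARDENED_CFG=$(mktemp)
printf '%s\n' 'Port 22' 'RhostsAuthentication no' \
    'PasswordAuthentication yes' 'PubkeyAuthentication yes' > "$WEAK_CFG"
printf '%s\n' 'Port 22' 'RhostsAuthentication no' 'RhostsRSAAuthentication no' \
    '#PasswordAuthentication yes' 'PasswordAuthentication no' \
    'PubkeyAuthentication yes' > "$HARDENED_CFG"

audit_sshd_config "$WEAK_CFG" || echo "$WEAK_CFG: needs hardening"
audit_sshd_config "$HARDENED_CFG" && echo "$HARDENED_CFG: key-only auth"
```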