[vox-tech] sshd_config and PasswordAuthentication

Micah J. Cowan micah at cowan.name
Thu Jul 7 10:43:23 PDT 2005


On Thu, Jul 07, 2005 at 10:57:53AM -0500, Jay Strauss wrote:
> > No, SSH never passes password across the net in cleartext. They are sent to
> > the remote host when using this option, which means that unless you have a
> > different password for each host, a malicious remote administrator could
> > capture your password and then use it to compromise your other accounts.
> 
> Feeling a bit stupid but I still don't understand what you mean
> 
> If I ssh from A to sveasoft - the password is encrypted
> If I then ssh from sveasoft to C - the password is cleartext?

No. The ssh password is always tunneled, but it's tunneled "cleartext".
This means that a sysadmin at sveasoft could rig their sshd to capture
the cleartext password to a file, and they could then use it at other
sites where you use the same password.

Note that before you ssh'd in, they don't have your password
unencrypted: they have a password hash.

-- 
Micah J. Cowan
micah at cowan.name
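The server-side counterpart to the point above: if a host's sshd accepts password authentication at all, the password arrives at that host in the clear (inside the tunnel) and can be logged there. The checker below is an added example, not from the thread or from OpenSSH; it reads an sshd_config the way sshd_config(5) describes (keywords case-insensitive, "Key value" or "Key=value", first occurrence of a keyword wins, lines starting with '#' are comments) and reports every way a cleartext password can still reach the server, including the PAM keyboard-interactive path that stays open when only PasswordAuthentication is turned off. The sample configurations are constructed; Include and Match directives are not followed, so a real audit would confirm with `sshd -T`.

```python
import re

# Added example, not part of the original thread. OpenSSH defaults for the
# keywords that decide whether a reusable password ever reaches the server
# (per sshd_config(5)); a keyword absent from the file takes these values.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "usepam": "no",
    "pubkeyauthentication": "yes",
}

# Deprecated spelling that sshd still accepts; it is the same option.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# "Keyword value" or "Keyword=value" (optional whitespace around '=').
_LINE = re.compile(r"^([A-Za-z]+)(?:\s*=\s*|\s+)(\S.*)$")


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.

    Honours sshd's first-occurrence-wins rule. Parsing stops at the first
    'Match' block (conditional sections need 'sshd -T -C ...' to evaluate)
    and 'Include' files are not read, so this checks only the text given.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank line or comment
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        key = ALIASES.get(key, key)
        settings.setdefault(key, value)        # later duplicates are ignored
    return settings


def password_exposure(text):
    """Return (effective, findings).

    effective: the values sshd would use for the keywords in DEFAULTS.
    findings: one string per path by which a cleartext password can still
    be sent to, and therefore logged by, a server running this config.
    """
    effective = dict(DEFAULTS)
    for key, value in parse_sshd_config(text).items():
        if key in effective:
            effective[key] = value.lower()
    findings = []
    if effective["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: the 'password' method "
                        "delivers the password to the server inside the tunnel")
    if (effective["kbdinteractiveauthentication"] == "yes"
            and effective["usepam"] == "yes"):
        findings.append("KbdInteractiveAuthentication yes with UsePAM yes: "
                        "PAM's keyboard-interactive prompt still collects the password")
    if effective["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication off: clients cannot use keys "
                        "instead of passwords")
    return effective, findings


# Constructed sample configurations (not taken from any real host).
DISTRO_DEFAULT = """\
# Stock-style config: password auth left at its default, PAM enabled.
Include /etc/ssh/sshd_config.d/*.conf
UsePAM yes
X11Forwarding yes
"""

HALF_HARDENED = """\
# The common mistake: PasswordAuthentication off, but PAM keyboard-interactive
# still prompts for (and receives) the password.
PasswordAuthentication no
UsePAM yes
"""

HARDENED = """\
PubkeyAuthentication yes
PasswordAuthentication = no
KbdInteractiveAuthentication no
UsePAM yes
# A later duplicate does not re-enable anything: sshd keeps the first value.
PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in [("distro default", DISTRO_DEFAULT),
                      ("half hardened", HALF_HARDENED),
                      ("hardened", HARDENED)]:
        _, findings = password_exposure(cfg)
        print(f"{name}: {'no password path' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

The half-hardened case is the one worth remembering: on a PAM-enabled build, `PasswordAuthentication no` alone still lets the client type a password into the keyboard-interactive prompt, and the remote sshd (or its PAM stack) sees it just as plainly.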

