[vox-tech] sshd_config and PasswordAuthentication

Jay Strauss me at heyjay.com
Thu Jul 7 13:53:46 PDT 2005



Micah J. Cowan wrote:
> On Thu, Jul 07, 2005 at 10:57:53AM -0500, Jay Strauss wrote:
> 
>>>No, SSH never passes password across the net in cleartext. They are sent to
>>>the remote host when using this option, which means that unless you have a
>>>different password for each host, a malicious remote administrator could
>>>capture your password and then use if to compromise your other accounts.
>>
>>Feeling a bit stupid but I still don't understand what you mean
>>
>>If I ssh from A to sveasoft - the password is encrypted
>>If I then ssh from sveasoft to C - the password is cleartext?
> 
> 
> No. The ssh password is always tunneled, but it's tunnelled "cleartext".
> This means that a sysadmin at sveasoft could rig their sshd to capture
> the cleartext password to a file, and they could then use it at other
> sites where you use the same password.
> 
> Note that before you ssh'd in, they don't have your password
> unencrypted: they have a password hash.
>

I feel I'm going a little round and round here

Please correct me if I'm wrong, but I think you saying simply is that 
the data that comes out of the far side of the tunnel is clear text?

ie:

me --ssh/encrypted -- sveasoft -- tunnel/cleartext -- box C

BTW, sveasoft is just my own linksys router (at home) running a 
different firmware, you could substitute any linux box in for the sveasoft

But if I ssh to a box that has PasswordAuthentication yes, but then just 
do "vi" and other admin tasks, nothing is clear text between the 2 
computers, including (most importantly) my password.  The tunneling bit 
I'm not too worried about.

Furthermore if I, from the ssh session into my router, in turn ssh to 
another box, everything from box router -> c is encrypted, right?

Jay

Jay


More information about the vox-tech mailing list