[vox-tech] sshd_config and PasswordAuthentication

Micah J. Cowan micah at cowan.name
Thu Jul 7 16:10:47 PDT 2005


On Thu, Jul 07, 2005 at 03:53:46PM -0500, Jay Strauss wrote:
> 
> 
> Micah J. Cowan wrote:
> > On Thu, Jul 07, 2005 at 10:57:53AM -0500, Jay Strauss wrote:
> > 
> >>>No, SSH never passes password across the net in cleartext. They are sent to
> >>>the remote host when using this option, which means that unless you have a
> >>>different password for each host, a malicious remote administrator could
> >>>capture your password and then use it to compromise your other accounts.
> >>
> >>Feeling a bit stupid but I still don't understand what you mean
> >>
> >>If I ssh from A to sveasoft - the password is encrypted
> >>If I then ssh from sveasoft to C - the password is cleartext?
> > 
> > 
> > No. The ssh password is always tunneled, but it's tunnelled "cleartext".
> > This means that a sysadmin at sveasoft could rig their sshd to capture
> > the cleartext password to a file, and they could then use it at other
> > sites where you use the same password.
> > 
> > Note that before you ssh'd in, they don't have your password
> > unencrypted: they have a password hash.
> >
> 
> I feel I'm going a little round and round here
> 
> Please correct me if I'm wrong, but I think what you're saying, simply, is 
> that the data that comes out of the far side of the tunnel is clear text?

That's right. It's not "clear" while it's "in the tunnel".

> ie:
> 
> me --ssh/encrypted -- sveasoft -- tunnel/cleartext -- box C

I think that's right, although I'm not sure I entirely understand what
I'm seeing above... ssh/encrypted and tunnel/cleartext are the same
thing, unless the first one is intended to represent
asymmetric (public/private) key encryption. Assuming
that you're not using asymmetric key
encryption at any point, the password is "cleartext" at every
terminating point in the above (me, sveasoft and box C), but at no point
in between.

> BTW, sveasoft is just my own linksys router (at home) running a 
> different firmware, you could substitute any linux box in for the sveasoft
> 
> But if I ssh to a box that has PasswordAuthentication yes, but then just 
> do "vi" and other admin tasks, nothing is clear text between the 2 
> computers, including (most importantly) my password.  The tunneling bit 
> I'm not too worried about.

No, it's clear text at the destination box, in terms of the sysadmin
(who could potentially read sshd's memory to see what it decrypted, and
hence the decrypted clear-text password), and in terms of the sshd owner
(who may have modified sshd to capture the password after decrypting
it).

> Furthermore if I, from the ssh session into my router, in turn ssh to 
> another box, everything from box router -> c is encrypted, right?

Everything on an ssh connection from any box to any other box is
encrypted. It's the termination points that are the problem
(keylogging/ssh-prog capturing at origin, capturing or sysadmin-snooping
at destination).

The reason why public key cryptography is preferred is that you prove
to the destination box that you are who you say you are, without
allowing the destination box to turn around and "prove" that /it/ is who
/you/ say you are.

What's wrong with PasswordAuthentication in a nutshell is, in order to
authenticate yourself, both you and the destination host know your
password.
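The thread's conclusion is that with PasswordAuthentication the destination host learns your password on every login, so the practical fix is to turn it off in sshd_config and use keys. What follows is an added example, not code from this thread or from OpenSSH itself: a POSIX shell script that reads an sshd_config the way sshd does (keywords case-insensitive, `#` comments ignored, `Key value` and `Key=value` both accepted, the first occurrence of a keyword wins, and an absent keyword takes the compiled-in default, which for PasswordAuthentication is `yes`). The three config files are constructed samples; Match blocks are not modelled, and on a real host `sshd -T` prints the effective configuration and is the authoritative check.

```shell
#!/bin/sh
# Added example (not from the vox-tech thread): determine the effective value
# of an sshd_config keyword and report whether password logins are accepted.
# Rules modelled: keywords are case-insensitive, '#' lines are comments,
# "Key value" and "Key=value" are both accepted, the FIRST occurrence wins,
# and a missing keyword falls back to the default passed by the caller.
# Match blocks are not modelled; `sshd -T` is the authoritative check.

# sshd_effective KEY DEFAULT  (config text on stdin) -> effective value, lowercased
sshd_effective() {
    key=$1
    default=$2
    val=$(awk -v key="$key" '
        { sub(/^[[:space:]]+/, "") }                             # drop leading blanks
        /^#/ || /^$/ { next }                                     # comment or blank line
        { sub(/[[:space:]]*=[[:space:]]*/, " ") }                 # "Key=value" -> "Key value"
        tolower($1) == "match" { exit }                          # global section ends here
        tolower($1) == tolower(key) { print tolower($2); exit }  # first occurrence wins
    ')
    printf '%s\n' "${val:-$default}"
}

# password_auth_enabled  (config text on stdin) -> exit 0 if passwords are accepted.
# OpenSSH's compiled-in default for PasswordAuthentication is "yes".
password_auth_enabled() {
    [ "$(sshd_effective PasswordAuthentication yes)" = yes ]
}

# Constructed sample 1: a stock-looking file that never sets the keyword.
# The commented line looks reassuring, but the default (yes) applies.
WEAK_CFG='# sshd_config (constructed sample)
Port 22
#PasswordAuthentication yes
PubkeyAuthentication yes'

# Constructed sample 2: hardened. Keys only, and keyboard-interactive
# password prompts (the PAM path) are shut off as well.
HARD_CFG='Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password'

# Constructed sample 3: an admin appended "no" to the bottom of a file that
# already said "yes" near the top. sshd keeps the first value, so passwords
# are still accepted; the appended line is dead text.
DUP_CFG='PasswordAuthentication = yes
PubkeyAuthentication yes
PasswordAuthentication no'

# report LABEL  (config text on stdin) -> one human-readable line
report() {
    if password_auth_enabled; then
        echo "$1: PasswordAuthentication is effectively YES (server learns your password on each login)"
    else
        echo "$1: PasswordAuthentication is effectively no"
    fi
}

printf '%s\n' "$WEAK_CFG" | report weak
printf '%s\n' "$HARD_CFG" | report hardened
printf '%s\n' "$DUP_CFG"  | report appended
```

The third sample is the one that bites in practice: editing a file by appending `PasswordAuthentication no` changes nothing if an earlier line already set it, which is why checking the effective value (here, or with `sshd -T` on the host) matters more than grepping for the line.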

