[vox-tech] sshd_config and PasswordAuthentication
Karsten M. Self
kmself at ix.netcom.com
Sun Jul 17 17:40:03 PDT 2005
on Sun, Jul 17, 2005 at 09:43:43AM -0500, Jay Strauss (me at heyjay.com) wrote:
> Karsten M. Self wrote:
> > on Thu, Jul 07, 2005 at 07:43:52AM -0700, Henry House
> > (hajhouse at houseag.com) wrote:
> >
> > > On 2005-07-07, Jay Strauss wrote:
> > >
> > > > Hi,
> > > >
> > > > I have a sveasoft box, and in order to ssh from the sveasoft to
> > > > a target box, the target box must have PasswordAuthentication
> > > > yes in the /etc/ssh/sshd_config file.
> > > >
> > > > I don't understand what that config option actually does. The
> > > > config file has:
> > > >
> > > > # To disable tunneled clear text passwords, change to no here!
> > > >
> > > > Does this mean you can send clear text passwords to login? Does
> > > > this mean that when you build a tunnel, passwords are sent clear
> > > > text to the forwarded app?
>
> >
> > The curious can read the SSH protocols here:
> >
> > http://www.snailbook.com/protocols.html
> >
> > ...which I've done. I've been using SSH for years, but only understand
> > some parts of it vaguely.
> Thanks Karsten. It's a long email; it's going to take me a bit to figure
> out how this impacts me.
Well, the *short* version is:
- SSH (v2) *always* encrypts the channel between the two hosts
participating in a session, prior to any user content being
transmitted over that channel. In SSH v1, it was possible to
request an unencrypted channel, though default behavior was to
encrypt unless otherwise specified.
- When using password authentication, your actual password *is*
transmitted to the remote host. If this remote host cannot be
trusted (it's been compromised, it's a man-in-the-middle), then you
_may_ find your password compromised.
- "Man in the middle" refers to a class of cryptographic attack in
which Eve (the eavesdropper) situates herself between yourself
(Carol) and the host you wish to communicate with (Bob). If you
cannot discriminate between Eve and Bob, you risk disclosure to Eve.
- SSH-key authentication removes the possibility of leaking a password
to Eve, by using a PKI key exchange in the authentication portion of
session setup. This also offers additional levels of control, as
detailed in my earlier email.
So:
- Your password is always (cryptographically) safe from eavesdropping
from outside the channel.
- SSH-key auth removes a few vulnerabilities of password auth,
introduces additional control points, and enables a number of
convenience features (e.g.: ssh-agent).
Mini-shrunk-sort version: Use SSH-key auth with a passphrase and
ssh-agent.
Peace.
--
Karsten M. Self <kmself at ix.netcom.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
You know, maybe FSF should just rebrand emacs as the hurd and stick
a fork() in it...
- Karsten M. Self, on linux-elitists
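Added example (editor's addition, not part of Karsten's or Jay's messages): the sshd_config fragment Jay quoted, with the "tunneled clear text passwords" line, checked and hardened offline. It assumes two documented sshd_config(5) rules: for each keyword sshd uses the FIRST value it reads (so a hardened block placed at the top wins over anything below it), and lines after a "Match" keyword apply only conditionally. The sample config, the temp file names and the function names are constructed for this example. ChallengeResponseAuthentication is set to "no" as well, because with PAM in play a keyboard-interactive prompt can still accept the account password even when PasswordAuthentication is "no".

```shell
#!/bin/sh
# Inspect and harden PasswordAuthentication in an sshd_config, offline.
# Assumptions (per sshd_config(5)): first value for a keyword wins,
# keywords are case-insensitive, "#" starts a comment, "Keyword=value"
# is accepted, and lines after "Match" are conditional.

# Constructed sample: the stock comment Jay quoted plus an explicit "yes".
write_sample_config() {
    cat > "$1" <<'EOF'
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
Port 22
Protocol 2
PasswordAuthentication yes
ChallengeResponseAuthentication yes
Match Address 10.0.0.0/8
    PasswordAuthentication no
EOF
}

# effective_setting FILE KEYWORD DEFAULT
# Prints the global value sshd would use for KEYWORD (DEFAULT if unset).
effective_setting() {
    _file=$1 _key=$(printf '%s' "$2" | tr 'A-Z' 'a-z') _default=$3
    _val=$(awk -v key="$_key" '
        /^[ \t]*#/ { next }                  # comment line
        NF == 0    { next }                  # blank line
        { sub(/=/, " ") }                    # allow Keyword=value form
        tolower($1) == "match" { exit }      # rest is conditional
        tolower($1) == key { print $2; exit } # first value wins
    ' "$_file")
    printf '%s\n' "${_val:-$_default}"
}

# harden_sshd_config IN OUT
# Writes OUT: a key-only auth block first (so it takes precedence), then
# IN with its global lines for those keywords commented out. Match blocks
# are left untouched, since they are conditional overrides.
harden_sshd_config() {
    {
        printf '%s\n' '# Hardened: key-only authentication (first value wins)'
        printf '%s\n' 'PubkeyAuthentication yes'
        printf '%s\n' 'PasswordAuthentication no'
        printf '%s\n' 'ChallengeResponseAuthentication no'
        awk '
            tolower($1) == "match" { in_match = 1 }
            { orig = $0; sub(/=/, " ") }
            !in_match && tolower($1) ~ /^(passwordauthentication|challengeresponseauthentication|pubkeyauthentication)$/ { print "#" orig "  # superseded by hardened block"; next }
            { print orig }
        ' "$1"
    } > "$2"
}

# Demo against the constructed sample.
_tmp=$(mktemp -d)
write_sample_config "$_tmp/sshd_config"
printf 'before: PasswordAuthentication=%s\n' \
    "$(effective_setting "$_tmp/sshd_config" PasswordAuthentication yes)"
harden_sshd_config "$_tmp/sshd_config" "$_tmp/sshd_config.hardened"
printf 'after:  PasswordAuthentication=%s\n' \
    "$(effective_setting "$_tmp/sshd_config.hardened" PasswordAuthentication yes)"
rm -rf "$_tmp"
```

On a real host, `sshd -t -f FILE` validates the syntax and `sshd -T -f FILE` prints the effective values, which is the authoritative check rather than the awk above. Before restarting sshd with password auth off, generate a key with a passphrase (`ssh-keygen`), install it with `ssh-copy-id`, load it into `ssh-agent` with `ssh-add`, and confirm a key-based login from a second session while the first one stays open.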