[vox-tech] sshd_config and PasswordAuthentication

Jay Strauss me at heyjay.com
Mon Jul 18 07:24:56 PDT 2005


Karsten M. Self wrote:
> on Sun, Jul 17, 2005 at 09:43:43AM -0500, Jay Strauss (me at heyjay.com) wrote:
> 
>>Karsten M. Self wrote:
>>
>>>on Thu, Jul 07, 2005 at 07:43:52AM -0700, Henry House 
>>>(hajhouse at houseag.com) wrote:
>>>
>>>
>>>>On 2005-07-07, Jay Strauss wrote:
>>>>
>>>>
>>>>>Hi,
>>>>>
>>>>>I have a sveasoft box, and in order to ssh from the sveasoft to
>>>>>a target box, the target box must have PasswordAuthentication
>>>>>yes in the /etc/ssh/sshd_config file.
>>>>>
>>>>>I don't understand what that config option actually does.  The
>>>>>config file has:
>>>>>
>>>>># To disable tunneled clear text passwords, change to no here!
>>>>>
>>>>>Does this mean you can send clear text passwords to login?  Does
>>>>>this mean that when you build a tunnel, passwords are sent clear
>>>>>text to the forwarded app?
>>
>>>The curious can read the SSH protocols here:
>>>
>>>   http://www.snailbook.com/protocols.html
>>>
>>>...which I've done.  I've been using SSH for years, but only understand
>>>some parts of it vaguely.
> 
>  
> 
>>Thanks Karsten.  It's a long email; it's going to take me a bit to figure 
>>out how this impacts me.
> 
> 
> Well, the *short* version is:
> 
>   - SSH (v2) *always* encrypts the channel between the two hosts
>     participating in a session, prior to any user content being
>     transmitted over that channel.  In SSH v1, it was possible to
>     request an unencrypted channel, though default behavior was to
>     encrypt unless otherwise specified.
> 
>   - When using password authentication, your actual password *is*
>     transmitted to the remote host.  If this remote host cannot be
>     trusted (it's been compromised, it's a man-in-the-middle), then you
>     _may_ find your password compromised.
> 
>   - "Man in the middle" refers to a class of cryptographic attack in
>     which Eve (the eavesdropper) situates herself between yourself
>     (Carol) and the host you wish to communicate with (Bob).  If you
>     cannot discriminate between Eve and Bob, you risk disclosure to Eve.
> 
>   - SSH-key authentication removes the possibility of leaking a password
>     to Eve, by using a PKI key exchange in the authentication portion of
>     session setup.  This also offers additional levels of control, as
>     detailed in my earlier email.
> 
> 
> So:
> 
>   - Your password is always (cryptographically) safe from eavesdropping
>     from outside the channel.
> 
>   - SSH-key auth removes a few vulnerabilities of password auth,
>     introduces additional control points, and enables a number of
>     convenience features (e.g.:  ssh-agent).
> 
> 
> Mini-shrunk-sort version:  Use SSH-key auth with a passphrase and
> ssh-agent.
> 
> 
> Peace.

thanks.  How do you NOT send the password?  Do Carol and Bob 
convert/encrypt their local password for this user, then compare the 
encryptions (maybe it's called a hash in this context)?


Thanks
Jay
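To illustrate the "how do you NOT send the password" question above: the following is an added example, not code from this thread or from OpenSSH. It models the shape of the SSH "publickey" userauth method (RFC 4252, section 7) in Go with the standard library's ed25519. The `Server`, `ClientSign` and `Authenticate` names are this example's own, the session ID is a constructed random value, and the message framing is simplified (no SSH length prefixes).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Simplified model of SSH "publickey" userauth (RFC 4252, section 7): the client
// proves it holds the private key by signing the session identifier plus the
// request fields. Only the public key and signature cross the wire; no password does.
type Server struct {
	sessionID  []byte                       // per-session value both sides know
	authorized map[string]ed25519.PublicKey // user -> authorized public key
}

// signedData is what the signature covers; binding in the session ID means a
// signature captured in one session cannot be replayed into another.
func signedData(sessionID []byte, user string, pub ed25519.PublicKey) []byte {
	var b bytes.Buffer
	b.Write(sessionID)
	b.WriteByte(50) // SSH_MSG_USERAUTH_REQUEST
	b.WriteString(user + "\x00ssh-connection\x00publickey\x00ssh-ed25519\x00")
	b.Write(pub)
	return b.Bytes()
}

// ClientSign is the client's half: the private key never leaves this function.
func ClientSign(sessionID []byte, user string, priv ed25519.PrivateKey) (ed25519.PublicKey, []byte) {
	pub := priv.Public().(ed25519.PublicKey)
	return pub, ed25519.Sign(priv, signedData(sessionID, user, pub))
}

// Authenticate is the server's half: key must be authorized for the user and
// the signature must verify over this session's data.
func (s *Server) Authenticate(user string, pub ed25519.PublicKey, sig []byte) bool {
	want, ok := s.authorized[user]
	if !ok || !bytes.Equal(want, pub) {
		return false
	}
	return ed25519.Verify(pub, signedData(s.sessionID, user, pub), sig)
}

func newSessionID() []byte { id := make([]byte, 32); rand.Read(id); return id }
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := &Server{sessionID: newSessionID(), authorized: map[string]ed25519.PublicKey{"jay": pub}}
	p, sig := ClientSign(srv.sessionID, "jay", priv)
	fmt.Println("key auth accepted:", srv.Authenticate("jay", p, sig)) // true
}
```

Password authentication, by contrast, sends the password itself inside the encrypted channel and the server compares it against its local store; with this method the server only ever sees a signature it can verify but not reuse.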

