Security for SSH

Jamon Camisso jamon.camisso-H217xnMUJC0sA/PxXw9srA at public.gmane.org
Fri Jun 10 19:58:27 UTC 2011


On 06/10/2011 03:46 PM, Stephen wrote:
> On 11-06-10 03:25 PM, Dave Germiquet wrote:
>> I know SSH certificate verification is much better than password
>> verification.
>>
>> However if the password is complex enough, is SSH vulnerable with
>> password verification?
>>
> Until authentication is complete, there is no encryption.
> 
> So you are sending the password unencrypted, and it could be sniffed.

SSH uses Diffie-Hellman
http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange for key
exchange. A password is not sent unencrypted. See
http://tools.ietf.org/html/rfc4253 for more, or try running Wireshark
while connecting to a system with SSH.

Jamon
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
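
The message ordering from RFC 4253 that the reply above points to, as an added example that is not part of the original post: it walks the client side of a handshake and shows that only key-exchange messages travel in cleartext, while the password-carrying USERAUTH_REQUEST (RFC 4252) can only follow NEWKEYS. The sample stream, the function names and the client banner are constructed for illustration, and a cipher other than "none" is assumed.

```python
import struct

# Message numbers from RFC 4253 (transport layer) and RFC 4252 (user auth).
MSG = {5: "SERVICE_REQUEST", 20: "KEXINIT", 21: "NEWKEYS",
       30: "KEXDH_INIT", 31: "KEXDH_REPLY", 50: "USERAUTH_REQUEST"}

def packet(payload: bytes, block: int = 8) -> bytes:
    """Frame a payload as an unencrypted RFC 4253 section 6 packet (no MAC)."""
    pad = block - (5 + len(payload)) % block
    if pad < 4:                      # RFC requires at least 4 padding bytes
        pad += block
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + bytes(pad)

def walk_client_stream(stream: bytes):
    """Return (names of cleartext messages, bytes sent after NEWKEYS)."""
    banner, sep, rest = stream.partition(b"\r\n")
    if not sep or not banner.startswith(b"SSH-2.0-"):
        raise ValueError("not an SSH-2.0 client stream")
    seen, off = [], 0
    while off + 6 <= len(rest):
        length, pad = struct.unpack_from(">IB", rest, off)
        if length < pad + 2 or off + 4 + length > len(rest):
            raise ValueError("malformed cleartext packet")
        msg = rest[off + 5]          # first payload byte is the message number
        seen.append(MSG.get(msg, f"msg {msg}"))
        off += 4 + length
        if msg == 21:                # NEWKEYS: later bytes use the new keys
            break
    return seen, len(rest) - off

# Constructed sample: message bodies are shortened stand-ins, and CIPHERTEXT
# stands in for the encrypted SERVICE_REQUEST and USERAUTH_REQUEST packets.
CIPHERTEXT = bytes(range(64))
SAMPLE = (b"SSH-2.0-ExampleClient\r\n"
          + packet(bytes([20]) + bytes(16))                # KEXINIT (cookie only)
          + packet(bytes([30]) + b"\x00\x00\x00\x01\x02")  # KEXDH_INIT, mpint e
          + packet(bytes([21]))                            # NEWKEYS
          + CIPHERTEXT)

if __name__ == "__main__":
    names, protected = walk_client_stream(SAMPLE)
    print("cleartext messages:", names)
    print("bytes after NEWKEYS:", protected)
```

Run against the client-to-server bytes of a real capture, the same walk stops at NEWKEYS because the length field of every later packet is itself encrypted.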




