Security for SSH

Lennart Sorensen lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Fri Jun 10 20:46:41 UTC 2011


On Fri, Jun 10, 2011 at 03:46:43PM -0400, Stephen wrote:
> On 11-06-10 03:25 PM, Dave Germiquet wrote:
> >I know SSH certificates verification is much better than password
> >verification.
> >
> >However if the password is complex enough, is SSH vulnerable with
> >password verification?
> >
> Until authentication is complete, there is no encryption.
> 
> So you are sending the password unencrypted, and it could be sniffed.

You clearly have no idea how ssh works.

However unless you verify the authenticity of the server when connecting
(which is why the first time you connect to a new server ssh asks you
to do exactly that), you may be sending the password to someone you
shouldn't.

But only you and the server you are talking to can see your password.
So it is really a matter of "Do you trust the server you are talking to?".

-- 
Len Sorensen
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
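
As an added illustration, not part of the original message: the prompt ssh shows on first connect displays the server key's fingerprint, and the check below compares a key in known_hosts format against a fingerprint obtained out of band. The host name, key bytes and trusted fingerprint are constructed sample values; the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct

def parse_known_hosts_line(line):
    """Split a plain (unhashed) known_hosts line into (hosts, key_type, blob)."""
    hosts, key_type, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob begins with a length-prefixed algorithm name that must
    # agree with the key type written in the text of the line.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type in blob does not match the line")
    return hosts.split(","), key_type, blob

def fingerprint(blob):
    """OpenSSH-style fingerprint: SHA-256 of the key blob, base64, no padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def host_key_matches(line, host, trusted_fp):
    """True only if the line names this host and its key has the trusted fingerprint."""
    hosts, _, blob = parse_known_hosts_line(line)
    return host in hosts and hmac.compare_digest(fingerprint(blob), trusted_fp)

def make_line(host, key_bytes):
    """Build a constructed ssh-ed25519 known_hosts line for the demo."""
    name = b"ssh-ed25519"
    blob = (struct.pack(">I", len(name)) + name +
            struct.pack(">I", len(key_bytes)) + key_bytes)
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode('ascii')}"

# Constructed sample data: the genuine server's key and a different key
# presented by some other machine answering for the same host name.
GENUINE = make_line("server.example", bytes(range(32)))
IMPOSTOR = make_line("server.example", bytes(32))
# Stands in for the fingerprint the server's administrator gave you out of band.
TRUSTED_FP = fingerprint(parse_known_hosts_line(GENUINE)[2])

if __name__ == "__main__":
    for label, line in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        ok = host_key_matches(line, "server.example", TRUSTED_FP)
        print(label, fingerprint(parse_known_hosts_line(line)[2]),
              "accept" if ok else "REJECT: do not send a password")
```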




