Security for SSH

Christopher Browne cbbrowne-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Fri Jun 10 20:56:28 UTC 2011


On Fri, Jun 10, 2011 at 7:46 PM, Stephen <stephen-d-bJEeYj9oJeDQT0dZR+AlfA at public.gmane.org> wrote:
> On 11-06-10 03:25 PM, Dave Germiquet wrote:
>>
>> I know SSH certificates verification is much better than password
>> verification.
>>
>> However if the password is complex enough, is SSH vulnerable with password
>> verification?
>>
> Until authentication is complete, there is no encryption.
>
> So you are sending the password unencrypted, and it could be sniffed.

You're partly wrong...

Encryption most certainly *IS* used, throughout.  (Well, unless you
suppress it, which can be done by suitably dumb mucking around with
configuration.)

But you could be passing your password, albeit encrypted, to someone
that you didn't intend to give it to.

The problem isn't that it "could be sniffed" - that is more than
likely not possible.

Instead, you might give your password, encrypted, to someone that has
the key to decrypt data to get it, and that someone mightn't be
someone to whom you wanted to entrust your password.

A warning is given, in such cases, with the whole "The authenticity of
host xxxxxxx can't be established...  Are you sure you want to
continue connecting (yes/no)?" exchange.
-- 
When confronted by a difficult problem, solve it by reducing it to the
question, "How would the Lone Ranger handle this?"
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
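The "authenticity of host ... can't be established" prompt above is only useful if the fingerprint it shows can be compared against a record the user trusts. The following is an added example, not code from the thread: it parses a constructed known_hosts text (including an OpenSSH-style hashed `|1|salt|hash` entry), computes the `SHA256:` fingerprint OpenSSH would print for a key blob, and looks up a host name. The key blob, host names and salt are all made up for the demonstration.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the raw key blob, base64 without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_matches(pattern: str, host: str) -> bool:
    """True if a known_hosts host field (plain, comma list, or |1|salt|hash) names host."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in pattern.split(",")


def lookup(known_hosts: str, host: str) -> Optional[tuple]:
    """Return (key type, fingerprint) for the first entry naming host, else None."""
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        if host_matches(fields[0], host):
            return fields[1], fingerprint(fields[2])
    return None


# Constructed key blob: NOT a real key, just 32 fixed bytes wrapped in the
# ssh-ed25519 wire layout so the fingerprint computation can be exercised.
FAKE_PUBKEY = base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))).decode()
SALT = bytes(20)  # constructed salt for the hashed entry
HASHED_HOST = "|1|" + base64.b64encode(SALT).decode() + "|" + base64.b64encode(
    hmac.new(SALT, b"example.internal", hashlib.sha1).digest()).decode()

KNOWN_HOSTS = f"""# constructed sample known_hosts
bastion.example.org,10.0.0.5 ssh-ed25519 {FAKE_PUBKEY}
{HASHED_HOST} ssh-ed25519 {FAKE_PUBKEY}
"""

if __name__ == "__main__":
    for h in ("bastion.example.org", "10.0.0.5", "example.internal", "unknown.host"):
        print(h, "->", lookup(KNOWN_HOSTS, h))
```

A host that is absent from the file is the case where the client has nothing to compare against and falls back to the interactive prompt quoted in the message.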




