Security for SSH

Robert Brockway robert-5LEc/6Zm6xCUd8a0hrldnti2O/JbrIOy at public.gmane.org
Tue Jun 14 04:18:26 UTC 2011


On Fri, 10 Jun 2011, Dave Germiquet wrote:

> Thanks everyone for your input. :)
>
> I understand now why Certificates are sometimes used for security.

It's worth noting that if you accept the public key of the remote host 'in 
band' when you first connect you are susceptible to a 'man-in-the-middle' 
attack (MITM).  This is only true the first time you connect.

If you are really paranoid you can send the key 'out of band' using some 
method which presumably authenticates the remote host and have SSH refuse 
to accept remote host keys in band.  In practice few people do this - even 
among those who understand the crypto involved, most will accept the small 
risk of a MITM.

Cheers,

Rob

> On Fri, Jun 10, 2011 at 4:56 PM, Christopher Browne <cbbrowne-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>wrote:
>
>> On Fri, Jun 10, 2011 at 7:46 PM, Stephen <stephen-d-bJEeYj9oJeDQT0dZR+AlfA at public.gmane.org> wrote:
>>> On 11-06-10 03:25 PM, Dave Germiquet wrote:
>>>>
>>>> I know SSH certificates verification is much better than password
>>>> verification.
>>>>
>>>> However if the password is complex enough, is SSH vulnerable with
>> password
>>>> verification?
>>>>
>>> Until authentication is complete, there is no encryption.
>>>
>>> So you are sending the password unencrypted, and it could be sniffed.
>>
>> You're partly wrong...
>>
>> Encryption most certainly *IS* used, throughout.  (Well, unless you
>> suppress it, which can be done by suitably dumb mucking around with
>> configuration.)
>>
>> But you could be passing your password, albeit encrypted, to someone
>> that you didn't intend to give it to.
>>
>> The problem isn't that it "could be sniffed" - that is more than
>> likely not possible.
>>
>> Instead, you might give your password, encrypted, to someone that has
>> the key to decrypt data to get it, and that someone mightn't be
>> someone to whom you wanted to entrust your password.
>>
>> A warning is given, in such cases, with the whole "The authenticity of
>> host xxxxxxx can't be established...  Are you sure you want to
>> continue connecting (yes/no)?" exchange.
>> --
>> When confronted by a difficult problem, solve it by reducing it to the
>> question, "How would the Lone Ranger handle this?"
>> --
>> The Toronto Linux Users Group.      Meetings: http://gtalug.org/
>> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
>> How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
>>

-- 
Email: robert-5LEc/6Zm6xCUd8a0hrldnti2O/JbrIOy at public.gmane.org		Linux counter ID #16440
IRC: Solver (OFTC & Freenode)
Web: http://www.practicalsysadmin.com
Contributing member of Software in the Public Interest (http://spi-inc.org/)
Open Source: The revolution that silently changed the world
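The out-of-band check Rob describes, as an added example that is not part of the original thread or of any poster's code: the script below takes the output of `ssh-keyscan`, computes each key's OpenSSH-style `SHA256:` fingerprint (base64 of SHA-256 over the raw key blob, padding stripped), compares it against a fingerprint obtained some other way (server console, a signed inventory), and only emits a `known_hosts` line when they agree. The host name `example.test` and the key material are constructed placeholders, not a real host or key; the "out-of-band" fingerprint is derived from that placeholder in the block only so the example runs offline.

```python
import base64
import hashlib
import hmac
import struct


class KeyMismatch(Exception):
    """Raised when a scanned host key does not match the out-of-band fingerprint."""


def ssh_fingerprint(key_blob: bytes) -> str:
    # OpenSSH "SHA256:" fingerprints are the base64 of SHA-256 over the raw
    # wire-format key blob, with the trailing '=' padding removed.
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_keyscan_line(line: str):
    # ssh-keyscan prints "host keytype base64blob" lines plus '#' comment lines
    # carrying the server banner; comments and blank lines carry no key.
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 3:
        raise ValueError(f"malformed keyscan line: {line!r}")
    host, keytype, b64 = parts[:3]
    blob = base64.b64decode(b64, validate=True)
    # The blob's first length-prefixed string is the key type; if it disagrees
    # with the declared type the line is corrupt rather than a usable key.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode("ascii"):
        raise ValueError("key type inside blob does not match declared type")
    return host, keytype, blob


def verify_host_keys(keyscan_output: str, expected: dict) -> list:
    """Return known_hosts lines only for keys whose fingerprint matches the
    out-of-band reference in `expected` (keytype -> "SHA256:..."); raise
    KeyMismatch on any disagreement. Key types with no reference are skipped
    rather than trusted on the strength of the in-band value alone."""
    accepted = []
    for line in keyscan_output.splitlines():
        parsed = parse_keyscan_line(line)
        if parsed is None:
            continue
        host, keytype, blob = parsed
        if keytype not in expected:
            continue
        got = ssh_fingerprint(blob)
        if not hmac.compare_digest(got.encode("ascii"), expected[keytype].encode("ascii")):
            raise KeyMismatch(f"{host} {keytype}: got {got}, expected {expected[keytype]}")
        accepted.append(f"{host} {keytype} {base64.b64encode(blob).decode('ascii')}")
    return accepted


def host_keys_match(keyscan_output: str, expected: dict) -> bool:
    """Boolean form of verify_host_keys for callers that just want go/no-go."""
    try:
        verify_host_keys(keyscan_output, expected)
    except KeyMismatch:
        return False
    return True


# --- constructed sample data: placeholder bytes, not a real key ---
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode("ascii")
SAMPLE_KEYSCAN = (
    "# example.test:22 SSH-2.0-OpenSSH\n"
    f"example.test ssh-ed25519 {SAMPLE_B64}\n"
)
# Stand-in for the fingerprint read from the server console or a signed
# inventory; in real use this value never comes from the connection itself.
GOOD_FP = ssh_fingerprint(SAMPLE_BLOB)
KNOWN_HOSTS_LINE = f"example.test ssh-ed25519 {SAMPLE_B64}"

# Same host name, last key byte flipped: a substituted key that must be rejected.
TAMPERED_BLOB = SAMPLE_BLOB[:-1] + bytes([SAMPLE_BLOB[-1] ^ 0x01])
TAMPERED_KEYSCAN = (
    f"example.test ssh-ed25519 {base64.b64encode(TAMPERED_BLOB).decode('ascii')}\n"
)

if __name__ == "__main__":
    print(verify_host_keys(SAMPLE_KEYSCAN, {"ssh-ed25519": GOOD_FP}))
    print(host_keys_match(TAMPERED_KEYSCAN, {"ssh-ed25519": GOOD_FP}))
```

The lines `verify_host_keys` returns are what you append to `~/.ssh/known_hosts` before the first connection; with `StrictHostKeyChecking yes` in `ssh_config`, ssh then refuses any host key that is not already in that file, which is the "refuse to accept remote host keys in band" behaviour Rob mentions. The comparison uses `hmac.compare_digest` out of habit rather than necessity, since fingerprints are public values.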