Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 01 Jan 1998 23:57:37 +0000
From:      Brian Somers <brian@awfulhak.org>
To:        Jay Nelson <jdn@acp.qiv.com>
Cc:        Steve Hovey <shovey@buffnet.net>, questions@freebsd.org
Subject:   Re: ssh trust (was Re: HACKED (again)) 
Message-ID:  <199801012357.XAA01930@awfulhak.demon.co.uk>
In-Reply-To: Your message of "Thu, 01 Jan 1998 12:29:52 CST." <Pine.BSF.3.96.980101122136.954A-100000@acp.qiv.com> 

next in thread | previous in thread | raw e-mail | index | archive | help
> On Thu, 1 Jan 1998, Steve Hovey wrote:
> 
>     > 
>     > I personally dont trust ssh - I have no other reason not to trust it than
>     > that I suffered a root incursion once shortly after installing it - since
>     > it was the last thing in, I did not reinstall it when I rebuilt the
>     > system.
> 
> When we installed ssh, we tested and checked against a dump. Normal
> telnet login sends the password 1 character per packet -- fairly easy
> to pick out of a dump. Ssh, though, collects the entire password,
> encrypts it and sends one packet. If we weren't using a target machine
> with no other activity, we would likely have missed it. 

Errrum, that's not true AFAIK.  Ssh's authentication is challenge 
based - it goes something like this:

The server sends some random data, the client encrypts it using his 
private key, his machines private key and the servers public key and 
sends the answer to the server.  The server decrypts it using its 
private key, the client machines public key and the clients public 
key, then compares it against the original.  Someone watching the 
conversation will be none the wiser.

I'm sure it's more complicated than this too :-)

> -- Jay
> 

-- 
Brian <brian@Awfulhak.org>, <brian@FreeBSD.org>, <brian@OpenBSD.org>
      <http://www.Awfulhak.org>;
Don't _EVER_ lose your sense of humour....





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199801012357.XAA01930>