From owner-freebsd-questions Thu Jan 1 21:39:00 1998
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id VAA09400 for questions-outgoing; Thu, 1 Jan 1998 21:39:00 -0800 (PST) (envelope-from owner-freebsd-questions)
Received: from tok.qiv.com (miwcbtXGa+mfzCslWGxDJeRGmPoFmlEV@[204.214.141.211]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id VAA09390 for ; Thu, 1 Jan 1998 21:38:54 -0800 (PST) (envelope-from jdn@acp.qiv.com)
Received: (from uucp@localhost) by tok.qiv.com (8.8.8/8.8.5) with UUCP id XAA08716; Thu, 1 Jan 1998 23:38:44 -0600 (CST)
Received: from localhost (jdn@localhost) by acp.qiv.com (8.8.8/8.8.5) with SMTP id XAA05019; Thu, 1 Jan 1998 23:35:16 -0600 (CST)
Date: Thu, 1 Jan 1998 23:35:15 -0600 (CST)
From: Jay Nelson
To: Brian Somers
cc: Steve Hovey , questions@freebsd.org
Subject: Re: ssh trust (was Re: HACKED (again))
In-Reply-To: <199801012357.XAA01930@awfulhak.demon.co.uk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

You could be right. Two of us checked the dumps and we were none the
wiser. One of us tailed the dump while the other logged in. All we saw
was the one packet leaving after the password was entered. After that,
all was encrypted garbage. Our conclusion was that it was far better
to use ssh than not.

I think I may look at ssh more closely. Thanks

-- Jay

On Thu, 1 Jan 1998, Brian Somers wrote:

> > On Thu, 1 Jan 1998, Steve Hovey wrote:
> >
> > >
> > > I personally don't trust ssh - I have no other reason not to trust it than
> > > that I suffered a root incursion once shortly after installing it - since
> > > it was the last thing in, I did not reinstall it when I rebuilt the
> > > system.
> >
> > When we installed ssh, we tested and checked against a dump. Normal
> > telnet login sends the password 1 character per packet -- fairly easy
> > to pick out of a dump. Ssh, though, collects the entire password,
> > encrypts it and sends one packet. If we weren't using a target machine
> > with no other activity, we would likely have missed it.
>
> Errrum, that's not true AFAIK. Ssh's authentication is challenge
> based - it goes something like this:
>
> The server sends some random data, the client encrypts it using his
> private key, his machine's private key and the server's public key and
> sends the answer to the server. The server decrypts it using its
> private key, the client machine's public key and the client's public
> key, then compares it against the original. Someone watching the
> conversation will be none the wiser.
>
> I'm sure it's more complicated than this too :-)
>
> > -- Jay
> >
>
> --
> Brian , ,
>
> Don't _EVER_ lose your sense of humour....
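
A simplified model of the two login styles discussed in this thread, added as an example; it is not part of the original messages and is not ssh's own code. It assumes an HMAC over a shared key in place of the public-key operations Brian describes, and the names `Server`, `client_response` and `run_demo` are hypothetical. It shows that bytes captured from a static password login work a second time, while a captured answer to one challenge fails against the next.

```python
import hashlib
import hmac
import secrets

class Server:
    """Toy login server; HMAC stands in for ssh's public-key operations."""

    def __init__(self, key: bytes, password: bytes):
        self._key, self._password, self._pending = key, password, None

    def password_login(self, password: bytes) -> bool:
        # telnet-style: the credential itself crosses the wire
        return hmac.compare_digest(password, self._password)

    def challenge(self) -> bytes:
        # fresh random data for every login attempt
        self._pending = secrets.token_bytes(32)
        return self._pending

    def verify(self, response: bytes) -> bool:
        if self._pending is None:
            return False
        expected = hmac.new(self._key, self._pending, hashlib.sha256).digest()
        self._pending = None  # a challenge is good for one answer only
        return hmac.compare_digest(expected, response)

def client_response(key: bytes, challenge: bytes) -> bytes:
    return hmac.new(key, challenge, hashlib.sha256).digest()

def run_demo() -> dict:
    # constructed sample credentials
    key, password = secrets.token_bytes(32), b"constructed-password"
    server = Server(key, password)

    # Login 1: static password. The "dump" is what a packet capture would hold.
    pw_dump = [password]
    pw_ok = server.password_login(pw_dump[0])
    pw_replay = server.password_login(pw_dump[0])  # same bytes work again

    # Login 2: challenge-response. Only the challenge and answer are captured.
    c1 = server.challenge()
    cr_dump = [c1, client_response(key, c1)]
    cr_ok = server.verify(cr_dump[1])
    server.challenge()                     # next login gets a new challenge
    cr_replay = server.verify(cr_dump[1])  # old answer no longer matches

    return {"pw_ok": pw_ok, "pw_replay": pw_replay, "cr_ok": cr_ok,
            "cr_replay": cr_replay, "key_in_dump": key in cr_dump}

if __name__ == "__main__":
    print(run_demo())
```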