Date: Mon, 8 Mar 2010 14:27:42 -0600 From: Noel Jones <noeldude@gmail.com> To: Angelin Lalev <lalev.angelin@gmail.com> Cc: freebsd-questions@freebsd.org Subject: Re: [OT] ssh security Message-ID: <cce506b1003081227m2b02bab1w1dc59c6f4b676834@mail.gmail.com> In-Reply-To: <532b03711003071325j9ab3c98u703b31abdc7ea8fe@mail.gmail.com> References: <532b03711003071325j9ab3c98u703b31abdc7ea8fe@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, Mar 7, 2010 at 3:25 PM, Angelin Lalev <lalev.angelin@gmail.com> wrote: > Greetings, > > I'm doing some research into ssh and its underlying cryptographic > methods and I have questions. I don't know whom else to ask and humbly > ask for forgiveness if I'm way OT. > > So, SSH uses algorithms like ssh-dss or ssh-rsa to do key exchange. > These algorithms can defeat any attempts on eavesdropping, but cannot > defeat man-in-the-middle attacks. To defeat them, some pre-shared > information is needed - key fingerprint. > > If hypothetically someone uses instead of the plain text > authentication some challenge-response scheme, based on user's > password or even a hash of user's password would ssh be able to avoid > the need the user to have key fingerprints of the server prior the > first connection? Hypothetically, SSH could use a zero-knowledge authentication method such as SRP[1]. Until new code is written for ssh to take advantage of something like this, we're stuck with what's available. -- Noel Jones [1] http://srp.stanford.edu/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?cce506b1003081227m2b02bab1w1dc59c6f4b676834>