Date: Thu, 01 Jan 1998 23:57:37 +0000
From: Brian Somers <brian@awfulhak.org>
To: Jay Nelson <jdn@acp.qiv.com>
Cc: Steve Hovey <shovey@buffnet.net>, questions@freebsd.org
Subject: Re: ssh trust (was Re: HACKED (again))
Message-ID: <199801012357.XAA01930@awfulhak.demon.co.uk>
In-Reply-To: Your message of "Thu, 01 Jan 1998 12:29:52 CST." <Pine.BSF.3.96.980101122136.954A-100000@acp.qiv.com>

> On Thu, 1 Jan 1998, Steve Hovey wrote:
>
> > I personally don't trust ssh - I have no other reason not to trust it than
> > that I suffered a root incursion once shortly after installing it - since
> > it was the last thing in, I did not reinstall it when I rebuilt the
> > system.
>
> When we installed ssh, we tested and checked against a dump. Normal
> telnet login sends the password 1 character per packet -- fairly easy
> to pick out of a dump. Ssh, though, collects the entire password,
> encrypts it and sends one packet. If we weren't using a target machine
> with no other activity, we would likely have missed it.

Errrum, that's not true AFAIK. Ssh's authentication is challenge
based - it goes something like this:

The server sends some random data, the client encrypts it using his
private key, his machine's private key and the server's public key and
sends the answer to the server. The server decrypts it using its
private key, the client machine's public key and the client's public key,
then compares it against the original.

Someone watching the conversation will be none the wiser.

I'm sure it's more complicated than this too :-)

> -- Jay
>

--
Brian <brian@Awfulhak.org>, <brian@FreeBSD.org>, <brian@OpenBSD.org>
      <http://www.Awfulhak.org>
Don't _EVER_ lose your sense of humour....
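
The challenge-based idea described in the message above, as an added example that is not part of the original e-mail and is not ssh's wire protocol: a fresh random challenge is answered with proof of a private key, so a response recorded off the wire fails when replayed at the next challenge. It assumes an Ed25519 signature as a stand-in for the key operations the message describes; Server, Respond and Demo are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server knows the user's public key and the one challenge currently outstanding.
type Server struct {
	userKey   ed25519.PublicKey
	challenge []byte
}

// NewChallenge issues 32 fresh random bytes for this login attempt.
func (s *Server) NewChallenge() []byte {
	s.challenge = make([]byte, 32)
	if _, err := rand.Read(s.challenge); err != nil {
		panic(err)
	}
	return s.challenge
}

// Verify checks the response against the outstanding challenge, which is single-use.
func (s *Server) Verify(response []byte) bool {
	c := s.challenge
	s.challenge = nil
	return c != nil && ed25519.Verify(s.userKey, c, response)
}

// Respond is the client side: prove possession of the private key by signing.
func Respond(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// Demo runs one honest login, then replays the captured response at a new challenge.
func Demo() (honest, replay bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	srv := &Server{userKey: pub}
	captured := Respond(priv, srv.NewChallenge()) // what a passive observer records
	honest = srv.Verify(captured)
	srv.NewChallenge() // the next login attempt gets a different challenge
	return honest, srv.Verify(captured)
}

func main() { fmt.Println(Demo()) }
```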