From: Angelin Lalev <lalev.angelin@gmail.com>
To: freebsd-questions@freebsd.org
Date: Sun, 7 Mar 2010 23:25:04 +0200
Message-ID: <532b03711003071325j9ab3c98u703b31abdc7ea8fe@mail.gmail.com>
Subject: [OT] ssh security

Greetings,

I'm doing some research into ssh and its underlying cryptographic methods and I have questions. I don't know whom else to ask and humbly ask for forgiveness if I'm way OT.

So, SSH uses algorithms like ssh-dss or ssh-rsa to do key exchange. These algorithms can defeat any attempts at eavesdropping, but cannot defeat man-in-the-middle attacks. To defeat them, some pre-shared information is needed - the key fingerprint.

If, hypothetically, someone used, instead of the plain text authentication, some challenge-response scheme based on the user's password or even a hash of the user's password, would ssh be able to avoid the need for the user to have the key fingerprint of the server prior to the first connection?
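As an added example (editor's illustration, not part of the original post), the question above can be simulated: a password challenge-response that is computed only over the challenge can be passed straight through by a party that has interposed itself in an unauthenticated key exchange, whereas one that also covers the negotiated session key (channel binding, the role the session ID plays in SSH's own authentication) fails because the two legs end up with different keys. The Diffie-Hellman group, password and function names are constructed for the demonstration and are far too small for real use.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for illustration only (far too small
# for real use): a Mersenne prime modulus and a fixed generator.
P = 2**127 - 1
G = 5
# Stand-in for whatever the server stores for the user's password (constructed).
PASSWORD_HASH = hashlib.sha256(b"constructed-example-password").digest()

def dh_keypair():
    """Return (private exponent, public value) for one party."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def session_key(priv, peer_pub):
    """Derive a session key from the shared DH secret (P fits in 16 bytes)."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def respond(challenge, key, bound):
    """Client's answer: HMAC over the challenge and, if bound, also over the
    session key the client negotiated (channel binding)."""
    msg = challenge + (key if bound else b"")
    return hmac.new(PASSWORD_HASH, msg, hashlib.sha256).digest()

def verify(challenge, response, key, bound):
    """Server recomputes the expected answer using its own session key."""
    return hmac.compare_digest(response, respond(challenge, key, bound))

def run(bound, mitm):
    """Simulate one login; return True if the server accepts the client."""
    a, A = dh_keypair()   # client
    b, B = dh_keypair()   # server
    if mitm:
        # An interposer runs two separate exchanges, so the two endpoints
        # hold different session keys without either noticing.
        m1, M1 = dh_keypair()
        m2, M2 = dh_keypair()
        k_client, k_server = session_key(a, M1), session_key(b, M2)
    else:
        k_client, k_server = session_key(a, B), session_key(b, A)
    challenge = secrets.token_bytes(16)
    response = respond(challenge, k_client, bound)
    # Challenge and response are forwarded unchanged between the two legs.
    return verify(challenge, response, k_server, bound)
```

Only the bound variant lets the server notice that the client's channel is not the server's channel; the unbound variant authenticates the user but says nothing about who is on the other end of the connection.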