From: Angelin Lalev
To: freebsd-questions@freebsd.org
Date: Sun, 7 Mar 2010 23:28:58 +0200
Subject: Re: [OT] ssh security

On Sun, Mar 7, 2010 at 11:25 PM, Angelin Lalev wrote:
> Greetings,
>
> I'm doing some research into ssh and its underlying cryptographic
> methods and I have questions. I don't know whom else to ask and humbly
> ask for forgiveness if I'm way OT.
>
> So, SSH uses algorithms like ssh-dss or ssh-rsa to do key exchange.
> These algorithms can defeat any attempts at eavesdropping, but cannot
> defeat man-in-the-middle attacks. To defeat them, some pre-shared
> information is needed - key fingerprint.
>
> If hypothetically someone uses instead of the plain text
> authentication some challenge-response scheme, based on user's
> password or even a hash of user's password would ssh be able to avoid
> the need for the user to have key fingerprints of the server prior to the
> first connection?
>

To clarify, we as users do anyway have a shared secret with the server, and that's the authentication password. Why could we not use that instead of, or in addition to, a key fingerprint?
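
The idea raised in the message, tying the already-shared password to the key exchange so that the server is authenticated without a pre-distributed fingerprint, as an added example that is not part of the original e-mail and is not how SSH itself works. The toy group, salt, iteration count and all function names are assumptions made for the demo; it shows that a password-keyed MAC over each side's view of the exchanged public values stops matching once a middle party substitutes keys.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for this demo (far too small for real use).
P = 2**127 - 1
G = 3

def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def transcript(client_pub, server_pub):
    """Hash of the public values one endpoint saw during key exchange."""
    return hashlib.sha256(b"%d|%d" % (client_pub, server_pub)).digest()

def password_key(password, salt=b"constructed-salt"):
    """Derive a MAC key from the shared password (hypothetical parameters)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def proof(key, role, transcript_hash):
    """MAC over a role label and the transcript, keyed by the password."""
    return hmac.new(key, role + transcript_hash, hashlib.sha256).digest()

def run_exchange(client_password, server_password, intercepted=False):
    """Return (client_accepts_server, server_accepts_client)."""
    _, c_pub = dh_keypair()
    _, s_pub = dh_keypair()
    if intercepted:
        # A middle party has replaced the public value in each direction,
        # so the two endpoints hold different transcripts.
        client_view = transcript(c_pub, dh_keypair()[1])
        server_view = transcript(dh_keypair()[1], s_pub)
    else:
        client_view = server_view = transcript(c_pub, s_pub)
    c_key = password_key(client_password)
    s_key = password_key(server_password)
    # Each side sends a proof over its own view; the peer recomputes it
    # over what it saw. Proofs relayed unchanged fail if the views differ.
    server_proof = proof(s_key, b"server", server_view)
    client_proof = proof(c_key, b"client", client_view)
    client_accepts = hmac.compare_digest(
        server_proof, proof(c_key, b"server", client_view))
    server_accepts = hmac.compare_digest(
        client_proof, proof(s_key, b"client", server_view))
    return client_accepts, server_accepts

if __name__ == "__main__":
    print(run_exchange("hunter2", "hunter2"))
    print(run_exchange("hunter2", "hunter2", intercepted=True))
```

A plain password-keyed MAC like this hands anyone who receives a proof the material to test password guesses offline; password-authenticated key exchange protocols such as SRP exist to avoid that.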