From: Noel Jones
To: Angelin Lalev
Cc: freebsd-questions@freebsd.org
Date: Mon, 8 Mar 2010 14:27:42 -0600
Subject: Re: [OT] ssh security

On Sun, Mar 7, 2010 at 3:25 PM, Angelin Lalev wrote:
> Greetings,
>
> I'm doing some research into ssh and its underlying cryptographic
> methods and I have questions. I don't know whom else to ask and humbly
> ask for forgiveness if I'm way OT.
>
> So, SSH uses algorithms like ssh-dss or ssh-rsa to do key exchange.
> These algorithms can defeat any attempts on eavesdropping, but cannot
> defeat man-in-the-middle attacks. To defeat them, some pre-shared
> information is needed - key fingerprint.
>
> If hypothetically someone uses instead of the plain text
> authentication some challenge-response scheme, based on user's
> password or even a hash of user's password would ssh be able to avoid
> the need for the user to have key fingerprints of the server prior to
> the first connection?

Hypothetically, SSH could use a zero-knowledge authentication method
such as SRP[1]. Until new code is written for ssh to take advantage of
something like this, we're stuck with what's available.

-- 
Noel Jones

[1] http://srp.stanford.edu/
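
The exchange SRP performs, as an added example that is not part of either message and is not code from OpenSSH or the SRP project: both sides prove knowledge of the password (client) or its verifier (server), so the client can reject an impostor server without a host-key fingerprint. The names `enroll`, `exchange` and `H`, the toy group, and the simplified hash encoding are assumptions of this sketch, which follows the SRP-6a equations.

```python
import hashlib
import secrets

# Toy group for illustration only: a Mersenne prime that is easy to write down.
# Real SRP uses the safe-prime groups published in RFC 5054.
N = 2**521 - 1
g = 3

def H(*parts) -> int:
    """Hash ints/bytes together (length-prefixed) into an integer via SHA-256."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        h.update(len(p).to_bytes(4, "big") + p)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def enroll(user: bytes, password: bytes):
    """Done once: the server stores (salt, v), never the password itself."""
    salt = secrets.token_bytes(16)
    x = H(salt, user, password)
    return salt, pow(g, x, N)

def exchange(user: bytes, typed_password: bytes, salt: bytes, server_v: int):
    """One login. Returns (client_ok, server_ok): did each side accept the other?"""
    # Client -> server: user, A
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    # Server -> client: salt, B (g^b masked with the stored verifier)
    b = secrets.randbelow(N - 2) + 1
    B = (k * server_v + pow(g, b, N)) % N
    if A % N == 0 or B % N == 0:
        raise ValueError("degenerate public value, abort the handshake")
    u = H(A, B)
    # Client derives the session key from the password that was typed
    x = H(salt, user, typed_password)
    S_c = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K_c = H(S_c)
    # Server derives it from the verifier it holds
    S_s = pow(A * pow(server_v, u, N) % N, b, N)
    K_s = H(S_s)
    # Key confirmation in both directions; neither message reveals the password
    M1 = H(A, B, K_c)                 # client -> server
    server_ok = M1 == H(A, B, K_s)
    M2 = H(A, M1, K_s)                # server -> client
    client_ok = M2 == H(A, M1, K_c)
    return client_ok, server_ok
```

The verifier still has to reach the real server over a trusted channel at enrollment, and a stolen verifier allows offline password guessing, so SRP moves the trust bootstrap from the host-key fingerprint to the password.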