From owner-freebsd-security  Thu Feb 15 20:37:43 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82])
	by hub.freebsd.org (Postfix) with ESMTP id A5B4A37B4EC
	for <freebsd-security@freebsd.org>; Thu, 15 Feb 2001 20:37:40 -0800 (PST)
Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168]) by mailhost01.reflexnet.net  with Microsoft SMTPSVC(5.5.1877.197.19);
	 Thu, 15 Feb 2001 20:35:47 -0800
Received: (from cjc@localhost)
	by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.1) id f1G4bUg74255;
	Thu, 15 Feb 2001 20:37:30 -0800 (PST)
	(envelope-from cjc)
Date: Thu, 15 Feb 2001 20:37:24 -0800
From: "Crist J. Clark" <cjclark@reflexnet.net>
To: Jan Conrad <conrad@th.physik.uni-bonn.de>
Cc: Kris Kennaway <kris@obsecurity.org>,
	freebsd-security@FreeBSD.ORG,
	Ralph Schreyer <schreyer@th.physik.uni-bonn.de>
Subject: Re: Why does openssh protocol default to 2?
Message-ID: <20010215203724.X62368@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu
References: <20010215033410.A86524@mollari.cthul.hu> <Pine.BSF.4.33.0102151309060.41000-100000@merlin.th.physik.uni-bonn.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <Pine.BSF.4.33.0102151309060.41000-100000@merlin.th.physik.uni-bonn.de>; from conrad@th.physik.uni-bonn.de on Thu, Feb 15, 2001 at 01:18:45PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Feb 15, 2001 at 01:18:45PM +0100, Jan Conrad wrote:
> On Thu, 15 Feb 2001, Kris Kennaway wrote:
> 
> > On Thu, Feb 15, 2001 at 12:30:20PM +0100, Jan Conrad wrote:

[snip]

> > > My problem simply is that the id_dsa file is stored in user home dirs,
> > > which typically are mounted via NFS. So ssh2, in contrast to ssh1 with
> > > RSAAuthentication disabled, allows sniffers to access your system even
> > > without *actively* attacking your system, all you need is the id_dsa
> > > file....
> > >
> > > Even if that file is protected by a passphrase, you don't gain much...
> >
> > I don't understand your complaint.  If you don't want to use SSH2 with
> > RSA/DSA keys, don't do that.  Use the UNIX password or some other PAM
> > authentication module (OPIE, etc)
> 
> Sorry - I did not want to complain... (really :-)
> 
> What would you suggest for NFS mounted home dirs as a reasonable solution?
> (To store keys I mean..)

I am still trying to understand why you believe that SSH1 is somehow
more secure than SSH2. You can disable DSA-key authentication in the
same way you can disable RSA-keys. You can read the RSA stuff a user
has in .ssh just as easily as the DSA stuff when the home directory is
an NFS volume.
-- 
Crist J. Clark                           cjclark@alum.mit.edu


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message