Date: Thu, 15 Feb 2001 20:37:24 -0800 From: "Crist J. Clark" <cjclark@reflexnet.net> To: Jan Conrad <conrad@th.physik.uni-bonn.de> Cc: Kris Kennaway <kris@obsecurity.org>, freebsd-security@FreeBSD.ORG, Ralph Schreyer <schreyer@th.physik.uni-bonn.de> Subject: Re: Why does openssh protocol default to 2? Message-ID: <20010215203724.X62368@rfx-216-196-73-168.users.reflex> In-Reply-To: <Pine.BSF.4.33.0102151309060.41000-100000@merlin.th.physik.uni-bonn.de>; from conrad@th.physik.uni-bonn.de on Thu, Feb 15, 2001 at 01:18:45PM %2B0100 References: <20010215033410.A86524@mollari.cthul.hu> <Pine.BSF.4.33.0102151309060.41000-100000@merlin.th.physik.uni-bonn.de>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Feb 15, 2001 at 01:18:45PM +0100, Jan Conrad wrote: > On Thu, 15 Feb 2001, Kris Kennaway wrote: > > > On Thu, Feb 15, 2001 at 12:30:20PM +0100, Jan Conrad wrote: [snip] > > > My problem simply is that the id_dsa file is stored in user home dirs, > > > which typically are mounted via NFS. So ssh2, in contrast to ssh1 with > > > RSAAuthentication disabled, allows sniffers to access your system even > > > without *actively* attacking your system, all you need is the id_dsa > > > file.... > > > > > > Even if that file is protected by a passphrase, you don't gain much... > > > > I don't understand your complaint. If you don't want to use SSH2 with > > RSA/DSA keys, don't do that. Use the UNIX password or some other PAM > > authentication module (OPIE, etc) > > Sorry - I did not want to complain... (really :-) > > What would you suggest for NFS mounted home dirs as a reasonable solution? > (To store keys I mean..) I am still trying to understand why you believe that SSH1 is somehow more secure than SSH2. You can disable DSA-key authentication in the same way you can disable RSA-keys. You can read the RSA stuff a user has in .ssh just as easily as the DSA stuff when the home directory is an NFS volume. -- Crist J. Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010215203724.X62368>