From owner-freebsd-security Thu Feb 15 20:40:57 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-64-165-226-49.dsl.lsan03.pacbell.net [64.165.226.49]) by hub.freebsd.org (Postfix) with ESMTP id 40A7E37B491 for ; Thu, 15 Feb 2001 20:40:53 -0800 (PST) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id BA9AD66E6A; Thu, 15 Feb 2001 20:40:52 -0800 (PST) Date: Thu, 15 Feb 2001 20:40:52 -0800 From: Kris Kennaway To: cjclark@alum.mit.edu Cc: Jan Conrad , Kris Kennaway , freebsd-security@FreeBSD.ORG, Ralph Schreyer Subject: Re: Why does openssh protocol default to 2? Message-ID: <20010215204052.A28966@mollari.cthul.hu> References: <20010215033410.A86524@mollari.cthul.hu> <20010215203724.X62368@rfx-216-196-73-168.users.reflex> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="zhXaljGHf11kAtnf" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010215203724.X62368@rfx-216-196-73-168.users.reflex>; from cjclark@reflexnet.net on Thu, Feb 15, 2001 at 08:37:24PM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --zhXaljGHf11kAtnf Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Feb 15, 2001 at 08:37:24PM -0800, Crist J. Clark wrote: > On Thu, Feb 15, 2001 at 01:18:45PM +0100, Jan Conrad wrote: > > On Thu, 15 Feb 2001, Kris Kennaway wrote: > >=20 > > > On Thu, Feb 15, 2001 at 12:30:20PM +0100, Jan Conrad wrote: >=20 > [snip] >=20 > > > > My problem simply is that the id_dsa file is stored in user home di= rs, > > > > which typically are mounted via NFS. So ssh2, in contrast to ssh1 w= ith > > > > RSAAuthentication disabled, allows sniffers to access your system e= ven > > > > without *actively* attacking your system, all you need is the id_dsa > > > > file.... > > > > > > > > Even if that file is protected by a passphrase, you don't gain much= ... > > > > > > I don't understand your complaint. If you don't want to use SSH2 with > > > RSA/DSA keys, don't do that. Use the UNIX password or some other PAM > > > authentication module (OPIE, etc) > >=20 > > Sorry - I did not want to complain... (really :-) > >=20 > > What would you suggest for NFS mounted home dirs as a reasonable soluti= on? > > (To store keys I mean..) >=20 > I am still trying to understand why you believe that SSH1 is somehow > more secure than SSH2. You can disable DSA-key authentication in the > same way you can disable RSA-keys. You can read the RSA stuff a user > has in .ssh just as easily as the DSA stuff when the home directory is > an NFS volume. An alternative is to use IPSEC with ESP to protect the NFS traffic, which defends against the more general problem of people sniffing NFS traffic, if you're worried about that. Kris --zhXaljGHf11kAtnf Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6jK9UWry0BWjoQKURAiGwAKDGgnnFtbz2snO5c+GP49W4M470+gCePj0c 4pak7adOFE2j9egG2gUSkq4= =PXLn -----END PGP SIGNATURE----- --zhXaljGHf11kAtnf-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message