From owner-freebsd-questions@FreeBSD.ORG Wed Mar 10 00:38:58 2010 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6A6031065674 for ; Wed, 10 Mar 2010 00:38:58 +0000 (UTC) (envelope-from liontaur@gmail.com) Received: from mail-bw0-f216.google.com (mail-bw0-f216.google.com [209.85.218.216]) by mx1.freebsd.org (Postfix) with ESMTP id F00258FC0C for ; Wed, 10 Mar 2010 00:38:57 +0000 (UTC) Received: by bwz8 with SMTP id 8so3819525bwz.3 for ; Tue, 09 Mar 2010 16:38:57 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:content-type; bh=ydl/MUAuvd/ZasIPrs7TMvPLGhKYn2KYfLVD5dmKixs=; b=HjMI+Ut+dki5V7gJ5RXEi1h4v4JA2uBjXJDwn2taJKN7c7E3+GCvX5P/nyc6Y4Na3R xhPZuMZmJmj46FVSTUAKT6jxiJsFjYHE1Y49QFpIEknQ3xQBGWxgIv8adNfJZEgIFy6w kMIgTihpZNbOkTaGYn4rr7snEkUR/tmCzbOBQ= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; b=inK3Td87DPIpQXoFKx7lJRDPqI0TqvGS2nrVsor3ercsVVAIQLPasknCTz3Ul6D8gl TF1wicd1aB6z+KDd3TUz4fIq2Vj/oRV67CiiXS5imNmQK+mPTPyBpr11GysM+2Ih5pNY CvPij+ocYC1tj1Z/86tIIk6fBj8DQCZPYVSS8= MIME-Version: 1.0 Received: by 10.204.3.10 with SMTP id 10mr767880bkl.35.1268181536873; Tue, 09 Mar 2010 16:38:56 -0800 (PST) In-Reply-To: <201003090848.o298mBSN079005@banyan.cs.ait.ac.th> References: <532b03711003071325j9ab3c98u703b31abdc7ea8fe@mail.gmail.com> <4b960747.T7FO5AkwXJGAGApg%perryh@pluto.rain.com> <201003090848.o298mBSN079005@banyan.cs.ait.ac.th> Date: Tue, 9 Mar 2010 16:38:56 -0800 Message-ID: From: Liontaur To: freebsd-questions@freebsd.org Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: Re: [OT] ssh security X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Mar 2010 00:38:58 -0000 On Tue, Mar 9, 2010 at 12:48 AM, Olivier Nicole wrote: > > What happened to Diffie-Hellman? Last I heard, its whole point was > > to enable secure communication, protected from both eavesdropping > > and MIM attacks, between systems having no prior trust relationship > > (e.g. any sort of pre-shared secret). What stops the server and > > client from establishing a Diffie-Hellman session and using it to > > perform the key exchange? > > I am not expert in cryptography, but logic tends to tell me that is I > have no prior knowledge about the person I am about to talk to, > anybody (MIM) could pretend to be that person. > > The pre-shared information need not to be secret (key fingerprints are > not secret), but there is need for pre-shared trusted information. > But to some extent, we setup and configure these machines ourselves. So when we're adding users could we not have an additional field with something like a phrase/answer or something else like that? Obviously it could be completely optional but it would be kind of neat and probably not too difficult to implement. Mark