Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 29 Jun 1999 12:05:22 -0400 (EDT)
From:      Barrett Richardson <barrett@phoenix.aye.net>
To:        "Vladimir Mencl, MK, susSED" <mencl@nenya.ms.mff.cuni.cz>
Cc:        security@FreeBSD.ORG
Subject:   Re: ssh from windows
Message-ID:  <Pine.BSF.4.01.9906291129050.27462-100000@phoenix.aye.net>
In-Reply-To: <Pine.SO4.4.05.9906290827060.2031-100000@nenya>

next in thread | previous in thread | raw e-mail | index | archive | help


On Tue, 29 Jun 1999, Vladimir Mencl, MK, susSED wrote:

> > Oh. The client encrypts it with the public key sent by the server - but
> > the server's private key isn't passphrase protected (it is, however,
> > readable only by root -- unless you change it).
> 
>    I'm afraid you are wrong. The RSA keys stored on disk are used for
> host authentication only. Passwords (and all other session data) are
> encrypted by a ``session key'', which is generated every (?3?) hours,
> and is not stored anywhere. And is not bound to RSA, the session
> encryption uses other encryption algorithms (with not that much
> overhead). Like blowfish, idea ... and I think, it generally uses
> shorter keys.
> 

Well, I haven't actually studied the code -- but, if RSA authentication
fails, there is no way the server can securely send a session key back
to the client -- nor can the client securely send it to the server
without RSA. The client can, however, use the server's public key to seal
the password or session key in a RSA envelope in a secure manner and send
it to the server.

To answer the original posters question, if the server's public key is
not used to create an RSA envelope, then yes, a password (or session key)
is transmitted in clear text -- and I was indeed wrong. But ... the
man page says that no password informtion is transmitted in the clear
and the aforementioned use of the server's public key is the only
way that can be accomplished.

--

Barrett



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.01.9906291129050.27462-100000>