Date: Tue, 29 Jun 1999 12:05:22 -0400 (EDT) From: Barrett Richardson <barrett@phoenix.aye.net> To: "Vladimir Mencl, MK, susSED" <mencl@nenya.ms.mff.cuni.cz> Cc: security@FreeBSD.ORG Subject: Re: ssh from windows Message-ID: <Pine.BSF.4.01.9906291129050.27462-100000@phoenix.aye.net> In-Reply-To: <Pine.SO4.4.05.9906290827060.2031-100000@nenya>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 29 Jun 1999, Vladimir Mencl, MK, susSED wrote: > > Oh. The client encrypts it with the public key sent by the server - but > > the server's private key isn't passphrase protected (it is, however, > > readable only by root -- unless you change it). > > I'm afraid you are wrong. The RSA keys stored on disk are used for > host authentication only. Passwords (and all other session data) are > encrypted by a ``session key'', which is generated every (?3?) hours, > and is not stored anywhere. And is not bound to RSA, the session > encryption uses other encryption algorithms (with not that much > overhead). Like blowfish, idea ... and I think, it generally uses > shorter keys. > Well, I haven't actually studied the code -- but, if RSA authentication fails, there is no way the server can securely send a session key back to the client -- nor can the client securely send it to the server without RSA. The client can, however, use the server's public key to seal the password or session key in a RSA envelope in a secure manner and send it to the server. To answer the original posters question, if the server's public key is not used to create an RSA envelope, then yes, a password (or session key) is transmitted in clear text -- and I was indeed wrong. But ... the man page says that no password informtion is transmitted in the clear and the aforementioned use of the server's public key is the only way that can be accomplished. -- Barrett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.01.9906291129050.27462-100000>