Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 15 Feb 2001 20:40:52 -0800
From:      Kris Kennaway <kris@obsecurity.org>
To:        cjclark@alum.mit.edu
Cc:        Jan Conrad <conrad@th.physik.uni-bonn.de>, Kris Kennaway <kris@obsecurity.org>, freebsd-security@FreeBSD.ORG, Ralph Schreyer <schreyer@th.physik.uni-bonn.de>
Subject:   Re: Why does openssh protocol default to 2?
Message-ID:  <20010215204052.A28966@mollari.cthul.hu>
In-Reply-To: <20010215203724.X62368@rfx-216-196-73-168.users.reflex>; from cjclark@reflexnet.net on Thu, Feb 15, 2001 at 08:37:24PM -0800
References:  <20010215033410.A86524@mollari.cthul.hu> <Pine.BSF.4.33.0102151309060.41000-100000@merlin.th.physik.uni-bonn.de> <20010215203724.X62368@rfx-216-196-73-168.users.reflex>

next in thread | previous in thread | raw e-mail | index | archive | help

--zhXaljGHf11kAtnf
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Feb 15, 2001 at 08:37:24PM -0800, Crist J. Clark wrote:
> On Thu, Feb 15, 2001 at 01:18:45PM +0100, Jan Conrad wrote:
> > On Thu, 15 Feb 2001, Kris Kennaway wrote:
> >=20
> > > On Thu, Feb 15, 2001 at 12:30:20PM +0100, Jan Conrad wrote:
>=20
> [snip]
>=20
> > > > My problem simply is that the id_dsa file is stored in user home di=
rs,
> > > > which typically are mounted via NFS. So ssh2, in contrast to ssh1 w=
ith
> > > > RSAAuthentication disabled, allows sniffers to access your system e=
ven
> > > > without *actively* attacking your system, all you need is the id_dsa
> > > > file....
> > > >
> > > > Even if that file is protected by a passphrase, you don't gain much=
...
> > >
> > > I don't understand your complaint.  If you don't want to use SSH2 with
> > > RSA/DSA keys, don't do that.  Use the UNIX password or some other PAM
> > > authentication module (OPIE, etc)
> >=20
> > Sorry - I did not want to complain... (really :-)
> >=20
> > What would you suggest for NFS mounted home dirs as a reasonable soluti=
on?
> > (To store keys I mean..)
>=20
> I am still trying to understand why you believe that SSH1 is somehow
> more secure than SSH2. You can disable DSA-key authentication in the
> same way you can disable RSA-keys. You can read the RSA stuff a user
> has in .ssh just as easily as the DSA stuff when the home directory is
> an NFS volume.

An alternative is to use IPSEC with ESP to protect the NFS traffic,
which defends against the more general problem of people sniffing NFS
traffic, if you're worried about that.

Kris

--zhXaljGHf11kAtnf
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6jK9UWry0BWjoQKURAiGwAKDGgnnFtbz2snO5c+GP49W4M470+gCePj0c
4pak7adOFE2j9egG2gUSkq4=
=PXLn
-----END PGP SIGNATURE-----

--zhXaljGHf11kAtnf--


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010215204052.A28966>