Re: ssh

From: -l0rt- (simon@snosoft.com)
Date: 02/06/02


Date: Wed, 6 Feb 2002 15:45:57 -0500 (EST)
From: -l0rt- <simon@snosoft.com>
To: Jose Nazario <jose@biocserver.BIOC.cwru.edu>

Hmm,
        Thank you for the quick response (that was way fast). I guess my
exact questions would be:

Assuming that I use strong passwords, is password auth using ssh2 sshd
3.1.0 considered insecure?

-l0rt-

---------------------------------------------------------------------
Disclaimer: Any resemblance between the above views and those of
my employer, my terminal, or the view out my window are purely
coincidental. Any resemblance between the above and my own views is
non-deterministic. The question of the existence of views in the
absence of anyone to hold them is left as an exercise for the reader.
The question of the existence of the reader is left as an exercise for
the second god coefficient. (A discussion of non-orthogonal,
non-integral polytheism is beyond the scope of this article.)
---------------------------------------------------------------------

On Wed, 6 Feb 2002, Jose Nazario wrote:

> On Wed, 6 Feb 2002, -l0rt- wrote:
>
> > When using password auth, how difficult would it be for someone
> > to sniff my connection and extract/crack my password? I only ask
> > because someone mentioned that it would not be too difficult. What
> > are the primary differences between password auth and pubkey? Is using
> > password auth really that much less secure? Please give me the
> > details..
>
> i covered these topics in a recent linux journal piece i wrote:
>
> http://www.linuxjournal.com/article.php?sid=5672
>
> briefly:
>
> o password recovery from password authentication
> http://www.openwall.com/advisories/OW-003-ssh-traffic-analysis.txt
>
> in a nutshell, the exact length of the password used in SSH-1.5 (protocol)
> can be observed by an eavesdropper. then, using a password cracker, they
> can improve their efficiency and speed things up by a factor of 50 at the
> outside. note that this isn't terribly huge if you have a strong password,
> but it can be noticeable. secondly, this doesn't affect SSH-2 (the
> protocol).
>
> o differences between password and public key auth
>
> ssh can use DSA or RSA keys for authentication. the client sends, rather
> than a password, a reply encrypted with your private key, which your
> public key (which the server has been told about by you) can decrypt. you
> are now verified, as only your key could have done that. these keys are
> protected on your system, typically, by using a passphrase.
>
> a great discussion of how to do this is:
>
> http://www-106.ibm.com/developerworks/library/l-keyc.html
>
> to compare these two methods of authentication, password and public key,
> is pretty simple in many respects. first, the search space for passwords
> is significantly smaller than that for ssh RSA/DSA keypairs. secondly, you
> can protect your ssh identity with longer passphrases, which are typically
> stronger, all things being equal. the risk here is a compromise of your
> host to capture the key (either an unprotected key or a capture of your
> passphrase or a capture of the stored key in your agent). good host
> security will help protect against this.
>
> in a nutshell, look at public key authentication using SSH-2 (not
> SSH-1.5), as i discuss in my LJ piece (where i looked at the attacks in
> the year 2001 against the ssh toolset and make some recommendations),
> written to answer these kinds of questions.
>
> all the best,
>
> ____________________________
> jose nazario jose@cwru.edu
> PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
> PGP key ID 0xFD37F4E5 (pgp.mit.edu)
>
>
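
Added example (not part of either poster's message): a small check of a server configuration against the advice quoted above, i.e. SSH-2 only with public key authentication rather than passwords. It assumes an OpenSSH-style sshd_config and the OpenSSH defaults of that period; the function names and both sample configurations are constructed for illustration.

```python
# Audit an OpenSSH-style sshd_config against the thread's advice:
# SSH-2 only, public key auth on, password auth off. (Added example.)
# Assumption: period OpenSSH defaults, applied when a keyword is absent.
DEFAULTS = {
    "protocol": "2,1",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def effective_settings(config_text):
    """Return the effective global value of each audited keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        parts = line.split(None, 1)
        keyword = parts[0].lower()        # keywords are case-insensitive
        if keyword == "match":
            break                         # conditional blocks are not global
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        # sshd keeps the first value it obtains; later duplicates are ignored.
        seen.setdefault(keyword, value)
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}


def audit(config_text):
    """List the points where the configuration departs from the advice."""
    s = effective_settings(config_text)
    findings = []
    if "1" in [v.strip() for v in s["protocol"].split(",")]:
        findings.append("SSH-1 enabled (Protocol %s)" % s["protocol"])
    if s["passwordauthentication"] != "no":
        findings.append("password authentication enabled")
    if s["pubkeyauthentication"] != "yes":
        findings.append("public key authentication disabled")
    return findings


# Constructed sample configurations, not taken from any real host.
WEAK = "#Protocol 2\nPasswordAuthentication yes\npasswordauthentication no\n"
HARDENED = "Protocol 2\nPasswordAuthentication no\nPubkeyAuthentication yes\n"

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text) or "ok")
```

The weak sample shows two easy mistakes: a commented-out Protocol line leaves the default in force, and a second PasswordAuthentication line does not override the first.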


