Re: Difference between "PasswordAuthentication yes" and "AllowedAuthentication password" ?

From: Richard E. Silverman (res_at_qoxp.net)
Date: 08/01/05

    Date: 01 Aug 2005 15:20:56 -0400
    
    

    >>>>> "hw" == h wulff <zuhause@aol.com> writes:

        hw> Hello, AFAIK the "PasswordAuthentication yes" enables cleartext
        hw> passwords.

    The user authentication protocol is carried inside an SSH transport
    session, which is normally encrypted -- so this does enable cleartext
    passwords, at least as far as the network is concerned. It does reveal
    the password to the server, which is a weakness publickey authentication
    avoids.

        hw> But what happens to the passwd if AllowedAuthentication is
        hw> password and PasswordAuthentication is no?

    You haven't said what software you're using, or whether you're talking
    about the client or the server... and, this sentence is
    self-contradictory: "AllowedAuthentications" is a Tectia keyword, while
    "PasswordAuthentication" belongs to OpenSSH.

    However, I don't think it much matters to answer your specific question.
    These various keywords in either product do not affect what happens to the
    password: it is encrypted if and only if the underlying SSH session uses
    encryption.

    -- 
      Richard Silverman
      res@qoxp.net
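
An added example, not part of the original message: a small check that reports, for a given product, whether a server configuration switches password authentication on and which lines use the other product's keyword. The names `OWNER`, `settings`, `audit` and `MIXED` are hypothetical; the keyword ownership comes from the reply above, the first-occurrence rule is OpenSSH's documented behaviour and is assumed for Tectia, and OpenSSH `Match` blocks are not evaluated. Neither result says anything about encryption of the password in transit, which depends only on the SSH transport.

```python
import re

# Keyword ownership as stated in the reply above.
OWNER = {
    "passwordauthentication": "openssh",
    "allowedauthentications": "tectia",
}

def settings(text):
    """Yield (lineno, keyword, value) from the global part of a config file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Accept "Keyword value" and "Keyword=value"; keywords are case-insensitive.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":  # OpenSSH conditional blocks are out of scope here
            break
        yield lineno, keyword, parts[1].strip() if len(parts) > 1 else ""

def audit(text, product):
    """Report the password-authentication setting for `product` and the lines
    whose keyword belongs to the other product."""
    enabled, foreign = None, []  # None: not set in this file, product default applies
    for lineno, keyword, value in settings(text):
        owner = OWNER.get(keyword)
        if owner is None:
            continue
        if owner != product:
            foreign.append((lineno, keyword))
        elif enabled is None:  # first occurrence wins (assumed for Tectia)
            if product == "openssh":
                enabled = value.lower() == "yes"
            else:
                methods = [m.strip().lower() for m in value.split(",")]
                enabled = "password" in methods
    return {"password_enabled": enabled, "foreign": foreign}

# Constructed sample: the mixed configuration the question describes.
MIXED = """\
# constructed sample, not from a real host
AllowedAuthentications password
PasswordAuthentication no
"""

if __name__ == "__main__":
    for product in ("openssh", "tectia"):
        print(product, audit(MIXED, product))
```
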
    
