Re: Password camouflage in SSH, version 1

• Previous message: Augustus SFX van Dusen: "Password camouflage in SSH, version 1"
• In reply to: Augustus SFX van Dusen: "Password camouflage in SSH, version 1"
• Next in thread: Richard E. Silverman: "Re: Password camouflage in SSH, version 1"
• Reply: Richard E. Silverman: "Re: Password camouflage in SSH, version 1"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: 12 Oct 2005 17:23:42 +0100 (BST)

Augustus SFX van Dusen <ASFXvD@story.net> wrote:
> Now the password packet is transferred after the SSH handshake is
> complete - therefore, encrypted. More importantly, SSH clients can (as
> OpenSSH's does) pad the actual password with null characters to the right,
> thus hiding the password length: Attackers will be able to determine the
> maximum number of characters that the password being transferred could
> possibly have, but that's all. This seems to be a far less cumbersome way
> of hiding the password length.

But it has the disadvantage that it isn't technically correct
according to the SSH protocol definition. A server might perfectly
validly treat those NULs as part of the password, and reject your
login because the password didn't match the stored one. Some
actually do this. It so happens that _most_ servers are written in C
and hence treat NULs as end-of-string unless painstakingly told not
to, but that behaviour isn't mandated by the standard (in fact
strictly speaking you could probably argue that it's a _violation_
of the standard).

PuTTY will fall back to that approach if it knows it's dealing with
a server which can't handle our standards-compliant strategy, of
which there are also a few.

-- 
Simon Tatham         "infinite loop _see_ loop, infinite"
<anakin@pobox.com>     - Index, Borland Pascal Language Guide

• Previous message: Augustus SFX van Dusen: "Password camouflage in SSH, version 1"
• In reply to: Augustus SFX van Dusen: "Password camouflage in SSH, version 1"
• Next in thread: Richard E. Silverman: "Re: Password camouflage in SSH, version 1"
• Reply: Richard E. Silverman: "Re: Password camouflage in SSH, version 1"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: why>? ... it's a component in the standard office installation; ... to use a 'standard office install' feature if there's not even any ... That's nice when running things on the server. ... Calculations aren't the same thing as reports unless you (and I'll ... (microsoft.public.excel) RE: Suggestions please for what POP or IMAP servers to use ... There's nothing wrong with writing an extremely strict standard. ... If your server implementation is so strict that most clients have ... Microsoft tested stuff like IE7 against Apache during IE7 development, ... (freebsd-questions) Re: Can not create the object Site, SLP and MP in Active Directory ... MVP Windows Server System - SMS ... >> MVP Windows Server System - SMS ... >>> Logon to the NG1 domain and create a System Management container under ... >>> Standard ... (microsoft.public.sms.setup) Re: Can not create the object Site, SLP and MP. ... MVP Windows Server System - SMS ... > System Management container under System, did not know if I needed to do ... > Checking configuration information for server: NGRCSMS00. ... (microsoft.public.sms.admin) Re: SBS Transition Pack ... My standard response on running the transition pack: ... Before you run the Transition Pack there are a few steps you should take to ... Disconnect the server from the internet completely. ... Just make sure you have the matching TP version to your SBS ... (microsoft.public.windows.server.sbs)