This is the mail archive of the
cygwin@cygwin.com
mailing list for the Cygwin project.
Re: ssh Authentication--RSA/Password
- To: cygwin at cygwin dot com
- Subject: Re: ssh Authentication--RSA/Password
- From: "Karl M" <karlm30 at hotmail dot com>
- Date: Sat, 07 Apr 2001 05:17:36 -0700
Hi Corinna...
I looked there and I guess that I missed it. Can you give me a specific
pointer, or something I can get a unique search with? If not, I will track
it down later.
Thanks,
...Karl
>From: Corinna Vinschen <cygwin@cygwin.com>
>To: cygwin@cygwin.com
>Subject: Re: ssh Authentication--RSA/Password
>Date: Thu, 5 Apr 2001 09:58:18 +0200
>
>On Wed, Apr 04, 2001 at 04:58:41PM -0400, Christopher Faylor wrote:
> > On Wed, Apr 04, 2001 at 01:04:02PM -0700, Karl M wrote:
> > >Hi Corinna and All...
> > >
> > >Consider the following...Suppose sshd were modified so that password
> > >authentication could succeed only if RSA authentication had almost
>succeeded
> > >(meaning that the RSA authentication itself succeeded but the setuid
> > >failed). Then the authentication sequence might look something like
>this:
> > >
> > >Client and server try RSA authentication.
> > >
> > >Server detects that RSA authentication succeeded but the setuid failed
>and
> > >sets a flag to remember this fact.
> > >
> > >Server tells client that RSA authentication failed.
> > >
> > >Client and server try password authentication.
> > >
> > >Server checks the flag and only allows success if the flag is set. This
> > >might be controlled by setting passwordAuthentication to "maybe"
>instead of
> > >the usual "yes" or "no" in sshd_config.
> > >
> > >The result is that I have typed both a passphrase and a password
>correctly
> > >in order to get in. This means that for any attacks by a listener on
>the
> > >internet, I have the security of RSA authentication--which I believe is
> > >better than most passwords. I also have the password needed to make
>life
> > >good (and easy) in the NT world.
> > >
> > >Do you see any security holes?
> > >
> > >Would this be of general interest?
> >
> > Sounds like a question for the openssh mailing list. I doubt that
>anyone
> > here besides Corinna can really answer this.
>
>A few days ago somebody posted a patch into the openssh-unix-dev
>mailing list which allows forcing multiple authentication methods.
>RSA + Password authentication is just one way then. I don't know
>if it will be applied, though.
>
>Corinna
>
>--
>Corinna Vinschen Please, send mails regarding Cygwin to
>Cygwin Developer mailto:cygwin@cygwin.com
>Red Hat, Inc.
>
>--
>Want to unsubscribe from this list?
>Check out: http://cygwin.com/ml/#unsubscribe-simple
>
_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com
--
Want to unsubscribe from this list?
Check out: http://cygwin.com/ml/#unsubscribe-simple