This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]

Re: ssh Authentication--RSA/Password


On Wed, Apr 04, 2001 at 01:04:02PM -0700, Karl M wrote:
>Hi Corinna and All...
>
>Consider the following...Suppose sshd were modified so that password 
>authentication could succeed only if RSA authentication had almost succeeded 
>(meaning that the RSA authentication itself succeeded but the setuid 
>failed). Then the authentication sequence might look something like this:
>
>Client and server try RSA authentication.
>
>Server detects that RSA authentication succeeded but the setuid failed and 
>sets a flag to remember this fact.
>
>Server tells client that RSA authentication failed.
>
>Client and server try password authentication.
>
>Server checks the flag and only allows success if the flag is set. This 
>might be controlled by setting passwordAuthentication to "maybe" instead of 
>the usual "yes" or "no" in sshd_config.
>
>The result is that I have typed both a passphrase and a password correctly 
>in order to get in. This means that for any attacks by a listener on the 
>internet, I have the security of RSA authentication--which I believe is 
>better than most passwords. I also have the password needed to make life 
>good (and easy) in the NT world.
>
>Do you see any security holes?
>
>Would this be of general interest?

Sounds like a question for the openssh mailing list.  I doubt that anyone
here besides Corinna can really answer this.

cgf

--
Want to unsubscribe from this list?
Check out: http://cygwin.com/ml/#unsubscribe-simple


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]