Mail Archives: cygwin/2001/04/04/18:09:42

Mailing-List: contact cygwin-help AT sourceware DOT cygnus DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT sources DOT redhat DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT sources DOT redhat DOT com>
List-Help: <mailto:cygwin-help AT sources DOT redhat DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT sources DOT redhat DOT com
Delivered-To: mailing list cygwin AT sources DOT redhat DOT com
Date: Wed, 4 Apr 2001 16:58:41 -0400
From: Christopher Faylor <cgf AT redhat DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: ssh Authentication--RSA/Password
Message-ID: <20010404165841.A4546@redhat.com>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <F193Y0VnkB4ltFlmmlQ000014b2 AT hotmail DOT com>
Mime-Version: 1.0
User-Agent: Mutt/1.3.11i
In-Reply-To: <F193Y0VnkB4ltFlmmlQ000014b2@hotmail.com>; from karlm30@hotmail.com on Wed, Apr 04, 2001 at 01:04:02PM -0700

On Wed, Apr 04, 2001 at 01:04:02PM -0700, Karl M wrote:
>Hi Corinna and All...
>
>Consider the following...Suppose sshd were modified so that password 
>authentication could succeed only if RSA authentication had almost succeeded 
>(meaning that the RSA authentication itself succeeded but the setuid 
>failed). Then the authentication sequence might look something like this:
>
>Client and server try RSA authentication.
>
>Server detects that RSA authentication succeeded but the setuid failed and 
>sets a flag to remember this fact.
>
>Server tells client that RSA authentication failed.
>
>Client and server try password authentication.
>
>Server checks the flag and only allows success if the flag is set. This 
>might be controlled by setting passwordAuthentication to "maybe" instead of 
>the usual "yes" or "no" in sshd_config.
>
>The result is that I have typed both a passphrase and a password correctly 
>in order to get in. This means that for any attacks by a listener on the 
>internet, I have the security of RSA authentication--which I believe is 
>better than most passwords. I also have the password needed to make life 
>good (and easy) in the NT world.
>
>Do you see any security holes?
>
>Would this be of general interest?

Sounds like a question for the openssh mailing list.  I doubt that anyone
here besides Corinna can really answer this.

cgf

--
Want to unsubscribe from this list?
Check out: http://cygwin.com/ml/#unsubscribe-simple
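The authentication sequence Karl sketches above, as an added example that is not part of the original thread and not code from OpenSSH or Cygwin. It models only the server-side state machine: a per-connection flag that is set when the public-key proof verifies but the server cannot switch to the user without a password, and a `PasswordAuthentication maybe` mode in which password authentication is honoured only once that flag is set. The "RSA" step is a stand-in: a keyed HMAC over a server challenge replaces a real RSA signature so the example runs with the standard library alone, and the `USERS` table, the `setuid_needs_password` attribute and all account data are constructed for the example. Passwords are passed as bytes.

```python
import hashlib
import hmac
import secrets

# Constructed sample accounts (assumption, not real data). "key" is a shared
# secret standing in for the user's RSA private key.
USERS = {
    "karl": {
        "key": b"stand-in for karl's RSA private key",
        "password_sha256": hashlib.sha256(b"correct horse battery").hexdigest(),
        # The Cygwin-on-NT case from the thread: sshd cannot switch to this
        # user without the NT password, so a verified key alone cannot finish.
        "setuid_needs_password": True,
    },
    "unix": {
        "key": b"stand-in for a Unix user's RSA private key",
        "password_sha256": hashlib.sha256(b"hunter2").hexdigest(),
        "setuid_needs_password": False,
    },
}


def client_sign(key, challenge):
    """Client half of the challenge/response that stands in for an RSA signature."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Server:
    """Per-connection authentication state for the proposal in the thread."""

    def __init__(self, password_authentication="maybe"):
        if password_authentication not in ("yes", "no", "maybe"):
            raise ValueError("PasswordAuthentication must be yes, no or maybe")
        self.mode = password_authentication
        self.sessions = {}

    def open_session(self, user):
        sid = secrets.token_hex(8)
        self.sessions[sid] = {
            "user": user,
            "challenge": secrets.token_bytes(32),
            "rsa_ok_setuid_failed": False,  # the flag from the proposal
        }
        return sid

    def challenge(self, sid):
        return self.sessions[sid]["challenge"]

    def try_rsa(self, sid, proof):
        s = self.sessions[sid]
        rec = USERS.get(s["user"])
        if rec is None:
            return "failed"
        expected = client_sign(rec["key"], s["challenge"])
        if not hmac.compare_digest(expected, proof):
            return "failed"
        if not rec["setuid_needs_password"]:
            return "success"  # ordinary Unix behaviour: the key alone is enough
        # Key verified but the user switch would fail: remember that on this
        # connection only, and report failure so the client falls through to
        # password authentication.
        s["rsa_ok_setuid_failed"] = True
        return "failed"

    def try_password(self, sid, password):
        s = self.sessions[sid]
        rec = USERS.get(s["user"])
        if rec is None or self.mode == "no":
            return "failed"
        if self.mode == "maybe" and not s["rsa_ok_setuid_failed"]:
            return "failed"  # in "maybe" mode a password alone is never enough
        digest = hashlib.sha256(password).hexdigest()
        if hmac.compare_digest(digest, rec["password_sha256"]):
            return "success"
        return "failed"


def login(server, user, key=None, password=None):
    """Client's usual method order: public key first, then password."""
    sid = server.open_session(user)
    if key is not None:
        proof = client_sign(key, server.challenge(sid))
        if server.try_rsa(sid, proof) == "success":
            return "success"
    if password is not None:
        return server.try_password(sid, password)
    return "failed"
```

The flag lives in the per-connection session record, so a key proof on one connection cannot unlock password authentication on another, and the client is told "failed" after a verified key exactly as the proposal describes. Later OpenSSH releases offer the same requirement natively through `AuthenticationMethods publickey,password` in sshd_config, which demands both methods in that order; the block above models Karl's sketch rather than that feature.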

  Copyright © 2019   by DJ Delorie     Updated Jul 2019