Mail Archives: cygwin/2001/04/05/04:04:03

Mailing-List: contact cygwin-help AT sourceware DOT cygnus DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT sources DOT redhat DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT sources DOT redhat DOT com>
List-Help: <mailto:cygwin-help AT sources DOT redhat DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT sources DOT redhat DOT com
Delivered-To: mailing list cygwin AT sources DOT redhat DOT com
Date: Thu, 5 Apr 2001 09:58:18 +0200
From: Corinna Vinschen <cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: ssh Authentication--RSA/Password
Message-ID: <20010405095818.L956@cygbert.vinschen.de>
Mail-Followup-To: cygwin AT cygwin DOT com
References: <F193Y0VnkB4ltFlmmlQ000014b2 AT hotmail DOT com> <20010404165841 DOT A4546 AT redhat DOT com>
Mime-Version: 1.0
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010404165841.A4546@redhat.com>; from cgf@redhat.com on Wed, Apr 04, 2001 at 04:58:41PM -0400

On Wed, Apr 04, 2001 at 04:58:41PM -0400, Christopher Faylor wrote:
> On Wed, Apr 04, 2001 at 01:04:02PM -0700, Karl M wrote:
> >Hi Corinna and All...
> >
> >Consider the following...Suppose sshd were modified so that password 
> >authentication could succeed only if RSA authentication had almost succeeded 
> >(meaning that the RSA authentication itself succeeded but the setuid 
> >failed). Then the authentication sequence might look something like this:
> >
> >Client and server try RSA authentication.
> >
> >Server detects that RSA authentication succeeded but the setuid failed and 
> >sets a flag to remember this fact.
> >
> >Server tells client that RSA authentication failed.
> >
> >Client and server try password authentication.
> >
> >Server checks the flag and only allows success if the flag is set. This 
> >might be controlled by setting passwordAuthentication to "maybe" instead of 
> >the usual "yes" or "no" in sshd_config.
> >
> >The result is that I have typed both a passphrase and a password correctly 
> >in order to get in. This means that for any attacks by a listener on the 
> >internet, I have the security of RSA authentication--which I believe is 
> >better than most passwords. I also have the password needed to make life 
> >good (and easy) in the NT world.
> >
> >Do you see any security holes?
> >
> >Would this be of general interest?
> 
> Sounds like a question for the openssh mailing list.  I doubt that anyone
> here besides Corinna can really answer this.

A few days ago somebody posted a patch to the openssh-unix-dev
mailing list which allows forcing multiple authentication methods.
RSA + Password authentication is just one way then. I don't know
if it will be applied, though.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin AT cygwin DOT com
Red Hat, Inc.

--
Want to unsubscribe from this list?
Check out: http://cygwin.com/ml/#unsubscribe-simple
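The two-step sequence Karl proposes (key step recorded but reported as failed, then a password step that can only succeed when that flag is set) as a small added model. This is illustration code, not code from the thread, from OpenSSH or from Cygwin: the RSA challenge-response is replaced by an HMAC over a constructed per-user secret, the user store and passwords are constructed in-line, and the "maybe" value for password authentication is the one the message proposes, not a real sshd_config option.

```python
"""
Model of a per-session "key verified, then password" rule for an sshd-like
server.  Constructed example: HMAC stands in for RSA, USERS is a toy store.
"""
import hashlib
import hmac
import secrets
from typing import Optional


def make_password_record(password: str):
    """Salted PBKDF2 hash of a password; returns (salt, digest)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


# Constructed user store.  "key" stands in for the user's authorized RSA key
# (a shared secret here, so the key step is an HMAC challenge-response);
# "pw" is the salted hash of the password the user must also type.
USERS = {
    "karl": {"key": secrets.token_bytes(32), "pw": make_password_record("nt-password")},
    "bob": {"key": secrets.token_bytes(32), "pw": make_password_record("other-password")},
}


class Server:
    """One server-side session.  password_authentication takes the values
    from the proposal: "yes", "no", or the new "maybe"."""

    def __init__(self, users, password_authentication: str = "maybe"):
        self.users = users
        self.mode = password_authentication
        self.nonce = secrets.token_bytes(32)  # challenge for the key step
        self.key_ok_for: Optional[str] = None  # the "flag": user whose key verified

    def pubkey_auth(self, user: str, response: bytes) -> bool:
        """Key step.  Records success internally, bound to the user name, but
        always reports failure to the client so the password step follows."""
        rec = self.users.get(user)
        if rec is not None:
            expected = hmac.new(rec["key"], self.nonce, "sha256").digest()
            if hmac.compare_digest(expected, response):
                self.key_ok_for = user
        return False

    def password_auth(self, user: str, password: str) -> bool:
        """Password step.  Under "maybe" it can only succeed for the user whose
        key already verified in this same session."""
        if self.mode == "no":
            return False
        if self.mode == "maybe" and self.key_ok_for != user:
            return False
        rec = self.users.get(user)
        if rec is None:
            return False
        salt, digest = rec["pw"]
        attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(digest, attempt)


def client_sign(key_holder: str, nonce: bytes) -> bytes:
    """Client side of the key step: prove possession of key_holder's key."""
    return hmac.new(USERS[key_holder]["key"], nonce, "sha256").digest()


def login(user: str, password: str, key_holder: Optional[str], mode: str = "maybe") -> bool:
    """Run one session: optionally answer the challenge with key_holder's key,
    then try the password for `user`.  Returns whether the login succeeds."""
    srv = Server(USERS, mode)
    if key_holder is not None:
        srv.pubkey_auth(user, client_sign(key_holder, srv.nonce))
    return srv.password_auth(user, password)
```

The flag is stored per session and bound to the user name, so a key that verified for one account cannot unlock password authentication for another, and a password alone never suffices under "maybe". Later OpenSSH releases added the sshd_config directive `AuthenticationMethods publickey,password`, which requires both methods in that order without hiding the partial success from the client; the model above follows the message's design of reporting the key step as failed.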



  Copyright © 2019   by DJ Delorie     Updated Jul 2019