Mailing-List: contact cygwin-help@sourceware.cygnus.com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe@sources.redhat.com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin@sources.redhat.com>
List-Help: <mailto:cygwin-help@sources.redhat.com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner@sources.redhat.com
Delivered-To: mailing list cygwin@sources.redhat.com
Date: Thu, 5 Apr 2001 09:58:18 +0200
From: Corinna Vinschen <cygwin@cygwin.com>
To: cygwin@cygwin.com
Subject: Re: ssh Authentication--RSA/Password
Message-ID: <20010405095818.L956@cygbert.vinschen.de>
Mail-Followup-To: cygwin@cygwin.com
References: <F193Y0VnkB4ltFlmmlQ000014b2@hotmail.com> <20010404165841.A4546@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010404165841.A4546@redhat.com>; from cgf@redhat.com on Wed, Apr 04, 2001 at 04:58:41PM -0400

On Wed, Apr 04, 2001 at 04:58:41PM -0400, Christopher Faylor wrote:
> On Wed, Apr 04, 2001 at 01:04:02PM -0700, Karl M wrote:
> >Hi Corinna and All...
> >
> >Consider the following...Suppose sshd were modified so that password 
> >authentication could succeed only if RSA authentication had almost succeeded 
> >(meaning that the RSA authentication itself succeeded but the setuid 
> >failed). Then the authentication sequence might look something like this:
> >
> >Client and server try RSA authentication.
> >
> >Server detects that RSA authentication succeeded but the setuid failed and 
> >sets a flag to remember this fact.
> >
> >Server tells client that RSA authentication failed.
> >
> >Client and server try password authentication.
> >
> >Server checks the flag and only allows success if the flag is set. This 
> >might be controlled by setting passwordAuthentication to "maybe" instead of 
> >the usual "yes" or "no" in sshd_config.
> >
> >The result is that I have typed both a passphrase and a password correctly 
> >in order to get in. This means that for any attacks by a listener on the 
> >internet, I have the security of RSA authentication--which I believe is 
> >better than most passwords. I also have the password needed to make life 
> >good (and easy) in the NT world.
> >
> >Do you see any security holes?
> >
> >Would this be of general interest?
> 
> Sounds like a question for the openssh mailing list.  I doubt that anyone
> here besides Corinna can really answer this.

A few days ago somebody posted a patch into the openssh-unix-dev
mailing list which allows forcing multiple authentication methods.
RSA + Password authentication is just one way then. I don't know
if it will be applied, though.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.

--
Want to unsubscribe from this list?
Check out: http://cygwin.com/ml/#unsubscribe-simple