Mailing-List: contact cygwin-help AT sourceware DOT cygnus DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT sources DOT redhat DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT sources DOT redhat DOT com>
List-Help: <mailto:cygwin-help AT sources DOT redhat DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT sources DOT redhat DOT com
Delivered-To: mailing list cygwin AT sources DOT redhat DOT com
Date: Wed, 4 Apr 2001 16:58:41 -0400
From: Christopher Faylor <cgf AT redhat DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: ssh Authentication--RSA/Password
Message-ID: <20010404165841.A4546@redhat.com>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <F193Y0VnkB4ltFlmmlQ000014b2 AT hotmail DOT com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.11i
In-Reply-To: <F193Y0VnkB4ltFlmmlQ000014b2@hotmail.com>; from karlm30@hotmail.com on Wed, Apr 04, 2001 at 01:04:02PM -0700

On Wed, Apr 04, 2001 at 01:04:02PM -0700, Karl M wrote:
>Hi Corinna and All...
>
>Consider the following...Suppose sshd were modified so that password 
>authentication could succeed only if RSA authentication had almost succeeded 
>(meaning that the RSA authentication itself succeeded but the setuid 
>failed). Then the authentication sequence might look something like this:
>
>Client and server try RSA authentication.
>
>Server detects that RSA authentication succeeded but the setuid failed and 
>sets a flag to remember this fact.
>
>Server tells client that RSA authentication failed.
>
>Client and server try password authentication.
>
>Server checks the flag and only allows success if the flag is set. This 
>might be controlled by setting passwordAuthentication to "maybe" instead of 
>the usual "yes" or "no" in sshd_config.
>
>The result is that I have typed both a passphrase and a password correctly 
>in order to get in. This means that for any attacks by a listener on the 
>internet, I have the security of RSA authentication--which I believe is 
>better than most passwords. I also have the password needed to make life 
>good (and easy) in the NT world.
>
>Do you see any security holes?
>
>Would this be of general interest?

Sounds like a question for the openssh mailing list.  I doubt that anyone
here besides Corinna can really answer this.

cgf

--
Want to unsubscribe from this list?
Check out: http://cygwin.com/ml/#unsubscribe-simple