Mailing-List: contact cygwin-help AT sourceware DOT cygnus DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT sources DOT redhat DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT sources DOT redhat DOT com>
List-Help: <mailto:cygwin-help AT sources DOT redhat DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT sources DOT redhat DOT com
Delivered-To: mailing list cygwin AT sources DOT redhat DOT com
X-Originating-IP: [211.10.3.231]
From: "Karl M" <karlm30 AT hotmail DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: ssh Authentication--RSA/Password
Date: Sat, 07 Apr 2001 05:17:36 -0700
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <F22hgS86aRZlz8OO75z000022cd@hotmail.com>
X-OriginalArrivalTime: 07 Apr 2001 12:17:36.0991 (UTC) FILETIME=[BB7EA6F0:01C0BF5C]

Hi Corinna...

I looked there and I guess that I missed it. Can you give me a specific 
pointer, or something I can get a unique search with? If not, I will track 
it down later.

Thanks,

...Karl


>From: Corinna Vinschen <cygwin AT cygwin DOT com>
>To: cygwin AT cygwin DOT com
>Subject: Re: ssh Authentication--RSA/Password
>Date: Thu, 5 Apr 2001 09:58:18 +0200
>
>On Wed, Apr 04, 2001 at 04:58:41PM -0400, Christopher Faylor wrote:
> > On Wed, Apr 04, 2001 at 01:04:02PM -0700, Karl M wrote:
> > >Hi Corinna and All...
> > >
> > >Consider the following...Suppose sshd were modified so that password
> > >authentication could succeed only if RSA authentication had almost 
>succeeded
> > >(meaning that the RSA authentication itself succeeded but the setuid
> > >failed). Then the authentication sequence might look something like 
>this:
> > >
> > >Client and server try RSA authentication.
> > >
> > >Server detects that RSA authentication succeeded but the setuid failed 
>and
> > >sets a flag to remember this fact.
> > >
> > >Server tells client that RSA authentication failed.
> > >
> > >Client and server try password authentication.
> > >
> > >Server checks the flag and only allows success if the flag is set. This
> > >might be controlled by setting passwordAuthentication to "maybe" 
>instead of
> > >the usual "yes" or "no" in sshd_config.
> > >
> > >The result is that I have typed both a passphrase and a password 
>correctly
> > >in order to get in. This means that for any attacks by a listener on 
>the
> > >internet, I have the security of RSA authentication--which I believe is
> > >better than most passwords. I also have the password needed to make 
>life
> > >good (and easy) in the NT world.
> > >
> > >Do you see any security holes?
> > >
> > >Would this be of general interest?
> >
> > Sounds like a question for the openssh mailing list.  I doubt that 
>anyone
> > here besides Corinna can really answer this.
>
>A few days ago somebody posted a patch into the openssh-unix-dev
>mailing list which allows forcing multiple authentication methods.
>RSA + Password authentication is just one way then. I don't know
>if it will be applied, though.
>
>Corinna
>
>--
>Corinna Vinschen                  Please, send mails regarding Cygwin to
>Cygwin Developer                                mailto:cygwin AT cygwin DOT com
>Red Hat, Inc.
>
>--
>Want to unsubscribe from this list?
>Check out: http://cygwin.com/ml/#unsubscribe-simple
>

_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com


--
Want to unsubscribe from this list?
Check out: http://cygwin.com/ml/#unsubscribe-simple