From: "Karl M"
To: cygwin AT cygwin DOT com
Subject: Re: ssh Authentication--RSA/Password
Date: Sat, 07 Apr 2001 05:17:36 -0700

Hi Corinna...

I looked there and I guess that I missed it. Can you give me a specific
pointer, or something I can get a unique search with? If not, I will
track it down later.

Thanks,

...Karl

>From: Corinna Vinschen
>To: cygwin AT cygwin DOT com
>Subject: Re: ssh Authentication--RSA/Password
>Date: Thu, 5 Apr 2001 09:58:18 +0200
>
>On Wed, Apr 04, 2001 at 04:58:41PM -0400, Christopher Faylor wrote:
> > On Wed, Apr 04, 2001 at 01:04:02PM -0700, Karl M wrote:
> > >Hi Corinna and All...
> > >
> > >Consider the following...Suppose sshd were modified so that password
> > >authentication could succeed only if RSA authentication had almost
> > >succeeded (meaning that the RSA authentication itself succeeded but
> > >the setuid failed). Then the authentication sequence might look
> > >something like this:
> > >
> > >Client and server try RSA authentication.
> > >
> > >Server detects that RSA authentication succeeded but the setuid failed
> > >and sets a flag to remember this fact.
> > >
> > >Server tells client that RSA authentication failed.
> > >
> > >Client and server try password authentication.
> > >
> > >Server checks the flag and only allows success if the flag is set.
> > >This might be controlled by setting passwordAuthentication to "maybe"
> > >instead of the usual "yes" or "no" in sshd_config.
> > >
> > >The result is that I have typed both a passphrase and a password
> > >correctly in order to get in. This means that for any attacks by a
> > >listener on the internet, I have the security of RSA
> > >authentication--which I believe is better than most passwords. I also
> > >have the password needed to make life good (and easy) in the NT world.
> > >
> > >Do you see any security holes?
> > >
> > >Would this be of general interest?
> >
> > Sounds like a question for the openssh mailing list. I doubt that
> > anyone here besides Corinna can really answer this.
>
>A few days ago somebody posted a patch into the openssh-unix-dev
>mailing list which allows forcing multiple authentication methods.
>RSA + Password authentication is just one way then. I don't know
>if it will be applied, though.
>
>Corinna
>
>--
>Corinna Vinschen                  Please, send mails regarding Cygwin to
>Cygwin Developer                                mailto:cygwin AT cygwin DOT com
>Red Hat, Inc.
>
>--
>Want to unsubscribe from this list?
>Check out: http://cygwin.com/ml/#unsubscribe-simple
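The authentication sequence Karl proposes in the quoted message, written out as a small policy model (added example, not code from the thread or from OpenSSH): the server remembers an "RSA passed but setuid failed" flag, reports RSA as failed to the client, and under the hypothetical passwordAuthentication "maybe" setting lets password authentication succeed only when that flag is set. The account table and key/password values are constructed for the example.

```python
import hmac
from dataclasses import dataclass, field

# Constructed sample accounts. "setuid_ok" models whether sshd could switch
# to the account after RSA authentication (the NT/Cygwin case from the thread).
ACCOUNTS = {
    "karl": {"pubkey": "KEY-karl", "password": "hunter2", "setuid_ok": False},
    "bob": {"pubkey": "KEY-bob", "password": "pw-bob", "setuid_ok": True},
}

@dataclass
class Session:
    user: str
    rsa_passed_setuid_failed: bool = False  # the flag from the proposal
    authenticated: bool = False
    replies: list = field(default_factory=list)  # what the server tells the client

def try_rsa(session, presented_key):
    """RSA step: success only if key matches AND setuid works; otherwise
    remember a key-only success internally but report failure to the client."""
    acct = ACCOUNTS.get(session.user)
    if acct is None or not hmac.compare_digest(acct["pubkey"], presented_key):
        session.replies.append("rsa: failed")
        return False
    if acct["setuid_ok"]:
        session.authenticated = True
        session.replies.append("rsa: success")
        return True
    session.rsa_passed_setuid_failed = True
    session.replies.append("rsa: failed")  # client is not told the key was right
    return False

def try_password(session, presented_password, mode="maybe"):
    """Password step under sshd_config passwordAuthentication = yes | no | maybe."""
    acct = ACCOUNTS.get(session.user)
    ok = (mode != "no" and acct is not None
          and hmac.compare_digest(acct["password"], presented_password))
    if ok and mode == "maybe" and not session.rsa_passed_setuid_failed:
        ok = False  # password alone is never enough in "maybe" mode
    session.replies.append("password: success" if ok else "password: failed")
    session.authenticated = session.authenticated or ok
    return ok

def authenticate(user, presented_key, presented_password, mode="maybe"):
    """Run the full sequence; returns (authenticated, list of server replies)."""
    s = Session(user)
    if not try_rsa(s, presented_key):
        try_password(s, presented_password, mode)
    return s.authenticated, s.replies
```

Under "maybe", a correct password with the wrong key is refused, so a listener who only captures the password gains nothing; with "yes" the same attempt succeeds, which is the weakening the proposal avoids.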