Re: [vox-tech] sshd_config and PasswordAuthentication

To: "lugod's technical discussion forum" <vox-tech@lists.MAPSlugod.org>
Subject: Re: [vox-tech] sshd_config and PasswordAuthentication
From: "Micah J. Cowan" <micah@cowMAPSan.name>
Date: Thu, 7 Jul 2005 10:43:23 -0700
Delivered-to: lugod@livepenguin.com
Delivered-to: vox-tech@livepenguin.com
In-reply-to: <42CD5101.40002@heyjay.com>;from me@heyjay.com on Thu, Jul 07, 2005 at 10:57:53AM -0500
List-archive: <http://ns1.livepenguin.com/pipermail/vox-tech>
List-help: <mailto:vox-tech-request@lists.lugod.org?subject=help>
List-id: lugod's technical discussion forum <vox-tech.lists.lugod.org>
List-post: <mailto:vox-tech@lists.lugod.org>
List-subscribe: <http://lists.lugod.org/mailman/listinfo/vox-tech>,<mailto:vox-tech-request@lists.lugod.org?subject=subscribe>
List-unsubscribe: <http://lists.lugod.org/mailman/listinfo/vox-tech>,<mailto:vox-tech-request@lists.lugod.org?subject=unsubscribe>
References: <42CD34CA.1090208@heyjay.com> <20050707144351.GA6639@houseag.com><42CD5101.40002@heyjay.com>
Reply-to: lugod's technical discussion forum <vox-tech@lists.MAPSlugod.org>
Sender: vox-tech-bounces@lists.luMAPSgod.org
User-agent: Mutt/1.2.5.1i

On Thu, Jul 07, 2005 at 10:57:53AM -0500, Jay Strauss wrote:
> > No, SSH never passes password across the net in cleartext. They are sent to
> > the remote host when using this option, which means that unless you have a
> > different password for each host, a malicious remote administrator could
> > capture your password and then use if to compromise your other accounts.
> 
> Feeling a bit stupid but I still don't understand what you mean
> 
> If I ssh from A to sveasoft - the password is encrypted
> If I then ssh from sveasoft to C - the password is cleartext?

No. The ssh password is always tunneled, but it's tunnelled "cleartext".
This means that a sysadmin at sveasoft could rig their sshd to capture
the cleartext password to a file, and they could then use it at other
sites where you use the same password.

Note that before you ssh'd in, they don't have your password
unencrypted: they have a password hash.

-- 
Micah J. Cowan
micah@cowan.name
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech

Follow-Ups:
- Re: [vox-tech] sshd_config and PasswordAuthentication
  - From: Jay Strauss

References:
- [vox-tech] sshd_config and PasswordAuthentication
  - From: Jay Strauss
- Re: [vox-tech] sshd_config and PasswordAuthentication
  - From: Henry House
- Re: [vox-tech] sshd_config and PasswordAuthentication
  - From: Jay Strauss

Prev by Date: Re: [vox-tech] sshd_config and PasswordAuthentication
Next by Date: Re: [vox-tech] sshd_config and PasswordAuthentication
Previous by thread: Re: [vox-tech] sshd_config and PasswordAuthentication
Next by thread: Re: [vox-tech] sshd_config and PasswordAuthentication
Index(es):
- Date
- Thread

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
1105 Kennedy Place, Suite 1, Davis, CA 95616
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.