This is the mail archive of the mailing list for the Cygwin project.
Re: ssh Authentication--RSA/Password
- To: cygwin at cygwin dot com
- Subject: Re: ssh Authentication--RSA/Password
- From: Christopher Faylor <cgf at redhat dot com>
- Date: Wed, 4 Apr 2001 16:58:41 -0400
- References: <F193Y0VnkB4ltFlmmlQ000014b2@hotmail.com>
- Reply-To: cygwin at cygwin dot com
On Wed, Apr 04, 2001 at 01:04:02PM -0700, Karl M wrote:
>Hi Corinna and All...
>Consider the following...Suppose sshd were modified so that password
>authentication could succeed only if RSA authentication had almost succeeded
>(meaning that the RSA authentication itself succeeded but the setuid
>failed). Then the authentication sequence might look something like this:
>Client and server try RSA authentication.
>Server detects that RSA authentication succeeded but the setuid failed and
>sets a flag to remember this fact.
>Server tells client that RSA authentication failed.
>Client and server try password authentication.
>Server checks the flag and only allows success if the flag is set. This
>might be controlled by setting passwordAuthentication to "maybe" instead of
>the usual "yes" or "no" in sshd_config.
>The result is that I have typed both a passphrase and a password correctly
>in order to get in. This means that for any attacks by a listener on the
>internet, I have the security of RSA authentication--which I believe is
>better than most passwords. I also have the password needed to make life
>good (and easy) in the NT world.
>Do you see any security holes?
>Would this be of general interest?
Sounds like a question for the openssh mailing list. I doubt that anyone
here besides Corinna can really answer this.
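As an added illustration of the sequence Karl proposes (not part of the original thread and not OpenSSH code), the following Python model gates password authentication on a per-connection "RSA passed but setuid failed" flag, with PasswordAuthentication taking the proposed third value "maybe". The ModelSshd class, the setuid_works switch and the sample user, key and password are constructed for the example.

```python
"""Toy model of the "RSA almost succeeded, then password" gate proposed in
the quoted message. Not OpenSSH code: the class, the setuid_works switch and
the sample user, key and password below are constructed for illustration."""
import hmac
from dataclasses import dataclass


@dataclass
class Session:
    """Per-connection state. The flag lives here so that one client's
    near-success can never unlock password auth for a different connection."""
    rsa_ok_but_setuid_failed: bool = False


class ModelSshd:
    def __init__(self, password_authentication, authorized_keys, passwords,
                 setuid_works=True):
        if password_authentication not in ("yes", "no", "maybe"):
            raise ValueError("PasswordAuthentication must be yes, no or maybe")
        self.mode = password_authentication
        self.authorized_keys = authorized_keys   # user -> set of key ids
        self.passwords = passwords               # user -> password (model only)
        self.setuid_works = setuid_works         # False models the NT failure

    def rsa_auth(self, session, user, key_id):
        """Steps 1-3: verify the key, try setuid, report to the client."""
        if key_id not in self.authorized_keys.get(user, set()):
            return False                          # genuinely failed
        if self.setuid_works:
            return True                           # ordinary RSA success
        session.rsa_ok_but_setuid_failed = True   # remember the near-miss
        return False                              # client is told "failed"

    def password_auth(self, session, user, password):
        """Steps 4-5: check the password, then consult mode and flag."""
        if self.mode == "no":
            return False
        expected = self.passwords.get(user, "")
        if not hmac.compare_digest(expected.encode(), password.encode()):
            return False
        if self.mode == "yes":
            return True
        return session.rsa_ok_but_setuid_failed   # "maybe": key had to pass

    def authenticate(self, user, key_id, password):
        """Run the full sequence for one connection; return the winning method."""
        session = Session()
        if self.rsa_auth(session, user, key_id):
            return "rsa"
        if self.password_auth(session, user, password):
            return "password"
        return None


# Constructed sample data for the model.
KEYS = {"karl": {"karl-laptop-key"}}
PASSWORDS = {"karl": "nt-password"}


def run_scenarios():
    """Return scenario name -> True when the outcome matches the proposal."""
    maybe_nt = ModelSshd("maybe", KEYS, PASSWORDS, setuid_works=False)
    maybe_unix = ModelSshd("maybe", KEYS, PASSWORDS, setuid_works=True)
    yes_nt = ModelSshd("yes", KEYS, PASSWORDS, setuid_works=False)
    no_nt = ModelSshd("no", KEYS, PASSWORDS, setuid_works=False)
    return {
        # Karl's case: key passes, setuid fails, the password then lets him in
        "maybe: key + password": maybe_nt.authenticate("karl", "karl-laptop-key", "nt-password") == "password",
        # A password-guessing listener without the key is refused
        "maybe: password only": maybe_nt.authenticate("karl", "unknown-key", "nt-password") is None,
        # The key alone is not enough once setuid has failed
        "maybe: key only": maybe_nt.authenticate("karl", "karl-laptop-key", "wrong") is None,
        # Where setuid works, RSA succeeds outright and no password is asked for
        "maybe: setuid works": maybe_unix.authenticate("karl", "karl-laptop-key", "") == "rsa",
        # Plain "yes" is what "maybe" improves on: the password alone suffices
        "yes: password only": yes_nt.authenticate("karl", "unknown-key", "nt-password") == "password",
        # Plain "no" locks Karl out entirely on the host where setuid fails
        "no: key + password": no_nt.authenticate("karl", "karl-laptop-key", "nt-password") is None,
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{'ok ' if ok else 'BAD'} {name}")
```

Two points the model makes explicit that the proposal leaves implicit: the flag must be bound to the connection (here a Session object created inside authenticate), otherwise a near-miss on one connection could unlock password authentication for an unrelated one; and the server's "RSA failed" message to the client is the same whether the key was wrong or setuid failed, so a listener learns nothing about which case occurred.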