This is the mail archive of the mailing list for the Cygwin project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]

Re: ssh Authentication--RSA/Password

Hi Corinna...

I looked there and I guess that I missed it. Can you give me a specific 
pointer, or something I can get a unique search with? If not, I will track 
it down later.



>From: Corinna Vinschen <>
>Subject: Re: ssh Authentication--RSA/Password
>Date: Thu, 5 Apr 2001 09:58:18 +0200
>On Wed, Apr 04, 2001 at 04:58:41PM -0400, Christopher Faylor wrote:
> > On Wed, Apr 04, 2001 at 01:04:02PM -0700, Karl M wrote:
> > >Hi Corinna and All...
> > >
> > >Consider the following...Suppose sshd were modified so that password
> > >authentication could succeed only if RSA authentication had almost 
> > >(meaning that the RSA authentication itself succeeded but the setuid
> > >failed). Then the authentication sequence might look something like 
> > >
> > >Client and server try RSA authentication.
> > >
> > >Server detects that RSA authentication succeeded but the setuid failed 
> > >sets a flag to remember this fact.
> > >
> > >Server tells client that RSA authentication failed.
> > >
> > >Client and server try password authentication.
> > >
> > >Server checks the flag and only allows success if the flag is set. This
> > >might be controlled by setting passwordAuthentication to "maybe" 
>instead of
> > >the usual "yes" or "no" in sshd_config.
> > >
> > >The result is that I have typed both a passphrase and a password 
> > >in order to get in. This means that for any attacks by a listener on 
> > >internet, I have the security of RSA authentication--which I believe is
> > >better than most passwords. I also have the password needed to make 
> > >good (and easy) in the NT world.
> > >
> > >Do you see any security holes?
> > >
> > >Would this be of general interest?
> >
> > Sounds like a question for the openssh mailing list.  I doubt that 
> > here besides Corinna can really answer this.
>A few days ago somebody posted a patch into the openssh-unix-dev
>mailing list which allows forcing multiple authentication methods.
>RSA + Password authentication is just one way then. I don't know
>if it will be applied, though.
>Corinna Vinschen                  Please, send mails regarding Cygwin to
>Cygwin Developer                      
>Red Hat, Inc.
>Want to unsubscribe from this list?
>Check out:

Get your FREE download of MSN Explorer at

Want to unsubscribe from this list?
Check out:

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]