SSH vs encrypted passwords

This is a discussion on SSH vs encrypted passwords within the Linux Security forums, part of the System Security and Security Related category.


#21
11-12-2004
Michael Heiming
Re: SSH vs encrypted passwords

In comp.os.linux.security Stephan Goeldi <expires.1.12.04@usable.ch>:
> On Wed, 10 Nov 2004 19:42:18 -0800, AnthonyM wrote:


>> What makes ssh really powerful is not using the password authentication,
>> but using the public key/private key encryption / authentication. You can
>> use these to authenticate the user as well as the machine you are
>> connecting to.


> You are possibly right, but when a user has the public/private keys stored
> on his laptop, and the laptop is stolen ... then this is worse than
> password authentication.


Not really, use a good pass-phrase while generating your user
keys, you shouldn't enter <return> twice if asked for the
pass-phrase, or this would be possible. With a pass-phrase it
doesn't matter if anyone steals the key, it's worthless.

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 273: The cord jumped over and hit the power switch.
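
An added example, not part of any post in this thread: a small Python audit that reports whether a private key file is passphrase-protected, the property the reply above depends on. The sample key containers are constructed, header-only data, and the function names are this example's own.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"  # start of the decoded OpenSSH private-key container

def _wire_string(data):
    """Encode bytes as an SSH wire string: uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def key_protection(pem_text):
    """Classify a PEM-armoured private key as 'encrypted' or 'unencrypted'."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM private key")
    label = lines[0][len("-----BEGIN "):].rstrip("-")
    if not label.endswith("PRIVATE KEY"):
        raise ValueError("not a private key: " + label)
    if label == "ENCRYPTED PRIVATE KEY":   # PKCS#8 encrypted form
        return "encrypted"
    if label == "OPENSSH PRIVATE KEY":     # current OpenSSH container
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + 4:
            raise ValueError("bad OpenSSH key container")
        (n,) = struct.unpack(">I", blob[len(MAGIC):len(MAGIC) + 4])
        cipher = blob[len(MAGIC) + 4:len(MAGIC) + 4 + n]
        return "unencrypted" if cipher == b"none" else "encrypted"
    # Legacy PEM ("RSA PRIVATE KEY" etc.): a passphrase shows up as a header.
    return "encrypted" if "Proc-Type: 4,ENCRYPTED" in lines[1:4] else "unencrypted"

def _sample_openssh(cipher, kdf):
    """Constructed header-only container for this demo; not a usable key."""
    blob = MAGIC + _wire_string(cipher) + _wire_string(kdf) + _wire_string(b"")
    body = base64.b64encode(blob + struct.pack(">I", 1)).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + body +
            "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed sample files standing in for the contents of a laptop's ~/.ssh.
SAMPLES = {
    "id_no_passphrase": _sample_openssh(b"none", b"none"),
    "id_with_passphrase": _sample_openssh(b"aes256-ctr", b"bcrypt"),
    "id_rsa_legacy": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                     "DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n",
}

def audit(samples):
    """Map each key name to its protection state."""
    return {name: key_protection(text) for name, text in samples.items()}

if __name__ == "__main__":
    for name, state in audit(SAMPLES).items():
        print(f"{name}: {state}")
```
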

#22
11-12-2004
Tim Haynes
Re: SSH vs encrypted passwords


#23
11-15-2004
Lawrence D'Oliveiro
Re: SSH vs encrypted passwords

In article <419322d3$0$43451$e4fe514c@news.xs4all.nl>,
Casper H.S. Dik <Casper.Dik@Sun.COM> wrote:

>Lawrence D'Oliveiro <ldo@geek-central.gen.new_zealand> writes:
>
>>No. The password is never transmitted to the remote system in SSH.

>
>You're wrong. Looking through a "truss" of the ssh server
>it does call crypt() when you use a password authenticated login.
>That means it will have gotten the clear text password (but it's
>sent over an encrypted connection).


I see, so all encryption is done starting with the host key
(/etc/ssh/ssh_host_key), not the user's password, as I thought.

>The server has a key which is verified, that's how ssh protects
>against rogue servers.


This, of course, is the real weakness in the way SSH is normally used,
in that people happily accept the offered host key the first time they
log into a machine, instead of installing the host key via some secure
channel.

#24
11-15-2004
Lawrence D'Oliveiro
Re: SSH vs encrypted passwords

In article <cmvcs6$egt$1@gemini.csx.cam.ac.uk>,
jc254@newton.cam.ac.uk (Jonathan H N Chin) wrote:

>You elided the reference I gave to the ssh authentication
>protocol specification.


Thanks for that. I understand better now.

>You are correct that a spoofing server could steal the password.
>You are wrong that this means that the password is not sent.
>It is sent and, yes, that is a weakness of the protocol.
>Different protocols (such as SRP that I mentioned earlier,
>and even some of the other ssh authentication methods) do protect
>against this kind of "snooping".


As I understand it, SRP separates things to the extent that the secret
known to the server is slightly less sensitive than that known to the
client: the former can be determined from the latter, but not the other
way round. Thus, if anyone breaks into the server and steals the secret
kept there, it only allows them to impersonate the server, not the
client.

#25
11-15-2004
General Schvantzkoph
Re: SSH vs encrypted passwords


> This, of course, is the real weakness in the way SSH is normally used,
> in that people happily accept the offered host key the first time they
> log into a machine, instead of installing the host key via some secure
> channel.


If you use RSA authentication this isn't a problem. You put the public
keys of the authorized users into an authorized_keys file (I put mine in
/etc/ssh/authorized_keys, the default is ~/.ssh/authorized_keys) and
require RSA authorization.

#26
11-16-2004
Lawrence D'Oliveiro
Re: SSH vs encrypted passwords

In article <pan.2004.11.15.14.13.28.55762@yahoo.com>,
General Schvantzkoph <schvantzkoph@yahoo.com> wrote:

>> This, of course, is the real weakness in the way SSH is normally used,
>> in that people happily accept the offered host key the first time they
>> log into a machine, instead of installing the host key via some secure
>> channel.

>
>If you use RSA authentication this isn't a problem.


Well, no, it still is a problem, because you don't eliminate the chance
of a man-in-the-middle attack at the point of obtaining the host's
public key.

#27
11-16-2004
General Schvantzkoph
Re: SSH vs encrypted passwords

On Tue, 16 Nov 2004 13:26:40 +1300, Lawrence D'Oliveiro wrote:

> In article <pan.2004.11.15.14.13.28.55762@yahoo.com>,
> General Schvantzkoph <schvantzkoph@yahoo.com> wrote:
>
>>> This, of course, is the real weakness in the way SSH is normally used,
>>> in that people happily accept the offered host key the first time they
>>> log into a machine, instead of installing the host key via some secure
>>> channel.

>>
>>If you use RSA authentication this isn't a problem.

>
> Well, no, it still is a problem, because you don't eliminate the chance
> of a man-in-the-middle attack at the point of obtaining the host's
> public key.


A man in the middle attack is a theoretical possibility but not something
that anyone except the NSA needs to worry about. But if you are
sufficiently security conscious that you want to eliminate any possibility
of a man in the middle attack problem, just confirm the public key before you
use it, i.e. I send you my public key, you phone me and read back enough
digits to confirm that you got the right key. It doesn't matter if someone
intercepted the public key and it doesn't matter if someone is
eavesdropping on the phone call because the public key isn't secret. The
only thing that matters is that you know the provenance of the public
key.
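
An added example, not part of any post in this thread: the out-of-band confirmation discussed above, done by computing the SHA-256 fingerprint of the received public key line and comparing the full value with the one read back over a second channel. The same check applies to a host key or a user key; the key lines are constructed sample data, and the function names are this example's own.

```python
import base64
import hashlib
import struct

def _wire_string(data):
    """Encode bytes as an SSH wire string: uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def parse_pubkey_line(line):
    """Split '<type> <base64> [comment]' and check the blob names the same type."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type = parts[0]
    blob = base64.b64decode(parts[1], validate=True)
    if not blob.startswith(_wire_string(key_type.encode())):
        raise ValueError("key type does not match the encoded blob")
    return key_type, blob

def fingerprint(line):
    """SHA-256 fingerprint in the 'SHA256:<unpadded base64>' form ssh-keygen -l prints."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def confirmed(received_line, spoken_fingerprint):
    """True only if the full fingerprint of the received key equals the spoken one."""
    return fingerprint(received_line) == spoken_fingerprint.strip()

def _constructed_key(seed):
    """Constructed ssh-ed25519 public key line (sample bytes, not a real key)."""
    raw = bytes((seed + i) % 256 for i in range(32))
    blob = _wire_string(b"ssh-ed25519") + _wire_string(raw)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " sample@example"

GENUINE = _constructed_key(1)       # key the owner actually generated
SUBSTITUTED = _constructed_key(2)   # different key delivered in its place
SPOKEN = fingerprint(GENUINE)       # fingerprint the owner reads out by phone

if __name__ == "__main__":
    print("genuine key confirmed:    ", confirmed(GENUINE, SPOKEN))
    print("substituted key confirmed:", confirmed(SUBSTITUTED, SPOKEN))
```
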