Making password driven SSH 'immune' to MTM attacks.

Dave Dykstra dwd at bell-labs.com
Sat Feb 26 06:51:26 EST 2000


On Thu, Feb 24, 2000 at 06:22:22PM -0500, Gregory Maxwell wrote:
> The RSA method is good because it doesn't rely on the (frequently
> non)secrecy of passwords. Its primary disadvantage is that using it
> correctly requires a PKI of some form (be it x.509 certs, GPG signed
> copies, manual key population) to be secure.

I think that's nonsense.  If you personally exchange RSA public keys or
get them from people you know personally there's no reason why it needs
a PKI.  RSA authentication works wonderfully in SSH.  It's hardly any
harder to exchange RSA public keys than to exchange a secret password,
except that the former can't be transmitted over a telephone.

> Unfortunately, when using passwords with SSH you are fairly
> vulnerable to a Man-in-the-middle attack. SSH provides some basic
> protection against this in the form of saved host keys. Unfortunately, this
> is insufficient as the network could be compromised before initial
> connection, and often users will just 'okay' the WARNING message anyways
> because it is falsely triggered so easily.

If you're worried about a compromise before the initial connection then
exchange the public key of the host separately at the same time you
exchange the individual's key.  No big deal.  I rarely run into cases where
there's a reason to be suspicious that early, however.

...
> If we add SRP client code to the OpenSSH client (a small amount of code
> that can be easily audited), and a small modification to the server it
> will make it possible to use SRP to authenticate on hosts that are using an
> SRP password file.

That's a worthwhile reason to add SRP support to OpenSSH, but I don't see
much value in enabling SRP if your system doesn't already have an SRP
password file.

- Dave Dykstra
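
Added example, not part of the original message: a sketch of the check implied by exchanging the host's public key separately, comparing the key a server offers on first connection against the copy handed over out of band. It assumes today's OpenSSH public-key line format (`type base64 comment`) and SHA256 fingerprint style, which postdate this thread; the key lines are constructed sample data and all function names are hypothetical.

```python
import base64, hashlib, hmac, struct

def parse_pubkey_line(line):
    """Return (key_type, blob) from an OpenSSH 'type base64 [comment]' line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob starts with a length-prefixed copy of the key type; a mismatch
    # means the line was damaged or altered on its way to us.
    if len(blob) < 4:
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match blob")
    return key_type, blob

def fingerprint(blob):
    """SHA256 fingerprint in the form printed by ssh-keygen -l."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_key_matches(pinned_line, offered_line):
    """True only if the offered host key is exactly the one received out of band."""
    _, pinned = parse_pubkey_line(pinned_line)
    _, offered = parse_pubkey_line(offered_line)
    return hmac.compare_digest(pinned, offered)

def make_line(seed, comment):
    """Build a constructed ssh-ed25519 line (sample data, not a real host key)."""
    name, key = b"ssh-ed25519", hashlib.sha256(seed).digest()
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(key)) + key
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment

# Constructed inputs: the pinned copy, a matching offer, and a substituted key.
PINNED = make_line(b"real host", "handed over in person")
OFFERED_OK = make_line(b"real host", "seen on first connect")
OFFERED_MITM = make_line(b"interceptor", "seen on first connect")

if __name__ == "__main__":
    for offered in (OFFERED_OK, OFFERED_MITM):
        _, blob = parse_pubkey_line(offered)
        ok = host_key_matches(PINNED, offered)
        print(fingerprint(blob), "match" if ok else "MISMATCH, do not connect")
```

The comparison is on the full key blob; the fingerprint is printed only so a person can read it back against the copy they were given.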





More information about the openssh-unix-dev mailing list