recent breakins

Tom Holroyd tomh at po.crl.go.jp
Fri Jun 1 18:52:50 EST 2001


On Fri, 1 Jun 2001, Gert Doering wrote:

> On Fri, Jun 01, 2001 at 11:24:49AM +0900, Tom Holroyd wrote:
> > But what about multiple links?  It should be possible to forward
> > authentication requests back to the user's keyboard.  The SRP protocol can
> > be forwarded over any number of links, *even through a trojaned ssh*
> > without revealing any information that a cracker can use.
>
> Same with agent forwarding and using RSAAuthentication.

True.  Too bad the guy wasn't using it.  Why wasn't he using it?

Perhaps OpenSSH should simply disallow password authentication?

This type of man-in-the-middle attack (trojaned ssh) is not theoretical
anymore, and password authentication is broken.


The question is, can password authentication be (securely) forwarded?  If
not, then we really should remove password authentication as an option.




More information about the openssh-unix-dev mailing list