Disabling Password-based auth? (was RE: recent breakins)

Markus Friedl Markus.Friedl at informatik.uni-erlangen.de
Sat Jun 2 00:10:34 EST 2001

On Fri, Jun 01, 2001 at 06:59:13AM -0700, Jason Stone wrote:
> That's exactly the point of SRP (well, one of the points) - it takes care
> of that - even if the host in the middle has been compromised and the
> attacker is sniffing all the ttys or something

but the attack involved trojan ssh clients, so SRP does not
help at all, whereas agent forwarded pubkey auth would have
improved the situtations for the 'victims'.


More information about the openssh-unix-dev mailing list