password authentication secure?

Sunil K. Vallamkonda sunil at redback.com
Thu Mar 8 06:41:40 EST 2001


My question is regarding the possibility of someone wiretapping the
communication and repeating the action. What if an intruder notices that there's
a secure session starting (by guessing at the dst IP address and
unintelligible payload) and then starts capturing all the packets on this
session for the purpose of repeating the whole session again? The secure
user could add/delete interfaces and stuff, therefore just by repeating this
operation the intruder could generate a big problem on the network.

This could be prevented only by having a timestamp. 

Question:

1) Is there any timestamp mechanism in ssh?

2) Is the user's public key (RSA/DSA) method more secure than password
   based authentication (even though the channel itself is encrypted)?




Thank you,

Sunil.






More information about the openssh-unix-dev mailing list