password authentication secure ?

Damien Miller djm at
Thu Mar 8 08:36:58 EST 2001

On Wed, 7 Mar 2001, Sunil K. Vallamkonda wrote:

> My question is regarding the possibility of someone wiretapping the
> communication and repeating the action. What if an intruder notices
> that there's a secure session starting (by guessing at the dst IP
> address and unintelligible payload) and then starts capturing all
> the packets on this session for the purpose of repeating the whole
> session again? The secure user could add/delete interfaces and
> stuff, therefore just by repeating this operation the intruder could
> generate a big problem on the network.
> This could be prevented only by having a timestamp.

You don't need a timestamp, just random numbers.

> Question:
> 1) Is there any timestamp mechanism on the ssh?


> 2) Is user's public key (RSA/DSA) method more secure than password
>    based authentication (even though the channel itself is encrypted) ?

From a protocol perspective, yes.


| Damien Miller <djm at> \ ``E-mail attachments are the poor man's
|          /   distributed filesystem'' - Dan Geer

More information about the openssh-unix-dev mailing list
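
The reply's point that random numbers are enough to stop a replayed session, as an added example that is not part of the original message and is not OpenSSH code. It is a simplified model, not the SSH wire protocol: `PSK`, `Server` and `client_send` are hypothetical names, and the constructed shared secret stands in for the result of a real key exchange.

```python
import hashlib
import hmac
import secrets

# Constructed value; stands in for the secret a real key exchange would produce.
PSK = b"constructed-shared-secret"


def derive_key(client_nonce, server_nonce):
    # The per-session key mixes in random values from BOTH sides.
    return hmac.new(PSK, client_nonce + server_nonce, hashlib.sha256).digest()


def mac(key, seq, command):
    # Sequence number is covered too, so packets cannot be reordered in-session.
    return hmac.new(key, seq.to_bytes(4, "big") + command, hashlib.sha256).digest()


class Server:
    """Toy server: each new connection gets a fresh random nonce."""

    def __init__(self):
        self.nonce = secrets.token_bytes(16)
        self.executed = []

    def receive(self, client_nonce, seq, command, tag):
        key = derive_key(client_nonce, self.nonce)
        if not hmac.compare_digest(tag, mac(key, seq, command)):
            return False  # MAC was computed under another session's key
        self.executed.append(command)
        return True


def client_send(server_nonce, seq, command):
    client_nonce = secrets.token_bytes(16)
    key = derive_key(client_nonce, server_nonce)
    return client_nonce, seq, command, mac(key, seq, command)


def demo():
    first = Server()
    captured = client_send(first.nonce, 0, b"delete interface eth1")
    accepted_live = first.receive(*captured)      # legitimate session
    second = Server()                             # later connection, new nonce
    accepted_replay = second.receive(*captured)   # recorded bytes sent again
    return accepted_live, accepted_replay, second.executed


if __name__ == "__main__":
    print(demo())
```

The recorded client nonce can be resent unchanged, but the server's nonce is new on every connection, so the captured MAC no longer verifies and no clock is involved.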