password authentication secure?
Damien Miller
djm at mindrot.org
Thu Mar 8 08:36:58 EST 2001
On Wed, 7 Mar 2001, Sunil K. Vallamkonda wrote:
>
> My question is regarding the possibility of someone wiretapping the
> communication and repeating the action. What if an intruder notices
> that there's a secure session starting (by guessing at the dst IP
> address and unintelligible payload) and then starts capturing all
> the packets on this session for the purpose of repeating the whole
> session again? The secure user could add/delete interfaces and
> stuff, therefore just by repeating this operation the intruder could
> generate a big problem on the network.
>
> This could be prevented only by having a timestamp.
You don't need a timestamp, just random numbers.
> Question:
>
> 1) Is there any timestamp mechanism in ssh?
No.
> 2) Is user's public key (RSA/DSA) method more secure than password
> based authentication (even though the channel itself is encrypted) ?
From a protocol perspective, yes.
-d
--
| Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer
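
The point made in the reply above, that random numbers rather than timestamps are enough to stop a recorded session from being replayed, as an added example that is not part of the original post or of OpenSSH. It is a toy model, not SSH's key exchange: a constructed shared secret stands in for the key-exchange result, encryption is omitted, and `session_key`, `client_send`, `Server` and `demo` are hypothetical names.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the secret a real key exchange would produce.
SHARED_SECRET = secrets.token_bytes(32)


def session_key(client_nonce: bytes, server_nonce: bytes) -> bytes:
    """Per-session MAC key bound to both sides' random numbers."""
    return hmac.new(SHARED_SECRET, client_nonce + server_nonce, hashlib.sha256).digest()


def client_send(key: bytes, seq: int, payload: bytes) -> bytes:
    """Packet = payload || HMAC(key, sequence number || payload)."""
    return payload + hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()


class Server:
    def __init__(self) -> None:
        self.executed = []

    def new_session(self, client_nonce: bytes) -> bytes:
        # The server picks a fresh random number for every session, so the
        # key differs even if an attacker replays the client's old nonce.
        server_nonce = secrets.token_bytes(16)
        self.key, self.seq = session_key(client_nonce, server_nonce), 0
        return server_nonce

    def receive(self, packet: bytes) -> bool:
        payload, tag = packet[:-32], packet[-32:]
        good = client_send(self.key, self.seq, payload)[-32:]
        if not hmac.compare_digest(tag, good):
            return False  # wrong session key or wrong sequence number
        self.seq += 1
        self.executed.append(payload)
        return True


def demo():
    server = Server()
    c_nonce = secrets.token_bytes(16)
    key = session_key(c_nonce, server.new_session(c_nonce))
    recorded = client_send(key, 0, b"delete interface eth1")  # captured on the wire
    first = server.receive(recorded)           # genuine packet
    same_session = server.receive(recorded)    # replay inside the session
    server.new_session(c_nonce)                # attacker replays the handshake
    later_session = server.receive(recorded)   # replay of the recorded packet
    return first, same_session, later_session, server.executed
```

The recorded packet is accepted once; the replay inside the session fails on the sequence number, and the replay in a later session fails because the server's new random number changed the key.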