password authentication secure ?

Damien Miller djm at mindrot.org
Thu Mar 8 08:36:58 EST 2001


On Wed, 7 Mar 2001, Sunil K. Vallamkonda wrote:

>
> My question is regarding the possibility of someone wiretapping the
> communication and repeating the action. What if an intruder notices
> that there's a secure session starting (by guessing at the dst IP
> address and unintelligible payload) and then starts capturing all
> the packets on this session for the purpose of repeating the whole
> session again? The secure user could add/delete interfaces and
> stuff, therefore just by repeating this operation the intruder could
> generate a big problem on the network.
>
> This could be prevented only by having a timestamp.

You don't need a timestamp, just random numbers.

> Question:
>
> 1) Is there any timestamp mechanism on the ssh?

No.

> 2) Is user's public key (RSA/DSA) method more secure than password
>    based authentication (even though the channel itself is encrypted) ?

From a protocol perspective, yes.

-d

-- 
| Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's
| http://www.mindrot.org          /   distributed filesystem'' - Dan Geer
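
A simplified model of the "random numbers instead of a timestamp" point in the reply above, added here as an illustration; it is not part of the original message and is not OpenSSH code or the SSH wire protocol. It assumes a constructed pre-shared secret standing in for key exchange, and the names `Server`, `run_client` and `replay` are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed secret standing in for the output of key agreement (assumption).
SHARED_SECRET = b"constructed-demo-secret"

def session_key(client_nonce, server_nonce):
    # Both sides' random numbers feed the key, so every session gets a new one.
    data = b"session" + client_nonce + server_nonce
    return hmac.new(SHARED_SECRET, data, hashlib.sha256).digest()

def tag(key, seq, command):
    # MAC over the sequence number and payload, keyed with the session key.
    return hmac.new(key, seq.to_bytes(4, "big") + command, hashlib.sha256).digest()

class Server:
    def __init__(self):
        self.applied = []  # commands that passed verification

    def start_session(self, client_nonce):
        self.server_nonce = secrets.token_bytes(16)  # fresh for every session
        self.key = session_key(client_nonce, self.server_nonce)
        self.next_seq = 0
        return self.server_nonce

    def receive(self, packet):
        seq, command, mac = packet
        ok = seq == self.next_seq and hmac.compare_digest(mac, tag(self.key, seq, command))
        if ok:
            self.next_seq += 1
            self.applied.append(command)
        return ok

def run_client(server, commands):
    """Legitimate session; returns what a wiretapper would have recorded."""
    client_nonce = secrets.token_bytes(16)
    key = session_key(client_nonce, server.start_session(client_nonce))
    packets = [(seq, cmd, tag(key, seq, cmd)) for seq, cmd in enumerate(commands)]
    accepted = [server.receive(p) for p in packets]
    return client_nonce, packets, accepted

def replay(server, client_nonce, packets):
    """Replay the recorded bytes into a new session; the server nonce differs."""
    server.start_session(client_nonce)
    return [server.receive(p) for p in packets]
```

The recorded packets fail in the new session because the server's fresh nonce changes the MAC key, and they fail inside the original session because the sequence number has already advanced; no clock is involved in either check.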






More information about the openssh-unix-dev mailing list