SRP Patch Integration?
Tom Wu
tom at arcot.com
Wed Feb 13 13:26:52 EST 2002
Damien Miller wrote:
>
> On Tue, 12 Feb 2002, Tom Wu wrote:
>
> > Markus Friedl wrote:
> > >
> > > On Mon, Feb 11, 2002 at 07:26:16PM -0800, Tom Wu wrote:
> > > > Simply stated, SRP is a strong password authentication protocol that
> > > > resists passive/active network attack, and when used in conjunction with
> > > > OpenSSH, solves the "unknown host key" problem without requiring host
> > > > key fingerprint verification or PKI deployment (e.g. X.509 certs). Put
> > >
> > > AFAIK the same applies to SSH2 w/ pubkey auth.
> >
> > Yes, but doesn't the client need a copy of the encrypted private key
> > somewhere? When you log in from a new location, you need to initialize
> > the credentials there out-of-band. With SRP or any other strong
> > password technology, this isn't necessary - the password itself is the
> > authenticator.
>
> You need to initialise a password out of band too.

Once, on any given server with a strong password mechanism. With pubkey
auth, it seems you would need to initialize the credential out-of-band
for every {client, server} pair. Ordinary users already have enough
trouble with passwords as it is; at least SRP gives them more security
without having to change the way they interact with the system.

> -d

Tom
--
Tom Wu
Principal Software Engineer
Arcot Systems
(408) 969-6124
"The Borg? Sounds Swedish..."
More information about the openssh-unix-dev mailing list