OpenSSH for Windows
Darren Tucker
dtucker at zip.com.au
Wed Jul 30 23:26:14 EST 2008
Corinna Vinschen wrote:
> On Jul 29 14:00, Jim Knoble wrote:
>> Circa 2008-07-29 06:08 dixit Corinna Vinschen:
>> : Actually, if we wanted to, we could easily do the same. But I'm still
>> : feeling rather uncomfortable with the idea of having a two-way encrypted
>> : password stored somewhere in the system.
>>
>> You could encrypt the user's password using the user's SSH public key.
>> Then the private key could be used to both authenticate and decrypt the
>> password. It's a bit cumbersome if there are more than a few keypairs
>> used to access the account, but ... just a thought.
>
> That's an interesting idea but the problem is that the user context
> change is generic code buried within the seteuid call. It has to work
> with all sorts of applications changing the user context, not just with
> sshd. Therefore, a generic solution is required.
>
> I'm not overly encryption savvy. Is it at all possible to store a
> two-way encrypted password in a safe way, using a known encryption
> mechanism, storing it in a known location? Even if another key is used
> on every machine?
I don't think it's feasible from a protocol perspective; for ssh v2 the
server never has access to the corresponding private key, only a chunk
of data provided by the client that's signed with the private key (said
chunk of data containing amongst other things a session id and the user
name).
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
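The protocol point above (the server sees only a signature over a blob that includes the session id and user name, never the private key) can be made concrete. The following is an added example, not code from the thread or from OpenSSH: it builds the RFC 4252 section 7 "publickey" authentication blob with SSH wire encoding, signs it client-side with an Ed25519 key, and verifies it server-side using only the public key. The session ids and user name are constructed values; a real session id is the key-exchange hash, and a real signature is wrapped in an algorithm-tagged signature string, which this example omits.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// sshString encodes an SSH "string" (RFC 4251): uint32 big-endian length, then bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// readString decodes one SSH "string" and returns it with the remaining bytes.
func readString(b []byte) (s, rest []byte, ok bool) {
	if len(b) < 4 {
		return nil, nil, false
	}
	n := binary.BigEndian.Uint32(b)
	if uint64(n) > uint64(len(b)-4) {
		return nil, nil, false
	}
	return b[4 : 4+n], b[4+n:], true
}

// signedData builds the data the client signs for SSH_MSG_USERAUTH_REQUEST
// with method "publickey" (RFC 4252 section 7). The session id and user name
// are bound into it, so the signature is useless on another session.
func signedData(sessionID []byte, user, service, algo string, pubBlob []byte) []byte {
	var buf bytes.Buffer
	buf.Write(sshString(sessionID))
	buf.WriteByte(50) // SSH_MSG_USERAUTH_REQUEST
	buf.Write(sshString([]byte(user)))
	buf.Write(sshString([]byte(service)))
	buf.Write(sshString([]byte("publickey")))
	buf.WriteByte(1) // boolean TRUE: a signature is present
	buf.Write(sshString([]byte(algo)))
	buf.Write(sshString(pubBlob))
	return buf.Bytes()
}

// ed25519PubBlob encodes a public key as an "ssh-ed25519" key blob (RFC 8709).
func ed25519PubBlob(pub ed25519.PublicKey) []byte {
	var buf bytes.Buffer
	buf.Write(sshString([]byte("ssh-ed25519")))
	buf.Write(sshString(pub))
	return buf.Bytes()
}

// ClientSign is the client side: it is the only party holding the private key.
func ClientSign(priv ed25519.PrivateKey, sessionID []byte, user string, pubBlob []byte) []byte {
	data := signedData(sessionID, user, "ssh-connection", "ssh-ed25519", pubBlob)
	return ed25519.Sign(priv, data)
}

// ServerVerify is the server side: it has the public key blob (e.g. from
// authorized_keys), the session id it negotiated, and the claimed user name.
// Nothing here could decrypt data encrypted to that public key.
func ServerVerify(pubBlob, sessionID []byte, user string, sig []byte) bool {
	algo, rest, ok := readString(pubBlob)
	if !ok || string(algo) != "ssh-ed25519" {
		return false
	}
	raw, _, ok := readString(rest)
	if !ok || len(raw) != ed25519.PublicKeySize {
		return false
	}
	data := signedData(sessionID, user, "ssh-connection", "ssh-ed25519", pubBlob)
	return ed25519.Verify(ed25519.PublicKey(raw), data, sig)
}

// Demo runs one exchange: a genuine authentication on session A, then the
// same signature presented on session B (a replay), which must fail.
func Demo() (genuine bool, replayed bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pubBlob := ed25519PubBlob(pub)
	sessionA := []byte("constructed-session-id-A") // constructed; really the exchange hash
	sessionB := []byte("constructed-session-id-B")
	sig := ClientSign(priv, sessionA, "alice", pubBlob)
	genuine = ServerVerify(pubBlob, sessionA, "alice", sig)
	replayed = ServerVerify(pubBlob, sessionB, "alice", sig)
	return genuine, replayed
}

func main() {
	genuine, replayed := Demo()
	fmt.Printf("genuine auth accepted: %v, replayed on other session accepted: %v\n", genuine, replayed)
}
```

Because the server's entire input is the public key and a signature over session-bound data, it has nothing it could use as a decryption key for a password stored under that public key, which is why the thread's encrypt-to-the-user's-key idea cannot be completed server-side.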