OpenSSH daemon security bug?

Jefferson Ogata Jefferson.Ogata at noaa.gov
Wed Jan 6 05:48:27 EST 2010


On 2010-01-05 15:21, Mark Janssen wrote:
> The server has no way of knowing if the key had a passphrase (was
> encrypted), as it never sees the private key. The private key is only
> used for authentication/encryption on the client-side.

Actually the server could theoretically determine heuristically if the
key has no passphrase (or if the user is using ssh-agent) by timing the
key transaction. I've often thought it would be useful for sshd to have
an option for requiring that there be a delay before each pubkey
transaction for the purpose of assuring that a passphrase is being typed
on the client side.

Obviously someone could hack the client or agent to work around this,
but it would still help, in my opinion, for particular, interactive-only
situations where people are authenticating from an external origin.

-- 
Jefferson Ogata <Jefferson.Ogata at noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt at noaa.gov>
"Never try to retrieve anything from a bear."--National Park Service
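
The timing heuristic suggested in the message above, sketched as offline log analysis rather than as an sshd option. This is an added example, not part of the original message or of OpenSSH; the log line shape, the sample lines and the 2-second threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed sample log lines (not from the original post). Assumed shape:
# ISO-8601 timestamp, host, sshd[PID], then a "Postponed publickey" line when
# the client offers a key and an "Accepted publickey" line once it has signed.
SAMPLE_LOG = """\
2010-01-06T05:40:01.120 gw sshd[4101]: Postponed publickey for alice from 192.0.2.10 port 50122 ssh2 [preauth]
2010-01-06T05:40:01.310 gw sshd[4101]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
2010-01-06T05:41:12.500 gw sshd[4107]: Postponed publickey for bob from 192.0.2.20 port 40001 ssh2 [preauth]
2010-01-06T05:41:19.900 gw sshd[4107]: Accepted publickey for bob from 192.0.2.20 port 40001 ssh2
2010-01-06T05:42:00.000 gw sshd[4110]: Accepted publickey for carol from 192.0.2.30 port 40100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[(?P<pid>\d+)\]: "
    r"(?P<event>Postponed|Accepted) publickey for (?P<user>\S+) from (?P<src>\S+)"
)

# Hypothetical threshold: a signature arriving sooner than this after the key
# offer is treated as "nobody typed a passphrase".
MIN_HUMAN_DELAY = 2.0  # seconds


def classify_pubkey_logins(log_text, min_delay=MIN_HUMAN_DELAY):
    """Return (user, source, delay_seconds, verdict) for each accepted login."""
    offered = {}  # sshd PID -> time of the first key offer in that session
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        pid = m["pid"]
        if m["event"] == "Postponed":
            offered.setdefault(pid, ts)  # keep the earliest offer only
            continue
        start = offered.pop(pid, None)
        if start is None:
            # No offer line seen for this session, so there is nothing to time.
            results.append((m["user"], m["src"], None, "unknown"))
            continue
        delay = (ts - start).total_seconds()
        verdict = "interactive" if delay >= min_delay else "no-prompt"
        results.append((m["user"], m["src"], delay, verdict))
    return results
```

A "no-prompt" verdict cannot tell an unencrypted key from one held in ssh-agent, and an "interactive" verdict only shows that the client waited before signing.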


More information about the openssh-unix-dev mailing list