Re: ssh

From: Jose Nazario (joseat_private)
Date: Wed Feb 06 2002 - 12:43:29 PST

Next message: Jose Nazario: "Re: ssh"

Previous message: TWyrickat_private: "Re: chaging your @home IP address... could you take a bunch ofthe m....probably... could you get something from it...maybe"
In reply to: -l0rt-: "ssh"
Next in thread: -l0rt-: "Re: ssh"
Next in thread: Jose Nazario: "Re: ssh"
Reply: -l0rt-: "Re: ssh"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 6 Feb 2002, -l0rt- wrote:

> 	When using password auth, how difficult would it be for someone
> to sniff my connection and extract/crack my password? I only ask
> because someone mentioned that it would not be too difficult.  What
> are the primary differences between password auth and pubkey? Is using
> password auth really that much less secure?  Please give me the
> details..

i covered these topics in a recent linux journal piece i wrote:

http://www.linuxjournal.com/article.php?sid=5672

briefly:

o password recovery from password authentication
  http://www.openwall.com/advisories/OW-003-ssh-traffic-analysis.txt

in a nutshell, the exact length of the password used in SSH-1.5 (protocol)
can be observed by an eavesdropper. then, using a password cracker, they
can improve tehir efficiency and speed things up by a factor of 50 at the
outside. note that this isn't terribly huge if you have a strong password,
but it can be noticable. secondly, this doesn't affect SSH-2 (the
protocol).

o differences between password and public key auth

ssh can use DSA or RSA keys for authentication. the client sends, rather
than a password, a reply encrypted with your private key, which your
public key (which the server has been told about by you) can decrypt. you
are now verified, as only your key could have done that. these keys are
protected on your system, typically, by using a passphrase.

a great discussion of how to do this is:

	http://www-106.ibm.com/developerworks/library/l-keyc.html

to compare these two methods of authentication, password and public key,
is pretty simple in many respects. first, the search space for passwords
is significantly smaller than that for ssh RSA/DSA keypairs. secondly, you
can protect your ssh identity with longer passphrases, which are typically
stronger, all things being equal. the risk here is a compromise of your
host to capture the key (either an unprotected key or a capture of your
passphrase or a capture of the stored key in your agent). good host
security will help protect against this.

in a nutshell, look at public key authentication using SSH-2 (not
SSH-1.5), as i discuss in my LJ piece (where i looked at the attacks in
the year 2001 against the ssh toolset and make some reccomendations),
written to answer these kinds of questions.

all the best,

____________________________
jose nazario						     joseat_private
	      	     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
				       PGP key ID 0xFD37F4E5 (pgp.mit.edu)

Next message: Jose Nazario: "Re: ssh"
Previous message: TWyrickat_private: "Re: chaging your @home IP address... could you take a bunch ofthe m....probably... could you get something from it...maybe"
In reply to: -l0rt-: "ssh"
Next in thread: -l0rt-: "Re: ssh"
Next in thread: Jose Nazario: "Re: ssh"
Reply: -l0rt-: "Re: ssh"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Feb 06 2002 - 12:57:08 PST