Re: AAARRRGGHHH! Re: OT: security of ssh/RSAAuthentication
Toni Mueller wrote:
> Well, I need to answer myself:
>
> On Wed, Jan 10, 2001 at 02:08:45PM +0100, Toni Mueller wrote:
> > When I use RSAAuthentication, how much more or less
> > secure is this compared to using normal
> > ssh -l loginname host?
If you use RSAAuth you also will have the need to supply a username.
> Answer: Using RSAAuthentication is not more secure than
> other ways because this demands the usage of protocol
It is. Look at the current dsniff (http://www.monkey.org/)
> version 1 which appears to have a small window that
> allows anyone (in the proper position) to catch the
> session and snoop on it (so far goes my reading of
Even if you can snoop around and even if you can guess sequence numbers, you
don't have the session key.
> man sshd). There could, of course, well be some kind
> of domino effect once a host is cracked where users
> have empty passphrases and RSAAuthentication on.
That's why you should protect your private key with more than an empty
passphrase.
But, you're right: If you use ssh-agent and someone takes over your X session,
there will be such an effect. So, that's the reason why I don't use X over the
network but rather through an ssh tunnel.