Re: AAARRRGGHHH! Re: OT: security of ssh/RSAAuthentication
On Wed, Jan 10, 2001 at 06:06:16PM +0100, Sebastian Stark wrote:
> Toni Mueller wrote:
> > Well, I need to answer myself:
> >
> > On Wed, Jan 10, 2001 at 02:08:45PM +0100, Toni Mueller wrote:
> > > When I use RSAAuthentication, how much more or less
> > > secure is this compared to using normal
> > > ssh -l loginname host?
>
> If you use RSAAuth you also will have the need to supply a username.
>
> > Answer: Using RSAAuthentication is not more secure than
> > other ways because this demands the usage of protocol
>
> It is. Look at the current dsniff (http://www.monkey.org/)

this is not at all related to RSAAuthentication.
dsniff's MITM applies to the authentication of the SERVER to the USER.

> > version 1 which appears to have a small window that
> > allows anyone (in the proper position) to catch the
> > session and snoop on it (so far goes my reading of
>
> Even if you can snoop around and even if you can guess sequence numbers, you
> don't have the session key.

what sequence numbers?

> But, you're right: If you use ssh-agent and someone takes over your X session,
> there will be such an effect. So, that's the reason why I don't use X over the
> network but rather through an ssh tunnel.

how is the ssh-agent related to the X session?

-markus