[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: AAARRRGGHHH! Re: OT: security of ssh/RSAAuthentication
On Wed, Jan 10, 2001 at 06:06:16PM +0100, Sebastian Stark wrote:
> Toni Mueller wrote:
> > Well, I need to answer myself:
> > On Wed, Jan 10, 2001 at 02:08:45PM +0100, Toni Mueller wrote:
> > > When I use RSAAuthentication, how much more or less
> > > secure is this compared to using normal
> > > ssh -l loginname host?
> If you use RSAAuth you also will have the need to supply a username.
> > Answer: Using RSAAuthentication is not more secure than
> > other ways because this demands the usage of protocol
> It is. Look at the current dsniff (http://www.monkey.org/)
this is not at all related to RSAAuthentication.
dsniff's MITM applies to the authentication of the SERVER to the USER.
> > version 1 which appears to have a small window that
> > allows anyone (in the proper position) to catch the
> > session and snoop on it (so far goes my reading of
> Even if you can snoop around and even if you can guess sequence numbers, you
> don't have the session key.
what sequence numbers?
> But, you're right: If you use ssh-agent and someone takes over your X session,
> there will be such an effect. So, that's the reason why I don't use X over the
> network but rather through an ssh tunnel.
how is the ssh-agent related to the X session?