
ssh and password authentication



Hi,

I have read several times, including on this list, that password
authentication with ssh does not send the password in clear text (it is
sent in the encrypted tunnel). This is confirmed by the ssh(1) man page:

     If other authentication methods fail, ssh prompts the user for a
     password. The password is sent to the remote host for checking;
     however, since all communications are encrypted, the password
     cannot be seen by someone listening on the network.

But the default sshd_config in the openssh-3.0.2p1 package has a comment
indicating the contrary:

,----
| # To disable tunneled clear text passwords, change to no here!
| PasswordAuthentication yes
`----

and according to that comment, the default setting would be insecure...
I don't believe it, but the comment seems to be a real bug (and an
upstream one, since it also appears in the .orig.tar.gz).

Any thoughts? Thanks.

-- 
Florent
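An added check, not part of this thread, that reports whether an sshd_config still has tunneled clear-text password authentication enabled. It assumes the sshd_config rule that the first value given for a keyword wins, the compiled-in default of "yes" when the keyword is absent, whitespace-separated keyword/value lines, and that the global section ends at the first Match line; the sample configs are constructed for the demonstration.

```shell
# Added example (not from the original post): audit sshd_config text for
# tunneled clear-text passwords. Assumed sshd_config semantics: the FIRST
# value for a keyword wins, the compiled-in default is "yes" when the
# keyword is absent, and a Match line ends the global section.

# Constructed sample configs.
SAMPLE_DEFAULT='# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PubkeyAuthentication yes'

SAMPLE_HARDENED='PubkeyAuthentication yes
PasswordAuthentication no
# a later duplicate does not override the first value
PasswordAuthentication yes'

SAMPLE_UNSET='PubkeyAuthentication yes'

# Print the effective global PasswordAuthentication value ("yes" or "no")
# for the config text passed as $1. Comments and blank lines are skipped;
# keyword matching is case-insensitive, as in sshd_config.
effective_password_auth() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(#|$)/ { next }     # skip comments and blank lines
        tolower($1) == "match" { exit }   # global section ends here
        tolower($1) == "passwordauthentication" {
            print tolower($2); found = 1; exit
        }
        END { if (!found) print "yes" }'  # compiled-in default
}

# Succeed (exit 0) when the config still allows password authentication.
allows_password_auth() {
    [ "$(effective_password_auth "$1")" = "yes" ]
}

for cfg in "$SAMPLE_DEFAULT" "$SAMPLE_HARDENED" "$SAMPLE_UNSET"; do
    if allows_password_auth "$cfg"; then
        echo "password authentication enabled; set PasswordAuthentication no"
    else
        echo "password authentication disabled"
    fi
done
```

Settings inside Match blocks are deliberately ignored, so a per-user or per-address override is not reflected in the global result; on a live host, feed the script the contents of /etc/ssh/sshd_config.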

