On Tue, Jun 25, 2002 at 03:35:19PM +0200, Florent Rougon wrote:
> Hi,
>
> I have read several times, including on this list, that password
> authentication with ssh does not send the password in clear text (it is
> sent in the encrypted tunnel). This is confirmed by the ssh(1) man page:
>
>     If other authentication methods fail, ssh prompts the user for a
>     password. The password is sent to the remote host for checking;
>     however, since all communications are encrypted, the password
>     cannot be seen by someone listening on the network.
>
> But the default sshd_config in the openssh-3.0.2p1 package has a comment
> indicating the contrary:
>
> ,----
> | # To disable tunneled clear text passwords, change to no here!
> | PasswordAuthentication yes
> `----
>
> and according to that comment, the default setting would be insecure...

The keyword is "tunneled clear text" - i.e. it *is* clear text. But it's
inside the ssh tunnel (which happens to be encrypted).

> I don't believe it, but the comment seems to be a real bug (and an
> upstream one, since it also appears in the .orig.tar.gz).

I agree the way it is phrased in /etc/ssh/sshd_config is slightly
confusing though; perhaps a wishlist bug is in order?

-- 
Karl E. Jørgensen
karl@jorgensen.com
www.karl.jorgensen.com
==== Today's fortune:
The moon may be smaller than Earth, but it's further away.
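The thread turns on what "PasswordAuthentication yes" actually permits. The script below is an added example, not code from the thread or from the OpenSSH project: it audits the global section of an sshd_config for any remaining password path, applying the sshd_config(5) rules that keywords are case-insensitive, the first occurrence wins, and lines after a "Match" header are conditional. It goes beyond the 3.0.2p1 setting under discussion by also checking the PAM keyboard-interactive path (UsePAM plus KbdInteractiveAuthentication, formerly ChallengeResponseAuthentication), which did not exist in that release and is assumed to follow current sshd semantics. The three configurations are constructed samples; the first reproduces the Debian default quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): audit the global section of an sshd_config
# for any way a password can still be used to log in. Mirrors sshd_config(5) rules:
#   - keywords are case-insensitive and the FIRST occurrence wins
#   - lines after a "Match" header apply only conditionally, so they are not
#     part of the global verdict
#   - an unset keyword takes sshd's default
# UsePAM and KbdInteractiveAuthentication postdate openssh-3.0.2p1 (assumed here
# to follow current sshd semantics); ChallengeResponseAuthentication is the older
# name of KbdInteractiveAuthentication.

# sshd_global_value CONFIG KEYWORD DEFAULT
# Prints the lower-cased global value of KEYWORD, or DEFAULT when it is unset.
sshd_global_value() {
    printf '%s\n' "$1" | awk \
        -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        NF == 0 || $1 ~ /^#/          { next }   # blank lines and comments
        tolower($1) == "match"        { exit }   # global section ends here
        tolower($1) == want && !found { found = 1; val = tolower($2) }
        END { print (found ? val : def) }'
}

# password_login_possible CONFIG
# Returns 0 if a password can still authenticate a user, 1 otherwise. Two paths:
#   1. the "password" method (PasswordAuthentication yes, which is sshd's default)
#   2. the "keyboard-interactive" method backed by PAM, which normally prompts
#      for the same Unix password (UsePAM yes + KbdInteractiveAuthentication yes)
password_login_possible() {
    pw=$(sshd_global_value "$1" PasswordAuthentication yes)
    pam=$(sshd_global_value "$1" UsePAM no)
    kbd=$(sshd_global_value "$1" KbdInteractiveAuthentication "")
    [ -n "$kbd" ] || kbd=$(sshd_global_value "$1" ChallengeResponseAuthentication yes)
    [ "$pw" = yes ] && return 0
    [ "$pam" = yes ] && [ "$kbd" = yes ] && return 0
    return 1
}

# password_audit CONFIG
# One-line verdict, convenient to assert on from another script.
password_audit() {
    if password_login_possible "$1"; then
        echo "password login POSSIBLE"
    else
        echo "password login DISABLED"
    fi
}

# Constructed sample 1: the Debian openssh-3.0.2p1 default quoted in the thread.
CFG_DEFAULT='# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes'

# Constructed sample 2: the common near-miss. PasswordAuthentication is off, but
# PAM keyboard-interactive still asks for the Unix password.
CFG_NEARMISS='PasswordAuthentication no
UsePAM yes
ChallengeResponseAuthentication yes'

# Constructed sample 3: really key-only. The Match block re-enables passwords for
# one subnet, which must not leak into the global verdict.
CFG_HARDENED='PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
Match Address 10.0.0.0/8
    PasswordAuthentication yes'

printf 'default:  %s\n' "$(password_audit "$CFG_DEFAULT")"
printf 'nearmiss: %s\n' "$(password_audit "$CFG_NEARMISS")"
printf 'hardened: %s\n' "$(password_audit "$CFG_HARDENED")"
```

On a live host whose sshd supports the -T flag (an assumption about the installed version), `password_audit "$(sudo sshd -T)"` runs the same check against the effective configuration with defaults already resolved, which sidesteps the first-occurrence-wins and Match subtleties the parser above has to model for a raw file.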