[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: DSA-134-1

At 1:01 Uhr +0200 26.06.2002, Christian Jaeger wrote:
(Well, it would be easy if logins are username/password only: if the check for correct username/password is done by process 1, process 2 has to provide them which it can't if the cracker doesn't know them anyway. But since ssh also allows public-key based logins, and I would guess that the key check is done by process 2, it looks different. Sorry if this starts to be OT.)
Replying to myself: even in the case of public-key authentification the work is done in process 1. (Well of course it has to be done there since only process 1 does have access to the public keys :o) There's a link to http://www.citi.umich.edu/u/provos/ssh/privsep.html on www.openssh.org now, which also explains it a bit. (BTW I've noticed that the child process is really just a forked copy of the parent, so both processes do have the same code. (Which is not any risk in itself of course.)) 

Christian.


--
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: