Re: ssh authentication configuration?



Hi Joshua,

There should be no problem with using PasswordAuthentication with SSH
since the passwords are _NOT_ sent in the clear.  Rather, the "clear
text" password is sent over the encrypted channel.  From the SSH(1) man
page:

  The password is sent to the remote host for checking; however, since
  all communications are encrypted, the password cannot be seen by
  someone listening on the network.

Patrick

On Wed, May 29, 2002 at 09:58:00AM +1000, Joshua Goodall wrote:
> Stephen,
> 
> On Tue, May 28, 2002 at 05:51:02PM -0700, Stephen Johnson wrote:

[snip]

> > I've always disabled clear text passwords (PasswordAuthentication no),
> > and turned on PAM auth (PAMAuthenticationViaKbdInt yes).  That's always

[snip] 

> I'll assume you're using OpenSSH version 3.x that's in the
> Debian/testing distribution.
> 
> The password will still be sent in the clear; there is a difference in
> the way the server handles it (that is, it palms off to PAM the
> responsibility of letting you in) and a difference in the way the
> client negotiates (iirc it's nonfunctional if the client doesn't request
> keyboard-interactive negotiation).
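
The configuration discussed in this thread, as an added example that is not part of the original messages or of OpenSSH: a Python script that reads sshd_config text and lists the authentication methods through which a password still reaches the server. The keyword defaults and the first-occurrence-wins parsing are assumptions about OpenSSH 3.x behaviour, and the sample configurations are constructed.

```python
# Added example. Assumed OpenSSH 3.x defaults for the two keywords in the thread.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pamauthenticationviakbdint": "no",
}


def effective_settings(config_text):
    """Return the effective value of each tracked keyword.

    Keywords are matched case-insensitively and the first occurrence wins
    (assumed sshd_config semantics); lines starting with '#' are comments.
    """
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key in DEFAULTS and key not in seen:
            seen[key] = value
    return {**DEFAULTS, **seen}


def password_paths(config_text):
    """List the methods by which the server still receives a password."""
    settings = effective_settings(config_text)
    paths = []
    if settings["passwordauthentication"] == "yes":
        paths.append("password")
    if settings["pamauthenticationviakbdint"] == "yes":
        # PAM prompts for the password over keyboard-interactive instead.
        paths.append("keyboard-interactive (PAM)")
    return paths


# Constructed sample: the settings quoted from Stephen's message.
THREAD_CONFIG = "PasswordAuthentication no\nPAMAuthenticationViaKbdInt yes\n"
# Constructed sample: both password paths closed (e.g. public-key only).
KEY_ONLY_CONFIG = "# keys only\npasswordauthentication no\nPAMAuthenticationViaKbdInt no\n"

if __name__ == "__main__":
    for name, text in (("thread", THREAD_CONFIG), ("key-only", KEY_ONLY_CONFIG)):
        print(name, "->", password_paths(text) or "no password path")
```

In both remaining cases the password travels inside the encrypted SSH channel; the script only reports whether the server will accept one at all.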

