[OT] ssh security

Lowell Gilbert freebsd-questions-local at be-well.ilk.org
Mon Mar 8 19:19:43 UTC 2010

Angelin Lalev <lalev.angelin at gmail.com> writes:

;2~> On Sun, Mar 7, 2010 at 11:25 PM, Angelin Lalev <lalev.angelin at gmail.com> wrote:
>> Greetings,
>> I'm doing some research into ssh and its underlying cryptographic
>> methods and I have questions. I don't know whom else to ask and humbly
>> ask for forgiveness if I'm way OT.
>> So, SSH uses algorithms like ssh-dss or ssh-rsa to do key exchange.
>> These algorithms can defeat any attempts on eavesdropping, but cannot
>> defeat man-in-the-middle attacks. To defeat them, some pre-shared
>> information is needed - key fingerprint.
>> If hypothetically someone uses instead of the plain text
>> authentication some challenge-response scheme, based on user's
>> password or even a hash of user's password would ssh be able to avoid
>> the need the user to have key fingerprints of the server prior the
>> first connection?
> To clarify, we as users anyway do have shared secret with the server
> and that's the authentication password why we could not use that
> instead of or in addition to a key fingerprint?

Because we don't want to give an attacker access to a shared secret if
we can verify host identity with a public key first.

Lowell Gilbert, embedded/networking software engineer, Boston area

More information about the freebsd-questions mailing list