[OT] ssh security

Noel Jones noeldude at gmail.com
Mon Mar 8 20:27:46 UTC 2010

On Sun, Mar 7, 2010 at 3:25 PM, Angelin Lalev <lalev.angelin at gmail.com> wrote:
> Greetings,
> I'm doing some research into ssh and its underlying cryptographic
> methods and I have questions. I don't know whom else to ask and humbly
> ask for forgiveness if I'm way OT.
> So, SSH uses algorithms like ssh-dss or ssh-rsa to do key exchange.
> These algorithms can defeat any attempts on eavesdropping, but cannot
> defeat man-in-the-middle attacks. To defeat them, some pre-shared
> information is needed - key fingerprint.
> If hypothetically someone uses instead of the plain text
> authentication some challenge-response scheme, based on user's
> password or even a hash of user's password would ssh be able to avoid
> the need the user to have key fingerprints of the server prior the
> first connection?

Hypothetically, SSH could use a zero-knowledge authentication method
such as SRP[1].  Until new code is written for ssh to take advantage
of something like this, we're stuck with what's available.

  -- Noel Jones

[1] http://srp.stanford.edu/

More information about the freebsd-questions mailing list