LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 08-18-2006, 09:59 PM   #1
Synesthesia
Member
 
Registered: Jan 2004
Location: the abyss
Posts: 205

Rep: Reputation: 30
Passwords sent in clear text?


I was under the understanding that in ssh passwords were never sent in clear text (as in ssl). This is from sshd_config:
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

Does this mean you cant have password authentication if you don't want them sent in clear text?!
 
Old 08-18-2006, 11:10 PM   #2
bulliver
Senior Member
 
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86_64; Gentoo PPC; FreeBSD; OS X 10.9.4
Posts: 3,760
Blog Entries: 4

Rep: Reputation: 77
No. It means you can disable password authentication and use only key-based authentication instead. This way someone trying to connect will not even get a password prompt to try to brute-force unless they have a known key.

Edit: sorry I missed this line:
Quote:
# To disable tunneled clear text passwords, change to no here!
I have no idea why that is in your sshd_config. ssh does _not_ send passwords in plain text. That is the whole point of ssh, to replace old-school programs like rsh that do...

Last edited by bulliver; 08-18-2006 at 11:12 PM.
 
Old 08-18-2006, 11:13 PM   #3
randyding
Member
 
Registered: May 2004
Posts: 552

Rep: Reputation: 31
There's two ways to authenticate, public/private keys or passwords.
By default they are both enabled, you have the option to turn off passwords and that is what PasswordAuthentication does.
If you are authenticating with a password, its still encrypted in the tunnel, I agree the description that says "clear text" is a little misleading. In other words a packet sniffer will not see the password in clear text.
 
Old 08-19-2006, 03:58 AM   #4
Synesthesia
Member
 
Registered: Jan 2004
Location: the abyss
Posts: 205

Original Poster
Rep: Reputation: 30
Wow, thats much more than misleading.... If you are right, then the "clear text" statement is absolutely incorrect.
 
Old 08-19-2006, 11:35 AM   #5
BeesTea
LQ Newbie
 
Registered: Jul 2006
Posts: 1

Rep: Reputation: 0
They did include the word "tunneled" in describing the clear text exchange.

The idea is that your credentials are visible to the sshd as clear text (it's reading them after they come out of the tunnel). There have been multiple instances where miscreants compromise a multi-user system and replace the sshd binary with one that logs those tunneled credentials. Using PKI with SSH makes that no longer possible.

I don't think the warning is misleading, perhaps just too much information for folks not familiar with the workings of ssh.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
How to clear a std::string buff.clear()? lucky6969b Programming 3 03-17-2006 08:50 AM
phpldapadmin & clear text cookies [GOD]Anck Linux - Security 4 01-31-2005 08:41 AM
Completely uninstalling MySQL and its passwords passwords...how? I locked myself out! Baix Linux - Newbie 2 01-30-2005 05:10 PM
If you use secure IMAP, does your password go clear text? cryptosporidium Linux - Security 1 03-25-2004 03:11 AM
clear recent list, edit reopened text file obby Linux - General 0 09-17-2003 09:30 AM


All times are GMT -5. The time now is 12:17 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration