LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Slackware (http://www.linuxquestions.org/questions/slackware-14/)
-   -   SSH and clear text passwords (http://www.linuxquestions.org/questions/slackware-14/ssh-and-clear-text-passwords-723424/)

mattydee 05-03-2009 08:22 PM

SSH and clear text passwords
 
Part of sshd_config reads:
Quote:

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
So are passwords really sent in clear text by default?
Or does this apply only in certain tunneling situations?

MS3FGX 05-03-2009 08:37 PM

Those two lines are commented out, so they do not apply.

mattydee 05-03-2009 08:40 PM

Right, but the default is PasswordAuthentication yes

So the question remains...

chess 05-03-2009 09:33 PM

IIRC, the password is sent as clear text through the SSH tunnel, which is an encrypted connection using the host keys, which is what SSL does as well, I believe.

http://www.linuxquestions.org/questi...r-text-475260/
http://www.mail-archive.com/debian-s.../msg23024.html

Ilgar 05-03-2009 09:36 PM

Quote:

Originally Posted by mattydee (Post 3528978)
So are passwords really sent in clear text by default?

But wouldn't that be against the whole purpose of SSH? It says tunneled cleartext, so it's still protected by SSH's encryption.

mattydee 05-03-2009 09:43 PM

Quote:

Originally Posted by Ilgar (Post 3529007)
But wouldn't that be against the whole purpose of SSH?

Yes, that was my concern specifically.
So user/passwords are sent encrypted then?

Alien Bob 05-04-2009 02:56 AM

Passwords are sent in the clear across the encrypted "tunnel" just like chess says. You type your password and those characters are transferred to the remote machine. An outsider will not be able to intercept your password unless he is able to break the encryption, which is highly unlikely.

The purpose of the configuration parameter "PasswordAuthentication" is that you can set it to "No" to enforce the use of private/public key pairs as the only means of authentication instead of passwords.

Eric

mattydee 05-04-2009 09:09 PM

Thanks,

The wording just seems really odd to me. Not trying to be fastidious, but just want to understand better.

Do we have 2 hypothetical situations then?

1. we encrypt something, then send the packet(s) out. We say it's encrypted.
2. we send the packets out as is (in clear text) but across an encrypted tunnel.

So if understand correctly, the wording in the ssgd_config file refers to situation 2.

chess 05-04-2009 10:50 PM

Yes. The first situation is what happens when you send a GPG-encrypted email. The email is sent out across the interweb in clear text, but it just so happens that clear text is encrypted and wouldn't make sense to anyone with the appropriate GPG keys. The second situation is what SSH does, which is also how you can tunnel and connect to services over SSH that use clear text passwords, like POP3 and SMTP.

anomie 05-04-2009 10:53 PM

Quote:

Originally Posted by mattydee
Do we have 2 hypothetical situations then?

1. we encrypt something, then send the packet(s) out. We say it's encrypted.
2. we send the packets out as is (in clear text) but across an encrypted tunnel.

If I had to take a WAG, in this context the hypothetical situations are more like:
  1. We send some other authentication method -- perhaps a hashed/digest password, perhaps a key challenge, etc. -- across an encrypted tunnel; or
  2. We send a password verbatim across an encrypted tunnel.

(#2 still applies to your question.)

mattydee 05-05-2009 01:15 AM

Thanks, that clears it up!

theblah 08-22-2012 05:15 AM

Quote:

Originally Posted by Alien Bob (Post 3529217)
Passwords are sent in the clear across the encrypted "tunnel" just like chess says. You type your password and those characters are transferred to the remote machine. An outsider will not be able to intercept your password unless he is able to break the encryption, which is highly unlikely.

The purpose of the configuration parameter "PasswordAuthentication" is that you can set it to "No" to enforce the use of private/public key pairs as the only means of authentication instead of passwords.

Eric

I know it's a revive, but I am curios about this case also:
If I use "PasswordAuthentication no" and "ChallengeResponseAuthentication yes", and instead of creating a key I enter my password, how will the password be transferred? Still clear text via encryption tunnel?

Skaperen 08-22-2012 10:01 AM

Quote:

Originally Posted by theblah (Post 4760936)
I know it's a revive, but I am curios about this case also:
If I use "PasswordAuthentication no" and "ChallengeResponseAuthentication yes", and instead of creating a key I enter my password, how will the password be transferred? Still clear text via encryption tunnel?

PasswordAuthentication is "clear text" in the sense that ChallengeResponseAuthentication is NOT "clear text". Anyone that is looking at what is sent inside the tunnel would see a clear text password in the first choice and not in the second choice. BUT ... getting into the tunnel is HARD to do for other than those who operate at the tunnel ends (strace the ssh process for example). It is all encrypted by SSH's tunnel over the net. The only way they'd know clear text passwords is going on is timing the keystrokes (challenge response will be much faster while password authentication is a few keystrokes depending on password size). I recommend using keys which are passphrase protected.


All times are GMT -5. The time now is 04:46 PM.