LinuxQuestions.org
Old 05-03-2009, 09:22 PM   #1
mattydee
SSH and clear text passwords


Part of sshd_config reads:
Quote:
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
So are passwords really sent in clear text by default?
Or does this apply only in certain tunneling situations?
 
Old 05-03-2009, 09:37 PM   #2
MS3FGX
Those two lines are commented out, so they do not apply.
 
Old 05-03-2009, 09:40 PM   #3
mattydee
Right, but the default is PasswordAuthentication yes

So the question remains...
 
Old 05-03-2009, 10:33 PM   #4
chess
IIRC, the password is sent as clear text through the SSH tunnel, which is an encrypted connection using the host keys, which is what SSL does as well, I believe.

http://www.linuxquestions.org/questi...r-text-475260/
http://www.mail-archive.com/debian-s.../msg23024.html
 
Old 05-03-2009, 10:36 PM   #5
Ilgar
Quote:
Originally Posted by mattydee
So are passwords really sent in clear text by default?
But wouldn't that be against the whole purpose of SSH? It says tunneled cleartext, so it's still protected by SSH's encryption.
 
Old 05-03-2009, 10:43 PM   #6
mattydee
Quote:
Originally Posted by Ilgar
But wouldn't that be against the whole purpose of SSH?
Yes, that was my concern specifically.
So user/passwords are sent encrypted then?
 
Old 05-04-2009, 03:56 AM   #7
Alien Bob
Passwords are sent in the clear across the encrypted "tunnel" just like chess says. You type your password and those characters are transferred to the remote machine. An outsider will not be able to intercept your password unless he is able to break the encryption, which is highly unlikely.

The purpose of the configuration parameter "PasswordAuthentication" is that you can set it to "No" to enforce the use of private/public key pairs as the only means of authentication instead of passwords.

Eric
 
Old 05-04-2009, 10:09 PM   #8
mattydee
Thanks,

The wording just seems really odd to me. Not trying to be fastidious, but just want to understand better.

Do we have 2 hypothetical situations then?

1. we encrypt something, then send the packet(s) out. We say it's encrypted.
2. we send the packets out as is (in clear text) but across an encrypted tunnel.

So if I understand correctly, the wording in the sshd_config file refers to situation 2.
 
Old 05-04-2009, 11:50 PM   #9
chess
Yes. The first situation is what happens when you send a GPG-encrypted email. The email is sent out across the interweb in clear text, but it just so happens that clear text is encrypted and wouldn't make sense to anyone with the appropriate GPG keys. The second situation is what SSH does, which is also how you can tunnel and connect to services over SSH that use clear text passwords, like POP3 and SMTP.
 
Old 05-04-2009, 11:53 PM   #10
anomie
Quote:
Originally Posted by mattydee
Do we have 2 hypothetical situations then?

1. we encrypt something, then send the packet(s) out. We say it's encrypted.
2. we send the packets out as is (in clear text) but across an encrypted tunnel.
If I had to take a WAG, in this context the hypothetical situations are more like:
  1. We send some other authentication method -- perhaps a hashed/digest password, perhaps a key challenge, etc. -- across an encrypted tunnel; or
  2. We send a password verbatim across an encrypted tunnel.

(#2 still applies to your question.)

 
Old 05-05-2009, 02:15 AM   #11
mattydee
Thanks, that clears it up!
 
Old 08-22-2012, 06:15 AM   #12
theblah
Quote:
Originally Posted by Alien Bob
Passwords are sent in the clear across the encrypted "tunnel" just like chess says. You type your password and those characters are transferred to the remote machine. An outsider will not be able to intercept your password unless he is able to break the encryption, which is highly unlikely.

The purpose of the configuration parameter "PasswordAuthentication" is that you can set it to "No" to enforce the use of private/public key pairs as the only means of authentication instead of passwords.

Eric
I know it's a revive, but I am curious about this case also:
If I use "PasswordAuthentication no" and "ChallengeResponseAuthentication yes", and instead of creating a key I enter my password, how will the password be transferred? Still clear text via encryption tunnel?

 
Old 08-22-2012, 11:01 AM   #13
Skaperen
Quote:
Originally Posted by theblah
I know it's a revive, but I am curious about this case also:
If I use "PasswordAuthentication no" and "ChallengeResponseAuthentication yes", and instead of creating a key I enter my password, how will the password be transferred? Still clear text via encryption tunnel?
PasswordAuthentication is "clear text" in the sense that ChallengeResponseAuthentication is NOT "clear text". Anyone that is looking at what is sent inside the tunnel would see a clear text password in the first choice and not in the second choice. BUT ... getting into the tunnel is HARD to do for other than those who operate at the tunnel ends (strace the ssh process for example). It is all encrypted by SSH's tunnel over the net. The only way they'd know clear text passwords is going on is timing the keystrokes (challenge response will be much faster while password authentication is a few keystrokes depending on password size). I recommend using keys which are passphrase protected.
 
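As an added example (not code from this thread or from OpenSSH), here is a small Python audit of an sshd_config excerpt that applies what Alien Bob and Skaperen describe: commented-out lines such as "#PasswordAuthentication yes" only document the default, sshd honours the first explicit occurrence of a keyword, and "PasswordAuthentication no" on its own does not stop a password prompt when ChallengeResponseAuthentication is left on. The default values, the sample config and the function names are assumptions constructed for this example; Match blocks are not handled.

```python
import re

# Defaults as documented by the commented-out lines in the shipped sshd_config (assumed; verify with `sshd -T`).
DEFAULTS = {"passwordauthentication": "yes", "permitemptypasswords": "no",
            "challengeresponseauthentication": "yes"}

def effective_settings(config_text):
    """Map each keyword in DEFAULTS to (value, 'explicit' or 'default').
    sshd honours the first explicit occurrence of a keyword; commented lines
    only document the default.  Match blocks are out of scope here."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # comments set nothing
        if line.lower().startswith("match "):
            break                                     # conditional section: stop
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)   # 'Key value' / 'Key=value'
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key in DEFAULTS and key not in found:
            found[key] = (value, "explicit")          # first occurrence wins
    return {k: found.get(k, (d, "default")) for k, d in DEFAULTS.items()}

def findings(config_text):
    """Hardening notes on the settings the thread discusses."""
    eff = {k: v for k, (v, _) in effective_settings(config_text).items()}
    notes = []
    if eff["passwordauthentication"] == "yes":
        notes.append("PasswordAuthentication yes: a typed password is accepted "
                     "(it travels inside the encrypted tunnel)")
    elif eff["challengeresponseauthentication"] == "yes":
        notes.append("ChallengeResponseAuthentication yes: with UsePAM, "
                     "keyboard-interactive can still prompt for the account password")
    if eff["permitemptypasswords"] == "yes":
        notes.append("PermitEmptyPasswords yes: empty passwords are accepted")
    return notes

# Constructed sample: the shipped comments quoted in the thread plus explicit overrides.
SAMPLE = """\
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords = no
"""

print(findings(SAMPLE))
```

With the sample above the audit reports only the ChallengeResponseAuthentication note, which is exactly the configuration theblah asks about.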