Heterogeneous File Sharing Recommendations?

Charles Curley charlescurley at charlescurley.com
Tue Feb 2 21:28:23 MST 2010


On Tue, 2 Feb 2010 23:09:14 -0500 (EST)
Jon Jensen <jon at endpoint.com> wrote:

> On Tue, 2 Feb 2010, Charles Curley wrote:
> 
> > Setting up public key auth is as simple as getting the users'
> > public keys onto the servers so they can log in, and verifying the
> > correct permissions. One public key per user you expect them to use.
> >
> > Using passwords means the passwords are sent over the net using
> > weak or no encryption.
> 
> Is that true? I don't think it is, for ssh. Passwords are always sent
> over the ssh tunnel using the same strong encryption that's used for
> the rest of the ssh conversation. They are as secure against
> 3rd-party snooping as anything else about the ssh session.

You are correct, thank you. I spoke from old or incorrect information.


> 
> The weakness with password authentication is that the server
> receiving the password can be modified to store the plaintext
> password, which if it was used for other accounts or servers, can be
> used to log in elsewhere without authorization. Public-key
> cryptography avoids this weakness. Passwords are also much more
> likely to be guessed in a brute-force attack than ssh secret keys
> (aside from the Debian OpenSSL fiasco of 2008!). But the passwords
> are safe enough during transit.

Correct.

-- 

Charles Curley                  /"\    ASCII Ribbon Campaign
Looking for fine software       \ /    Respect for open standards
and/or writing?                  X     No HTML/RTF in email
http://www.charlescurley.com    / \    No M$ Word docs in email

Key fingerprint = CE5C 6645 A45A 64E4 94C0  809C FFF6 4C48 4ECD DFDB
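
Added example, not part of the original message: the "verifying the correct permissions" step mentioned in the quoted text, written as a POSIX shell check. It assumes an OpenSSH server with keys in the default ~/.ssh/authorized_keys location, where the StrictModes setting rejects key files that other users could modify; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit one account's public-key files before relying on
# key-based login. The home directory, ~/.ssh and authorized_keys must
# belong to the user and must not be writable by group or others.
# Usage (after sourcing this file): check_ssh_perms /home/alice alice

# writable_by_others PATH -> succeeds if PATH has the g+w or o+w bit set
writable_by_others() {
    [ -n "$(find -H "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# wrong_owner PATH USER -> succeeds if PATH is not owned by USER
wrong_owner() {
    [ -n "$(find -H "$1" -prune ! -user "$2" -print)" ]
}

# check_ssh_perms HOME USER -> prints findings, returns the problem count
check_ssh_perms() {
    home=$1 user=$2 problems=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"
            problems=$((problems + 1))
            continue
        fi
        if writable_by_others "$p"; then
            echo "WRITABLE $p (fix: chmod go-w)"
            problems=$((problems + 1))
        fi
        if wrong_owner "$p" "$user"; then
            echo "OWNER    $p (expected $user)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}
```

A return status of 0 means all three paths passed; any other value is the number of findings printed.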


