Subject: Re: ssh
From: Ryan Permeh (RyanEEYE.COM)
Date: Fri Aug 25 2000 - 11:05:45 CDT


ssh as an encrypted tunneling protocol has little to do with how it is
authenticating the tunnel. to make a tunnel, ssh will require
authentication, but the authentication is pretty open and allows for
multiple different ways (user certificate authentication using RSA, password
style auth, and probably any other auth system that could be hacked in
there (Kerberos, RSA SecurID, OPIE one time passwords, etc)). The encryption
for the tunnel is negotiated between hosts, with little or no interaction
with the auth process other than authorizing this connection. The hosts
exchange nonces to create a secure session key for the tunnel (i believe
they are using diffie-hellman for this algorithm, but my crypto is a bit
rusty, read the source if you're really curious). This requires both sides to
"trust" the public key of the other side in order to exchange key data.
Once the key is set, it is used to key the symmetric algorithm that is
negotiated/selected by the two endpoints. I believe a no encryption
symmetric algorithm is available, but it is supposed to only be used for
testing purposes (i know it is like this in IPSec as well). not all clients
and servers support a NULL encryption algorithm though, so unless someone
tries to force the situation, it will not happen by default.

so, in saying putty doesn't support authentication, you are misleading
things. it doesn't support RSA key authentication. it does support
password authentication (for both putty and pscp). This may well change
when the RSA patent frees up next month, but since i do not know the author
of putty, this may or may not happen (i think i remember him stating the
patent issue as the main reason it's missing, but i could be mistaken).

i use putty on win32 and have been amazed at the size, speed, openness and
flexibility of the client, and would classify it as one of the best pieces
of freeware available on win32. i do not know of another scp client
available on win32, and would prefer straight pscp to using zmodem transfers
any day of the week for scripting purposes, and general usability.

Signed,
Ryan
eEye Digital Security Team
http://www.eEye.com
----- Original Message -----
From: "Ragnar Wisløff" <ragnar.wisloffASKER.ONLINE.NO>
To: <FOCUS-LINUXSECURITYFOCUS.COM>
Sent: Thursday, August 24, 2000 1:02 PM
Subject: ssh

> Hello list members,
>
> I'm looking at ssh and there are a couple of things I'd like to
> understand.
>
> 1. Is the channel ssh/sshd sets up for communication always encrypted,
> regardless of the method of authentication? Are there any situations where
> such a channel might not be encrypted, or would the connection simply not
> be set up then?
>
> 2. Is the same the case for scp/sshd?
>
> I need a client for both ssh and scp for Win9x/WinNT and have found putty
> and pscp. There is no authentication in these, which I would ideally like
> to have, but there might be other clients. Does anyone have experience with
> others? The commercial ssh package is not an option.
>
>
> --
> Mvh
> Ragnar Wisløff
> --------------
> life is a reach. then you gybe
>
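
Added example, not part of the original thread: a small check that reads SSH client debug output and reports the negotiated tunnel cipher separately from the authentication method, flagging a session whose cipher is "none". The sample lines are constructed and their format is an assumption modeled on OpenSSH `ssh -v` output; other clients and versions print this differently.

```python
import re

# Constructed sample of client debug output (assumed OpenSSH `ssh -v` style).
SAMPLE_PASSWORD = """\
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
debug1: Authentication succeeded (password).
"""
# Same session, but constructed to show a null cipher having been negotiated.
SAMPLE_NULL = SAMPLE_PASSWORD.replace("cipher: aes128-ctr", "cipher: none")

KEX_RE = re.compile(r"kex: (server->client|client->server) cipher: (\S+)")
AUTH_RE = re.compile(r"Authentication succeeded \(([^)]+)\)")
DIRECTIONS = ("client->server", "server->client")


def summarize(debug_text):
    """Return per-direction ciphers, the auth method, and an 'encrypted' flag.

    The cipher comes from key exchange and the auth method from the later
    authentication step, so the two are reported independently.
    """
    ciphers = {}
    auth = None
    for line in debug_text.splitlines():
        m = KEX_RE.search(line)
        if m:
            ciphers[m.group(1)] = m.group(2)
            continue
        m = AUTH_RE.search(line)
        if m:
            auth = m.group(1)
    # Fail closed: a missing direction counts as unencrypted.
    encrypted = all(ciphers.get(d, "none") != "none" for d in DIRECTIONS)
    return {"ciphers": ciphers, "auth": auth, "encrypted": encrypted}


if __name__ == "__main__":
    for name, text in (("password", SAMPLE_PASSWORD), ("null", SAMPLE_NULL)):
        print(name, summarize(text))
```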