Re: SSH revised

[Marcus Brinkmann]

At Fri, 24 Mar 2006 16:28:03 +0100,
Bas Wijnen <address@hidden> wrote:
> In fact, it is probably useful to allow the user authenticator to say "don't
> know", meaning the default system authenticator for the (hardware) terminal
> that is used is called, but that's a detail.

I think there should only be one mechanism, not two.  It's easy enough
for the user to run the default "user auth server" that the system
will provide along with all the other default software packages.
 
[Thanks for the much clearer description of the 'terminal assignment' idea]

> > > The system part of the SSH server is of course system code, just like
> > > any other terminal hardware driver.
> > 
> > that seems obvious in retrospect!  I was mainly concerned that a bug in
> > the SSH server wouldn't allow one user's session to observe (or worse,
> > interact in) another users session.  But I think this sort of thing
> > should be easy to guarantee.
> 
> The easy part is that the system doesn't have access to the encryption keys.
> If the ssh public key was transferred to the user via a separate channel, the
> system cannot snoop the connection.  That's because the user code does the
> decryption, the system code only transports the encrypted data.

Uhm.  As far as I understand, the connection is encrypted using a
symmetric cipher that is negotiated with a key exchange protocol at
the transport layer, before authentication.  Only the authentication
uses the public key cryptography.  Is that correct?

To do what you said, you would have to run your own ssh server.  A
good idea anyway!  I like my virtual domain for each user idea.  In
fact, it's only topped by a new idea: The virtual local network for
each user!  Did I mention IPv6?  Yummy!

Thanks,
Marcus