[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SSH revised

From: Marcus Brinkmann
Subject: Re: SSH revised
Date: Tue, 28 Mar 2006 10:24:28 +0200
User-agent: Wanderlust/2.14.0 (Africa) SEMI/1.14.6 (Maruoka) FLIM/1.14.7 (Sanjō) APEL/10.6 Emacs/21.4 (i486-pc-linux-gnu) MULE/5.0 (SAKAKI)

At Fri, 24 Mar 2006 17:11:28 +0100,
Lluis <address@hidden> wrote:
> El Fri, Mar 24, 2006 at 04:28:03PM +0100, Bas Wijnen ens deleità amb les 
> següents paraules:
> > The easy part is that the system doesn't have access to the encryption 
> > keys. 
> > If the ssh public key was transferred to the user via a separate channel, 
> > the 
> > system cannot snoop the connection.  That's because the user code does the 
> > decryption, the system code only transports the encrypted data.
> well, in current ssh, the session private key is a system-global one

No, the session private key is private to the session.  You may be
confusing it with the host authentication key, which is used to avoid
man in the middle attacks.

> and I don't know the real process, but this can't work if the current ssh 
> clients first handshake on a way to encrypt the session and after that is 
> when the client gives the username and password

Why not?  The session en- and decryption can behandled privately at
the transport layer to and from the user.
> I mean, when the user server gets the connection, it is already encrypted, 
> so unless a re-negotiation of session encryption takes place, any of the 
> programs that handled that connection cap. to the user server could be 
> snooping on it...

"Any of these programs" are exactly the ssh server and the user's own
programs handling the connection.  There is no issue here.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]