[Bug 677161] Re: tunnelled clear text passwords
C de-Avillez
hggdh2 at ubuntu.com
Fri Nov 19 00:18:07 GMT 2010
Thank you for opening this bug and helping make Ubuntu better.
If I understand you correctly, you are worried about a clear-text (i.e.,
non-encrypted) passphrase being sent by the SSH client, and that anyone
will be able to sniff the channel and grab it.
Please rest assured this is not the case: the keyword (as stated in the
Ubuntu Forum entry) is *tunneled*. This means the channel in which the
session flows is already encrypted.
As for being clear-text... well, there is not really much option. The
passphrase will be hashed and compared to the saved one (under
/etc/shadow), and different systems use different processes to perform
the hashing.
In fact, the security issue one might have is with the fact that SSH
password-based logins are accepted. Ideally, you should only run with
public-key encryption.
I am tending to close this bug INVALID, but I will wait your response.
** Changed in: openssh (Ubuntu)
Importance: Undecided => Low
** Changed in: openssh (Ubuntu)
Status: New => Incomplete
--
tunnelled clear text passwords
https://bugs.launchpad.net/bugs/677161
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in ubuntu.
More information about the Ubuntu-server-bugs
mailing list