SSH authentication bypass?

Joshua Judson Rosen rozzin at geekspace.com
Thu Jun 26 17:21:35 EDT 2014


Tom Buskey <tom at buskey.name> writes:
>
> On Wed, Jun 25, 2014 at 12:08 PM, Joshua Judson Rosen <rozzin at geekspace.com>
> wrote:
>
> > *AHA*--found the answer:
> >
> >     http://article.gmane.org/gmane.network.openssh.general/7446
> >
> > OpenSSH implements "none" auth by trying to authenticate
> > with an empty password.
[...]
> I've created passwordless SSH keys.  That turns it into having a shared
> secret which is better than a blank password IMO.

It's certainly better for some things. Probably even most things.

But if I've already got, for example, the `login shell' on the server
doing its own challenge/response authentication over the encrypted link,
using a one-time password with an established non-electronic
distribution channel (so none-auth'ing into the account over SSH
doesn't get you an actual shell or anything directly useful, just a
('nother) password prompt)..., then having to also set up a
distribution channel for SSH keys is a hassle that doesn't necessarily
provide any benefit.

There's a parallel here to the way `secure logins' for the vast majority
of websites work: all of the traffic is encrypted via SSL, but the SSL
layer isn't itself acting as a barrier to the client authenticating; SSL
is just a transport, and something on the other side of the SSL link
manages authentication. It's *possible* to have the SSL layer actually
take responsibility for authenticating the client via an X.509
certificate (which is mostly analogous to an SSH pubkey, for this
discussion); I've used a few services that do that. But can you imagine
if Amazon, GMail, Facebook, Twitter, and every other site that requires
a login did that? On top of also requiring a username/password login?

-- 
"'tis an ill wind that blows no minds."


More information about the gnhlug-discuss mailing list