SSH authentication bypass?
Joshua Judson Rosen
rozzin at geekspace.com
Thu Jun 26 17:21:35 EDT 2014
Tom Buskey <tom at buskey.name> writes:
>
> On Wed, Jun 25, 2014 at 12:08 PM, Joshua Judson Rosen <rozzin at geekspace.com>
> wrote:
>
> > *AHA*--found the answer:
> >
> > http://article.gmane.org/gmane.network.openssh.general/7446
> >
> > OpenSSH implements "none" auth by trying to authenticate
> > with an empty password.
[...]
> I've created passwordless SSH keys. That turns it into having a shared
> secret which is better than a blank password IMO.

It's certainly better for some things. Probably even most things.
But if I've already got, for example, the `login shell' on the server
doing its own challenge/response authentication over the encrypted link,
using a one-time password that's with an established non-electronic
distribution channel (so none-auth'ing into the account over SSH
doesn't get you an actual shell or anything directly useful, just a
('nother) password prompt)..., then having to also set up a
distribution-channel for SSH keys is a hassle that doesn't necessarily
provide any benefit.

There's a parallel here to the way `secure logins' for the vast majority
of websites work: all of the traffic is encrypted via SSL, but the SSL
layer isn't itself acting as a barrier to the client authenticating; SSL
is just a transport, and something on the other side of the SSL link
manages authentication. It's *possible* to have the SSL layer actually
take responsibility for authenticating the client via an x.509
certificate (which is mostly analogous to an SSH pubkey, for this
discussion); I've used a few services that do that. But can you imagine
if Amazon, GMail, Facebook, Twitter, and every other site that requires
a login did that? On top of also requiring a username/password login?
--
"'tis an ill wind that blows no minds."
More information about the gnhlug-discuss mailing list