List: secure-shell
Subject: "Re: draft-ietf-secsh-userauth-01.txt"
From: "The Filter of daemon () hauki ! clinet ! fi" <daemon () clinet ! fi>
Date: 1997-03-28 23:43:05
-- Begin filtered message --
From: Bob Beck <beck@obtuse.com>
Message-Id: <199703282142.OAA06201@snouts.obtuse.com>
Subject: Re: draft-ietf-secsh-userauth-01.txt
To: tot@Trema.COM (Teemu Torma)
Date: Fri, 28 Mar 1997 14:42:25 -0700 (MST)
Cc: perry@piermont.com, pjnesser@martigny.ai.mit.edu, ssh@clinet.fi
In-Reply-To: <199703281602.RAA28613@baht.labs.trema.com> from "Teemu Torma" at Mar 28, 97 05:02:48 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-ssh@clinet.fi
Precedence: bulk
Never mind the laboriousness of setting it up, try the
security for the truly paranoid. While using RSA for user
authentication is definitely better than cleartext passwords, I still
have to trust that the remote machine is not compromised or being used
by off-white-hat types with access enough to snarf a user's private
key once they set themselves up to SSH in. I can hand a user an SNK
keycard and then I have a much greater assurance that it is actually
them. For example, if a user is on the road and coming in from public
access machines, I definitely do *not* want them setting up or using
SSH with a private key of theirs on this untrusted machine to come
in. I'd far rather be able to allow the encrypted connection of SSH
from "on the road" places, but require my users to use a favorite
flavour of "Captain Crunch Secret Decoder Ring" (OTP device). This
ensures that as long as the user doesn't hand the device to someone
else, compromising a session from the remote machine doesn't give the
person the ability to come in again. (They can of course hijack the
session while the user is on).
So my answer is, "Yes", I use OTP even though RSA auth is
available.
-Bob
>
> From: "Perry E. Metzger" <perry@piermont.com>
> Date: Fri, 28 Mar 1997 10:25:02 -0500
>
> Do you really think people who have SSH will want to use OTP over RSA
> or similar authentication, given how easy RSA is to use and how
> comparatively laborious OTP is?
>
> RSA authentication requires some installation work before it can be used,
> whereas OTP can be used (at least almost) instantly. If you are going to
> log in only once or twice from some remote site, RSA is overall more
> laborious than OTP.
>
> Teemu
>
-- End of filtered message --