Thread: ssh

**-JhAzEr-** · 09-14-2002, 07:56 AM

Is connecting to an ssh server using username and password secure? Are there any more secure way of connecting to an ssh server?

**redhead** · 09-14-2002, 09:06 AM

Everything through an ssh connection is encrypted, even username/password. So I dont see if there should be anything more secure than that..

**-JhAzEr-** · 09-14-2002, 09:45 AM

No possibillity to un-encrypt it?

**redhead** · 09-14-2002, 11:15 AM

Only with the correct keys that the ssh session is using at the exact moment.

**Schotty** · 09-14-2002, 03:15 PM

Trust the SSH. It is your friend. Where others speak too loudly, SSH whispers. SSH is so much more secure than TELNET or RSH, its riduiculous. I literally swear by ssh.

**Compunuts** · 09-16-2002, 03:47 PM

[quote author=-JhAzEr- link=board=5;threadid=4955;start=0#49308 date=1031990183]
Are there any more secure way of connecting to an ssh server?
[/quote]
Use digital authentication keys such as from RSA.

09-18-2002, 03:56 PM

I agree. SSH is the most secure thing for remote logging right now. Trust it and no other...

**-JhAzEr-** · 09-19-2002, 01:51 AM

No such thing as password cracking, like john the ripper does in /etc/passwd?

**kenshi** · 09-20-2002, 01:22 PM

I've never heard of a program that would do it. It would be practically impossible.

09-20-2002, 05:08 PM

This is from man ssh:

Code:

 ssh supports RSA based authentication.
     The scheme is based on public-key cryptography: there are cryptosystems
     where encryption and decryption are done using separate keys, and it is
     not possible to derive the decryption key from the encryption key.  RSA
     is one such system.  The idea is that each user creates a public/private
     key pair for authentication purposes.  The server knows the public key,
     and only the user knows the private key.  The file
     $HOME/.ssh/authorized_keys lists the public keys that are permitted for
     logging in.  When the user logs in, the ssh program tells the server
     which key pair it would like to use for authentication.  The server
     checks if this key is permitted, and if so, sends the user (actually the
     ssh program running on behalf of the user) a challenge, a random number,
     encrypted by the user's public key.  The challenge can only be decrypted
     using the proper private key.  The user's client then decrypts the chal-
     lenge using the private key, proving that he/she knows the private key
     but without disclosing it to the server.

I cant remember, but isnt it either a 128 bit or a 512 bit alphanumeric key?