[OpenAFS] OpenSSH 3.5p1 + ~/.shosts + token passing?
   
Derek Atkins <derek@ihtfp.com>
10 Nov 2002 10:39:55 -0500
  
steve rader <rader@ginseng.hep.wisc.edu> writes:

> Is there some compelling reason why tokens should be
> passed after auth?  I'd rather make new ssh servers
> compatible with existing clients because I'd rather
> not upgrade a bunch of clients.

Tokens are usable by whoever has them.  If you pass your token before
you authenticate the server, then you could be passing your token to a
man-in-the-middle or any other third party.  Once you do that, they
are effectively YOU until your tokens expire.

This is why the "OLD" protocol was considered insecure.  You want to
remove security for convenience??

> steve

-derek
-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com