[OpenAFS] OpenSSH 3.5p1 + ~/.shosts + token passing?
Derek Atkins
derek@ihtfp.com
10 Nov 2002 10:39:55 -0500
steve rader <rader@ginseng.hep.wisc.edu> writes:
> Is there some compelling reason why tokens should be
> passed after auth? I'd rather make new ssh servers
> compatable with existing clients because I'd rather
> not upgrade a bunch of clients.
Tokens are usable by whomever has them. If you pass your token before
you authenticate the server, then you could be passing your token to a
man-in-the-middle or any other third party. Once you do that, they
are effectively YOU until your tokens expire.
This is why the "OLD" protocol was considered insecure. You want to
remove security for convenience??
> steve
-derek
--
Derek Atkins
Computer and Internet Security Consultant
derek@ihtfp.com www.ihtfp.com