SSH login Security question


#1

As I’m relatively new to using SSH, I have a question about how passwords are transmitted through the logging in process.

Specifically, using Terminal in OS X 10.3, when I issue the command:

ssh user1@domain1.com

I am prompted for a password for user1, which if entered correctly, appears to log me in to the requested account with a secure shell.

My question is: When does the connection become secure? When the initial SSH command is issued, OR only AFTER the password is submitted?

What I’m getting at here, is whether the password is being sent ‘in the clear’.

Could someone in the know please explain how this works on the DH servers? Thanks.

Also, on a related note, is it possible to turn off FTP and Telnet services (for security reasons) and leave just SSH on?

Cheers,

Jem

P.S. I’ve tried setting up a DSA private/public key pair for use with SSH on DH, and it works fine (no need to enter a password to log in), however programs like MacSFTP seem to still want to request the user password.


#2

ssh doesn’t do anything in the clear; the password is also sent encrypted.


#3

ps - for those using DSA or RSA ssh key authentication with Mac OS X, I highly recommend sshkeychain - http://www.sshkeychain.org/ - a lot of us over here are using it now. Basically, this is a really slick and easy-to-set-up front-end for ssh-agent, so that you can cache the passphrase for your DSA or RSA key.

You can set it to timeout after the screensaver activates, after the system sleeps, etc., and you can even save your passphrase in your OS X keychain if you want.


#4

Will,

Thanks for your response, and the tip about sshkeychain. I’ll give it a look.

Not to be dense, but going back to my original question… am I to understand from your response that the act of invoking the SSH command creates a secure link even before you are logged in to the server? If that is true, then it would make sense that the requested password would be sent securely prior to actually logging on to a specific user account on the SSH server.

That’s the part, conceptually, that throws me. Since there is no visual feedback (as there is in a web browser when using SSL) it makes me a bit leery… at least until I understand better how this stuff works :}

Cheers,

Jem


#5

An ssh server has a public key and a private key, and the ssh server’s public key is used to encrypt data to it. The ssh client opens a handshake with the server before any data is sent. But yeah - ssh wouldn’t be so much of an improvement over telnet and other cleartext login protocols if the password itself were sent in cleartext.


#6

will said: “for those using DSA or RSA ssh key authentication”

I tried to set up publickey auth on my shell account on vex, it doesn’t seem to be working (created authorized_keys with my public key in ~/.ssh/). I created a ticket about this yesterday, and no reply so far. Perhaps you can help me out?
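A check for the problem in the post above, as an added example that is not from the thread or from DreamHost: with sshd’s default StrictModes setting, a home directory, ~/.ssh or authorized_keys that is group- or world-writable makes sshd refuse the key file, and the client quietly falls back to the password prompt. The script assumes a POSIX sh with ls and cut, and accepts the key types the thread mentions (DSA, RSA) plus the newer ECDSA and Ed25519 ones; it does not check file ownership, which sshd also verifies.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the files sshd inspects for
# publickey auth. Usage: check_authorized_keys /home/user   (defaults to $HOME)

# Succeed if a path is writable by group or others. Parses the ls -ld mode
# string (chars 6 and 9) so it works on both OS X's BSD userland and GNU/Linux,
# whose stat(1) flags differ.
is_go_writable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    gw=$(printf '%s' "$mode" | cut -c6)
    ow=$(printf '%s' "$mode" | cut -c9)
    [ "$gw" = w ] || [ "$ow" = w ]
}

check_authorized_keys() {
    home=${1:-$HOME}
    keys="$home/.ssh/authorized_keys"
    rc=0
    for p in "$home" "$home/.ssh" "$keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; rc=1; continue
        fi
        if is_go_writable "$p"; then
            echo "too permissive (group/other writable): $p"; rc=1
        fi
    done
    # Every non-comment line must look like "<keytype> <base64> [comment]";
    # a pasted key that got line-wrapped or lost its type prefix is a common cause.
    if [ -f "$keys" ]; then
        n=0
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in ''|'#'*) continue ;; esac
            n=$((n + 1))
            case "$line" in
                ssh-rsa\ *|ssh-dss\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
                *) echo "unrecognised key line $n in $keys"; rc=1 ;;
            esac
        done < "$keys"
        [ "$n" -gt 0 ] || { echo "no keys found in $keys"; rc=1; }
    fi
    return "$rc"
}
```

Run it on the server side (the account whose authorized_keys is being ignored), then fix anything it reports with chmod 700 ~/.ssh and chmod 600 ~/.ssh/authorized_keys.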