TLUG Mailing List

Mailing List Archive
Support open source code!
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
tlug: Secure Remote Password (SRP) opinions?

To: tlug@example.com

Subject: tlug: Secure Remote Password (SRP) opinions?

From: "Stephen J. Turnbull" <turnbull@example.com>

Date: Mon, 6 Dec 1999 18:53:52 +0900 (JST)

Content-Transfer-Encoding: 7bit

Content-Type: text/plain; charset=us-ascii

In-Reply-To: <19991206175715.A27878@example.com>

References: <19991206175715.A27878@example.com>

Reply-To: tlug@example.com

Sender: owner-tlug@example.com
>>>>> "Jim" == Jim Tittsler <jwt-tlug@example.com> writes:

    Jim> Is anyone using the Stanford SRP authentication standard?
    Jim> Any opinions (or pointers to reviews)?  The PAM module looks
    Jim> enticingly convenient.  .. http://srp.stanford.edu/srp/

At a glance it looks pretty good.  Still ssh is probably to be
preferred unless you have a way to get the encrypted versions.

The problem is cascading logins.  I rarely pay attention to how deep
my remote sessions are nested; of course, if I were using telnet,
every time I log in to a new computer from a nested session, a
plaintext password would go across the net as part of the unencrypted
telnet session---even if I were using srp-telnet on all hosts and thus
the authentication procedure itself were secure at the TCP/IP level.

This kind of attack would be more difficult than simply sniffing for
standard telnet logins, but could be done fairly inexpensively, I
think.  On the other hand, for typical users, who only log in from a
local terminal to one remote host, there'd be nothing to see, except
in the rare case of trying to log in again by mistake, so it should
work fine.

I've forwarded to Steve Baur; if he has a comment, I'll pass it on to
the list.

-- 
University of Tsukuba                Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
Institute of Policy and Planning Sciences       Tel/fax: +81 (298) 53-5091
_________________  _________________  _________________  _________________
What are those straight lines for?  "XEmacs rules."
-------------------------------------------------------------------
Next Nomikai: December 17 (Fri), 20:00 Tengu TokyoEkiMae 03-3275-3691
Next Technical Meeting: January 14 (Fri) 19:00
* Topic: "glibc - current status and future developments"
* Guest Speaker: Ulrich Drepper (Cygnus Solutions)
* Place: Oracle Japan HQ 12F Seminar Room (New Otani Garden Court)
-------------------------------------------------------------------
more info: http://www.tlug.gr.jp        Sponsor: Global Online Japan
References:

tlug: Secure Remote Password (SRP) opinions?
From: Jim Tittsler <jwt-tlug@example.com>

Prev by Date: tlug: Secure Remote Password (SRP) opinions?

Next by Date: Re: tlug: EXT2-fs warning

Prev by thread: tlug: Secure Remote Password (SRP) opinions?

Next by thread: tlug: CD burner

Index(es):

Date

Thread

Home | Main Index | Thread Index

Home Page Mailing List Linux and Japan TLUG Members Links