If memory serves me right, Leo Bicknell wrote:
> On Wed, Aug 22, 2001 at 04:30:30PM -0700, Matt Dillon wrote:
> >     http://www.vnunet.com/News/1124839
> 
> Several people on other mailing lists have pointed out that Nagle
> should make this much harder, although it's unclear how Nagle and
> ssh interact.  So far that has resulted in a number of degenerating
> discussions of how things work.  Of course, Nagle will not help
> between two machines on the same ethernet segment, but probably
> would make the process described in the paper much harder.

Indeed.  They also didn't discuss (or I didn't see it) the effects of 
queueing or jitter in the network on their scheme.

This *is* pretty neat, although it is less of a password cracker 
than a scheme of narrowing down the space of possible passwords.

> All of this argues for Kerberos or some other cryptographic system
> so once you're authenticated once there is little or no need to type
> additional passwords.

ssh-agent(1)/ssh-add(1) does all of its authentication locally, so my
extremely naive reading is that it'd be immune to this particular type
of attack, since human-typed passphrases never cross the network.

Bruce.

