Noel L Yap wrote:

> [EMAIL PROTECTED] on 2000.07.18 14:05:01
> >> How can an SSH server know that the SSH client hasn't been compromised and is
> >> sending a spoofed username?
> >
> >By requiring the client to send a password known to the server or to encrypt its
> >connection/keys/whatever it is using the proper private key (in other words, a
> >private key with a corresponding & appropriate public key already known to the
> >server).
>
> No, this doesn't guarantee it.  For example, if the OpenSSH client sent this
> info over the server, I can build OpenSSH in such a way that it will always send
> the wrong info over.  I'll still have proper keys and everything, but the
> username info will have been spoofed.

But the protocol is standard.  If I already have a user's password and private key,
why should I bother hacking an OpenSSH client?  I could have used any standard SSH
client to obtain the same private information.

Derek

--
Derek Price                      CVS Solutions Architect
mailto:[EMAIL PROTECTED]     OpenAvenue ( http://OpenAvenue.com )
--
HAMLET  Ha, ha!  Are you honest?
OPHELIA  My lord?
HAMLET  Are you fair?
OPHELIA  What means your lordship?
HAMLET  That if you be honest and fair, your honesty
  should admit no discourse to your beauty.

     - Hamlet, Act III, Scene 1, Lines 103-108


