> Ah! (This seems to imply that ssh *doesn't* use strong authentication ;-)
It does, within a limited sense of the term ;-0
> 1) SSH User authentication is probably of broadly similar strength
> to the system he's using. Why isn't he using it? Possibly
Because we OFTEN access our systems from remote sites. We don't trust the
remote sites at all. Sometimes we access from places where SSH isn't
available. Regardless, I don't trust anyone else's system enough to put my
secret key on it (or in memory) for any length of time. This last statement
invalidated every argument you raised.
SSH RSA keys are cool inside your own network, or using your own laptop to
access remotely. But we deal with a wide variety of systems, and having the
single strong authentication works out nice.
For example, SSH can't help authenticate me using a web browser to update
an internal database from a remote site. Single point of authentication is
a feature! ...but the first idiot who pipes up about opening an SSH session
and piping the session through will get slapped ;-) Sometimes life is too
damn short for games like that.
> It seems he doesn't want to have to authenticate multiple times
> (understandable) but doesn't want to use the mechanism SSH provides
> to avoid this (the ssh-agent connection). In that case, (and assuming
> RSA host authentication is unsuitable which I think it is)
Yes. And ssh-agent just doesn't work if you can't trust the system you are
accessing FROM ...
> needs to be a different mechanism for carrying the files that can be
> automatically associated with the original SSH connection. A thought
> that springs to mind is a pair of processes, one on the client
> machine that listens for a connection from the *local* host only,
> and a command on the server machine to use that process via the
> SSH connection using port forwarding. Or a similar pair set up
> to operate in the other direction. *That* gets the association
> with the original SSH connection and would presumably be covered
> by the original authentication.
...or something similar. I don't see why it would be difficult to design.
I've been tempted to code it myself, but I've got enough on my plate as it
is (as users of Request will point out :-} )
--
Joe Rhett Systems Engineer
[EMAIL PROTECTED] ISite Services
PGP keys and contact information: http://www.noc.isite.net/Staff/