If all you want is a secure login, see Kerberos.
> -----Original Message-----
> From: David Bishop [mailto:[EMAIL PROTECTED]]
> Sent: Monday, February 05, 2001 9:46 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Can SSH be used just for encrypted authentication and then let the rest of the session be unencrypted ?
>
>
>
> On Mon, 5 Feb 2001 08:28:14 +0100, Åsmund Skjæveland said:
>
> > > Well, to replicate what I assume a lot of people here do (i.e.,
> > > maintain web servers/ftp servers) it is crucial that you limit who
> > > can upload to the machine, but not who sees what is *on* the
> > > machine. So the fact that I'm uploading a new index.html to my
> > > machine isn't sensitive at all, anyone who goes to my box can see
> > > that. However, I obviously don't want just anyone to be able to
> > > upload to my machine. To be honest, that is a *lot* more common for
> > > me than having actual sensitive data. If I didn't know that it
> > > would be taken advantage of by script kiddies and idiots, I would
> > > open up my whole machine to the 'net, cuz I frankly have nothing on
> > > there that I care if anyone else sees. It's just limiting who can
> > > *change* it that I care about.
> >
> > In other words, you don't want anyone to be able to intercept and
> > modify the datastream, and so the data are sensitive.
>
> Um, I have *never* as in *never* had a man-in-the-middle attack aimed
> at me or at anyone that I have ever spoken with. And before I get a
> flood of "Well, my cousin did!" emails, I'm not saying it has never
> happened, it's just not a common way of cracking a system. OTOH,
> packet sniffers are so common, and script kiddies so prevalent, I
> *know* that every time I send my user/pass combo in plaintext, someone
> is logging it somewhere. That, combined with the latency issues that
> the list has been discussing lately when using scp with good
> encryption, makes me wish that there was a way to encrypt the
> authentication portion but not the actual data transfer. I don't think
> that is such a bad thing, and it's probably a fairly common desire.
> And since I know that there will be people out there (probably you,
> Asmund ;-) who are horrified at the thought of not encrypting
> everything and always taking the most precautions available, I'll just
> say that we don't agree and leave it at that. 'Kay? :-)
>
> HAND,
>
> D.A.Bishop
>