tunnelled clear text passwords

Bug #677161 reported by Igor
Affects: openssh (Ubuntu)
Status: Invalid
Importance: Low
Assigned to: Unassigned
Milestone: (none)

Bug Description

Hi

The Ubuntu installation that came with my Kubuntu 10.10
contains an /etc/ssh/sshd_config file with these lines:

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

Googling a phrase like "Change to no to disable tunnelled clear text passwords"
shows that many (if not all) recent versions of Ubuntu come with this comment.

Analysis of all available information indicates that this is most likely a wrong comment.
This comment talks about passwords being sent unencrypted, and it cannot be
understood any other way. Is this happening in reality?

"man ssh" says somewhere in the middle of the very long novel
that it can never happen.

So if this is happening, it should be fixed in order to make it impossible to happen.
If this is not happening, the comment needs to be corrected accordingly.

There is also another option, "RSAAuthentication",
and it is not clear whether it should be involved in encrypting passwords.

This lack of documentation makes users spend a lot of time.

See discussion here:

http://ubuntuforums.org/showthread.php?t=1621066

C de-Avillez (hggdh2) wrote :

Thank you for opening this bug and helping make Ubuntu better.

If I understand you correctly, you are worried about a clear-text (i.e., non-encrypted) passphrase being sent by the SSH client, and that anyone will be able to sniff the channel and grab it.

Please rest assured this is not the case: the keyword (as stated in the Ubuntu Forum entry) is *tunneled*. This means the channel in which the session flows is already encrypted.

As for being clear-text... well, there is not really much option. The passphrase will be hashed and compared to the saved one (under /etc/shadow), and different systems use different processes to perform the hashing.

In fact, the security issue one might have is with the fact that SSH password-based logins are accepted. Ideally, you should only run with public-key encryption.

I am tending to close this bug INVALID, but I will wait for your response.

Changed in openssh (Ubuntu):
importance: Undecided → Low
status: New → Incomplete
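The comment above makes the practical point: the channel is encrypted, and the real hardening step is to turn password logins off. As an added illustration (not code from the bug report or from OpenSSH), here is a small Python check that reads an sshd_config and reports the effective PasswordAuthentication value, using sshd's rule that the first value seen for a keyword wins, that a commented-out line leaves the default (yes) in force, and that directives after a Match block are conditional. The two config samples are constructed; the stock one mirrors the lines quoted in the report.

```python
import re
from typing import Dict

# Constructed sample mirroring the stock Ubuntu file from the report:
# the directive is present only as a comment, so sshd's default (yes) applies.
SAMPLE_DEFAULT = """\
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
RSAAuthentication yes
"""

# Constructed hardened sample: password logins off, public keys only.
SAMPLE_HARDENED = """\
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""

# sshd defaults for the keywords this check cares about (sshd_config(5)).
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes"}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return keyword -> value for the global section of an sshd_config.

    sshd uses the first value it reads for each keyword, so later
    duplicates are ignored.  Keywords are case-insensitive.  Anything
    after a 'Match' line is conditional, so parsing stops there.
    """
    seen: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out directive
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break  # everything below applies only to matching connections
        value = parts[1].strip() if len(parts) > 1 else ""
        seen.setdefault(key, value)  # first occurrence wins
    return seen


def effective(cfg: Dict[str, str], keyword: str) -> str:
    k = keyword.lower()
    return cfg.get(k, DEFAULTS.get(k, "")).lower()


def password_logins_enabled(text: str) -> bool:
    return effective(parse_sshd_config(text), "PasswordAuthentication") == "yes"


if __name__ == "__main__":
    for name, txt in (("stock", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(name, "password logins enabled:", password_logins_enabled(txt))
```

On a live host, `sshd -T` prints the fully resolved configuration and is the authoritative check; this script is for reviewing a copied file offline.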
C de-Avillez (hggdh2) wrote :

OP stated, in the Ubuntu Forum, that s/he cannot find how to login to LP and comment here. Given that I already answered the question, I am marking this bug invalid -- the password will be sent in clear-text, but the channel is encrypted (this is the whole idea of SSH, after all).

Changed in openssh (Ubuntu):
status: Incomplete → Invalid