Re: Keystroke timing (was Re: Dutch Government wants to regulate strong cryptography)

On Tue, Oct 09, 2001 at 08:08:13PM +0200, Gisle Sælensminde wrote:
> The ssh protocol already sends passwords as a single block as far as I can
> remember from last time I read the protocol specification. There will
> however be a problem with keystroke timing unless you type a password on
> the machine you log in to. That is if you log in a root "su" or in some
> other way type a password. Now a lot of people will do exactly that. Most
> sysadmins will not log on remotely directly as root, and so this attack
> will be possible. Other people have suggested to insert random junk
> packets to disrupt such traffic analysis.
> 
> There are however several other possible ways to make it hard to get
> useful keystroke timing. One is the one already mentioned, to collect the
> whole password before sending it. That could be done by detecting the
> password terminal mode (which is when the characters you type are not
> displayed, like su and telnet and - yes ssh does).

Or if using X (or even gpm?) you can just paste in the password from a
selection.  The selection doesn't even need to be visible -- a simple
Tcl/Tk (or similar) script will let you type a (blinded) password and
make the text the default selection.  You paste, then clear the
selection.

Regards,

   Bill Rugolsky

Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
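
The "collect the whole password before sending it" idea from the quoted message, sketched as an added example (not code from this thread or from ssh). It assumes the sending side can read the tty's local-mode flags; `packetize`, `observed_gaps` and the sample keystrokes are constructed for illustration.

```python
import termios

def is_password_mode(lflag):
    """Canonical input with echo off: how su, passwd and login read a password."""
    return bool(lflag & termios.ICANON) and not (lflag & termios.ECHO)

def tty_lflag(fd):
    """Local-mode flags of a real tty, e.g. tty_lflag(sys.stdin.fileno())."""
    return termios.tcgetattr(fd)[3]

def packetize(events):
    """events: (time, byte, lflag) per keystroke. Returns [(send_time, payload)].

    Keystrokes typed while echo is off are held and sent as one block when the
    line ends (or when the tty leaves password mode); everything else goes out
    one packet per keystroke, as an interactive session normally does.
    """
    packets, held, t = [], bytearray(), None
    for t, ch, lflag in events:
        if is_password_mode(lflag):
            held += ch
            if ch in (b"\n", b"\r"):
                packets.append((t, bytes(held)))
                held.clear()
        else:
            if held:  # mode changed mid-line: flush what was buffered
                packets.append((t, bytes(held)))
                held.clear()
            packets.append((t, ch))
    if held:  # input ended before the line did
        packets.append((t, bytes(held)))
    return packets

def observed_gaps(packets):
    """Inter-packet delays: what a passive observer of the encrypted link sees."""
    times = [t for t, _ in packets]
    return [round(b - a, 3) for a, b in zip(times, times[1:])]

# Constructed sample: "su" + Enter typed with echo on, then a password with echo off.
ECHO_ON = termios.ICANON | termios.ECHO
ECHO_OFF = termios.ICANON
PW_TIMES = [1.00, 1.21, 1.29, 1.55, 1.62, 1.90, 2.05]
SAMPLE = [(0.00, b"s", ECHO_ON), (0.12, b"u", ECHO_ON), (0.30, b"\n", ECHO_ON)]
SAMPLE += [(t, bytes([c]), ECHO_OFF) for t, c in zip(PW_TIMES, b"s3cret\n")]

if __name__ == "__main__":
    print(packetize(SAMPLE))
    print(observed_gaps(packetize(SAMPLE)))
```

The password leaves as one packet, so none of the six gaps between its keystrokes is visible on the wire; the size of that one block is still observable.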

