&gt; An article and script describing how to snoop on an SSH session and<br><div class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="im">
&gt; recover the username and password... this would be one of a number of<br>
&gt; reasons why the WLUG server only allows key-based authentication. ;)<br>
<br>
</div>Hmm - it seems that once again it is proved that security only keeps<br>
honest people out!<br>
<div><div></div></div></blockquote><div><br>Not at all; this article shows how far SSH raises the bar. It&#39;s only possible to recover passwords this way if you already have root access on the box being SSHed into, as opposed to telnet where anyone along the path can trivially capture packets. And if you&#39;re using key-based authentication (as hoiho does) the only thing sent to the server is a one-time random challenge which cannot be reused for any subsequent login. <br>
<br>It&#39;s impressive that SSH can provide security to the point that even the admins of the box you&#39;re connecting to (or a malicious attacker who&#39;s gained root access) can only authenticate you, but don&#39;t get given enough information to impersonate you on other servers where you&#39;re using the same key pair.<br>
<br><br>-- <br></div></div>This email is for the intended recipient only. If you are not the intended recipient you must burn your computer, while standing on one foot and chanting the entire jabberwocky.<br>The opinions expressed here are not necessarily the opinions of the person who expressed them.<br>
<br><br>