SSH is great! However, relying on password based authentication where the end user must decide whether or not to trust a new server crypto fingerprint can leave you open to attack. John Strand has put together an excellent video demonstrating how attackers can capture your SSH V1 and V2 passwords.
How do you fix this? Well, you can teach your users not to accept untrusted keys. Good luck with that. If you do that and it works, please contact me. I want to be your friend. Mere mortals should consider moving to something stronger than simple password based authentication. OpenSSH supports s/key one time passwords, RSA type authentication AND Kerberos!
Content
Capturing SSH V1 & V2 Credentials with a MitM ssh honeypot
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds