ssh encryption strength
J. Kyllo
jkyllo at u.washington.edu
Sun Feb 6 11:12:55 PST 2000
Well, setting your display to another machine just sets up a normal tcp/ip
connection using the X protocol. When ssh connects to a machine, if you
have the settings right and all that, it sets your DISPLAY variable to
something like server.u:10.0. Basically, sshd acts as an X server on the
server end. Then, when it receives a connection, it pipes it through its
encrypted connection to the other side where it is decrypted by the ssh
client and a connection established to the local X server. I believe that
the nature of the X terms does not allow encryption between the terminal
and the XDM server so if someone can sniff packets there, I think they can
get keystrokes. I'm not completely clear on the holes in X though. I
hope that wasn't too confounding...
-Jeff
------------------------------------------------
Help Linux get the device drivers it needs:
http://www.libranet.com/petition.html
On Sun, 6 Feb 2000, R. David Whitlock wrote:
> OK, I'm going to show my ignorance here, but I'm curious: What's the
> difference between this and just setting your display to another machine?
>
> For example, I'm logged into an xterm, so _everything_ I have on my desk
> is sent by another machine. Sometimes when I'm in a rush to check my email
> and I want to look at a web page or two, I go to the xterms on the ground
> floor of suzallo and set my display and run netscape off of dante. I
> never paid attention before, but someone recently showed me XForwarding in
> their .ssh config file. ( grumble : They're getting rid of these and
> putting in PC's _to check email... STOOPID /grumble)
>
> Later,
> David
>
>
>
> On Sun, 6 Feb 2000, J. Kyllo wrote:
>
> > Ahh. Is it known whether the keylength can be changed? I'm using ssh's X
> > forwarding which basically listens on the remote (server) side for x apps
> > and encrypts and forwards them across the secure connection. It's very
> > cool. I am currently connected through a dial-in connection to a non-uw
> > isp and managed to run Eterm from my Linux box in Haggett through Dante
> > and to my place. Slow, but it worked!
> >
> > -Jeff
> >
> > ------------------------------------------------
> > Help Linux get the device drivers it needs:
> > http://www.libranet.com/petition.html
> >
> > On Sun, 6 Feb 2000, T. Tam wrote:
> >
> > > I'm no security expert, but I think SSH 1.27 uses 3DES, 56bit keylength.
> > > I remember someone telling me once that that's roughly equivalent to 128
> > > bit DES (I don't know why it's not equivalent to 3x56bit...). So, it is
> > > fairly secure.
> > >
> > > Now, the question is, what are you forwarding thru ssh? Are you
> > > forwarding the port that X runs on, or are you just forwarding the magic
> > > cookies for authentication?
> > >
> > > -=- Terence
> > >
> > > On Sat, 5 Feb 2000, J. Kyllo wrote:
> > >
> > > > I was just using the X11 forwarding of SSH and started to think about
> > > > something. I know the connection is encrypted, but how long is the key
> > > > that's used, i.e. although the cypher might be good, the key should be
> > > > long too. Something to ponder, anyway.
> > > >
> > > > Thanks,
> > > > Jeff K.
> > > >
> > > > ------------------------------------------------
> > > > Help Linux get the device drivers it needs:
> > > > http://www.libranet.com/petition.html
> > > >
> > > >
> > >
> > >
> >
> >
>
>
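Added example, not part of any message in this thread: a small Python check that takes a DISPLAY value such as the `server.u:10.0` quoted above and reports whether X traffic for it stays on the local machine (a Unix socket or an sshd proxy display) or crosses the network as plain X protocol. The function names, the `local_names` parameter and the sample host names are hypothetical, and the offset of 10 assumes OpenSSH's default `X11DisplayOffset`.

```python
import re

X_BASE_PORT = 6000        # X11 display N listens on TCP port 6000 + N
SSH_DISPLAY_OFFSET = 10   # assumption: OpenSSH's default X11DisplayOffset
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# host may be empty (":0") or contain colons ("::1:10.0"), so match greedily
# up to the last colon before the display number.
_DISPLAY_RE = re.compile(r"^(?P<host>.*):(?P<num>\d+)(?:\.(?P<screen>\d+))?$")


def parse_display(value):
    """Split a DISPLAY string into (host, display_number, screen)."""
    m = _DISPLAY_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a DISPLAY value: {value!r}")
    return m["host"], int(m["num"]), int(m["screen"] or 0)


def classify_display(value, local_names=()):
    """Report how X traffic for this DISPLAY travels.

    local_names: names this machine is known by (hypothetical parameter),
    needed because older ssh versions put the server's own hostname in DISPLAY.
    """
    host, num, _screen = parse_display(value)
    port = X_BASE_PORT + num
    local = LOOPBACK | {n.lower() for n in local_names}
    if host in ("", "unix"):
        return {"transport": "unix-socket", "port": None, "cleartext_on_wire": False}
    if host.lower() in local:
        # The connection ends on this machine. A display number at or above
        # the offset is what sshd's proxy X server normally hands out; this
        # is a heuristic, not proof that sshd owns the listener.
        kind = "likely-ssh-proxy" if num >= SSH_DISPLAY_OFFSET else "local-tcp"
        return {"transport": kind, "port": port, "cleartext_on_wire": False}
    # Any other host means a direct TCP connection carrying unencrypted X protocol.
    return {"transport": "remote-tcp", "port": port, "cleartext_on_wire": True}


if __name__ == "__main__":
    # Constructed samples: the same DISPLAY string seen on the ssh server
    # itself and on a different machine, plus a local display.
    for value, names in [("server.u:10.0", ["server.u"]),
                         ("server.u:10.0", ["xterm7"]),
                         (":0", [])]:
        print(value, names, classify_display(value, names))
```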
More information about the Linux mailing list