Jonathan Morton wrote:
>
> >> You can't do this. That's kind of the point about SSH tunnels. If
> >> you could set them up automatically, they would be completely
> >> ineffective at authentication.
> >
> >????
> >
> >I might have misunderstood, I don't use SSH very much, but from an
> >encryption-only standpoint (Using VNC's own authentication, which would go
> >through the SSH tunnel too, so we don't have to worry about the security
> >problems recently posted), SSH should be simple and easy to implement,
> >right?
> >
> >I understand that a lot more may be involved if authentication is the name
> >of the game, but at least for my uses, I only really want/need encryption.
>
> The security advisory posted the other day was about authentication
> vulnerabilities. Hmm. I'd like to see if/how SSH gets around the type of
> attack posted in that advisory...

SSH does its level best never to transmit any data in the clear.
Even the initial authentication exchange is encrypted. The attack
against VNC hinges on the fact that the server transmits the
challenge string in the clear, which gives the man in the middle
some data he can change without upsetting the client or server.

-- Joe Knapka