[Bug 677161] [NEW] tunnelled clear text passwords

Igor 677161 at bugs.launchpad.net
Thu Nov 18 20:06:43 GMT 2010


Public bug reported:

Hi

The Ubuntu installation that came with my Kubuntu 10.10
contains an /etc/ssh/sshd_config file with these lines:

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

Googling with a phrase like "Change to no to disable tunnelled clear text passwords"
shows that many (if not all) recent versions of Ubuntu came with this comment.

Analysis of all available information indicates that this is most likely a wrong comment.
This comment tells about sending of passwords unencrypted and it cannot be
understood differently.  Is this happening in reality?

"man ssh" says somewhere in the middle of the very long novel,
that it can never happen.

So if this is happening, it should be fixed in order to make it impossible to happen.
If this is not happening, this comment needs to be corrected accordingly.

There is also another option "RSAAuthentication",
and it is not clear whether it should be involved to encrypt passwords.

This lack of documentation makes users spend a lot of time.

See discussion here:

http://ubuntuforums.org/showthread.php?t=1621066

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New

-- 
tunnelled clear text passwords
https://bugs.launchpad.net/bugs/677161
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in ubuntu.
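
Added example (not part of the original report or of OpenSSH): a small check of what the two quoted lines mean in practice. Because the PasswordAuthentication line is commented out, sshd falls back to its built-in default, which sshd_config(5) gives as "yes". The function name, the constructed sample input and the choice to read only the global section (stopping at the first Match block) are assumptions of this example.

```shell
#!/bin/sh
# Report the value sshd would use for a keyword in the global section of an
# sshd_config-style file read on stdin.
# Usage: effective_sshd_option KEYWORD BUILTIN_DEFAULT < sshd_config
effective_sshd_option() {
    awk -v want="$1" -v dflt="$2" '
        BEGIN { want = tolower(want); value = dflt }
        /^[ \t]*#/ { next }    # commented-out lines set nothing
        /^[ \t]*$/ { next }    # blank lines set nothing
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # keyword and argument are separated by whitespace or one "="
            n = match(line, /[ \t=]/)
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))   # keywords are case-insensitive
            arg = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", arg)
            sub(/[ \t]+$/, "", arg)
            if (key == "match") exit                # conditional blocks: not evaluated here
            if (key == want) { value = arg; exit }  # first value obtained wins
        }
        END { print value }
    '
}

# Constructed sample: the two lines quoted in the report.
stock_config() {
    cat <<'EOF'
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
EOF
}

# Prints "yes": password logins are enabled, and they travel inside the
# encrypted SSH channel, which is what "tunnelled" refers to.
echo "PasswordAuthentication: $(stock_config | effective_sshd_option PasswordAuthentication yes)"
```

On a live system, `sshd -T` prints the effective configuration as resolved by the daemon itself.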


