Security Basics mailing list archives
RE: sshd for windows
From: "Chris Berry" <compjma () hotmail com>
Date: Fri, 20 Jun 2003 12:02:53 -0700
From: "Depp, Dennis M." <deppdm () ornl gov> NTLMv2 is an encryption method. (Granted it is weak, but it still is encrypted.) By default, Microsoft Telnet uses NTLM to encrypt the password. This means the only client that can access the server is the Microsoft telnet that comes with Windows 2000. You can setup a Windows 2000 server with the default installation of telnet and see that the password is encrypted.
Ok, it looks like I was partially wrong, here's what microsoft has to say: ---------------------------------------------------------------------------------------------------------------------------------------------- Whats NTLM?NTLM (NT LanMan) is an authentication process thats used by all members of the Windows NT family of products. Like its predecessor LanMan, NTLM uses a challenge/response process to prove the clients identity without requiring that either a password or a hashed password be sent across the network.
How does challenge/response work?When the authentication process begins, the users system (client) sends a login request to the telnet server. The server replies with a randomly generated token (or challenge) to the client. The client hashes the currently logged-on users cryptographically protected password with the challenge and sends the resulting response to the telnet server.
The telnet server receives the challenge-hashed response and compares it to what it knows to be the appropriate response. (The server takes a copy of the original token which it generated and hashes it against what it knows to be the users password hash from its own user account database.) If the received response matches the expected response, the user is successfully authenticated to the host.
Is my password being sent across the network during NTLM authentication?No. NTLM authentication does not send the users password (or hashed representation of the password) across the network. Instead, NTLM authentication utilizes challenge/response mechanisms to ensure that the actual password never traverses the network.
----------------------------------------------------------------------------------------------------------------------------------------------Its' still nowhere near as secure as using SSH, but it's better than the plain text transmission I was talking about. I also did a packet capture test and confirmed this. Be warned however that this feature can be disabled, so you're not automatically safe.
Chris Berry compjma () hotmail com Systems Administrator JM Associates "Within every man beats a heart of darkness." --The Shadow _________________________________________________________________Help STOP SPAM with the new MSN 8 and get 2 months FREE* http://join.msn.com/?page=features/junkmail
--------------------------------------------------------------------------- Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts! The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare.Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------
Current thread:
- Re: sshd for windows, (continued)
- Re: sshd for windows Bryan S. Sampsel (Jun 18)
- RE: sshd for windows Chris Berry (Jun 19)
- RE: sshd for windows DeGennaro, Gregory (Jun 19)
- RE: sshd for windows DeGennaro, Gregory (Jun 19)
- RE: sshd for windows wjnorth (Jun 20)
- RE: sshd for windows DeGennaro, Gregory (Jun 20)
- Re: sshd for windows Chris Berry (Jun 20)
- Re: sshd for windows Ansgar Wiechers (Jun 23)
- Re: sshd for windows ktabic (Jun 23)
- RE: sshd for windows Chris Berry (Jun 20)
- RE: sshd for windows Chris Berry (Jun 21)
- RE: sshd for windows DeGennaro, Gregory (Jun 21)
- RE: sshd for windows Chris Berry (Jun 21)
- RE: sshd for windows Depp, Dennis M. (Jun 21)
- RE: sshd for windows Depp, Dennis M. (Jun 21)
- Re: sshd for windows Chris Berry (Jun 24)