I understand that this question is subjective.
I am interested in knowing the SSH password legibility when creating an SSH tunnel. Does a secure session open after password authentication, or is the password itself enclosed in this secure connection?
After an interesting debate at the office this morning, and besides the possibility of writing off the SSH password on the client using a keylogger, I am curious whether the SSH password can also be compromised using packet sniffing tools on the local network or installed on any proxy server between the client and the server. This opened up a broader discussion about how to log in to private services (such as a home NAS or email) through an SSH tunnel that was registered on a client working on several intermediate proxy servers (i.e. at work), especially with claims that tools like Ettercap are capable of snooping into SSH packets.
I guess the same considerations can be made with respect to SSL / HTTPS, where does the website not parse the password in a one-way hash like MD5?
Your thoughts will be most appreciated.
Thanks.
8bitjunkie