'we should all be uncomfortable with the extent to which luck ..'
David Shaw
dshaw at jabberwocky.com
Wed Jul 25 19:06:17 UTC 2001
On Wed, Jul 25, 2001 at 02:58:08PM -0400, John Fraizer wrote:
> On Wed, 25 Jul 2001, David Shaw wrote:
> > On Tue, Jul 24, 2001 at 11:42:21PM -0700, Roeland Meyer wrote:
> > > How many of us here run anything less than SSH and even allow telnetd to
> > > live on any of our hosts?
> >
> > telnetd is not inherently bad. It is a tool that is lacking the
> > session encryption and strong authentication features of SSH, but is
> > still useful in some cases. Like any tool it can be used poorly, but
> > that is not the fault of the tool.
> >
> > For example, when traveling, I can log in securely from any random
> > Internet cafe using OPIE or S/Key one-time passwords via telnet. SSH
> > requires that you trust your local machine, and OPIE assumes that you
> > don't.
> You may not expose your password to get into your network, but you do
> expose everything else that happens on the connection, including the
> passwords to devices that do not use/support OPIE or S/Key
> authentication.
Absolutely. OPIE is a strongly authenticated login tool. It does not
encrypt the session. I am aware of this, and thus don't type anything
I don't want sniffed.
> You can run an SSH client in a java applet in nearly any browser.
> If some devices on your network don't support ssh, ssh into
> something that does and from there, telnet to the devices that
> don't.
This is the part I disagree with. Given my example (needing to
connect from a public machine while traveling), I cannot trust the
local terminal.
The SSH protocol requires a secure local terminal, so using the Java
SSH client does not protect me in the slightest if I can't trust that
terminal, and a public terminal, by its very nature, can never be
trusted.
David
--
David Shaw | dshaw at jabberwocky.com | WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence." - Jeremy S. Anderson
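An added illustration, not part of the original message, of the S/Key-style one-time-password mechanism David refers to: the server keeps only the current head of a hash chain, each login consumes one link, and a password captured by a sniffer on the untrusted terminal fails when replayed. The chain uses plain SHA-256 and constructed sample values, not the real OPIE hashing or six-word encoding.

```python
import hashlib

# Simplified S/Key-style hash chain (assumption: SHA-256 instead of OPIE's
# actual hash and word encoding). H^n denotes n applications of the hash.

def otp_chain_link(secret: str, seed: str, n: int) -> bytes:
    """Return H^n(seed + secret), the n-th link of the one-time-password chain."""
    value = (seed + secret).encode()
    for _ in range(n):
        value = hashlib.sha256(value).digest()
    return value


class OtpServer:
    """Stores only the current chain head and its sequence number, never the secret."""

    def __init__(self, seed: str, secret: str, count: int):
        self.seed = seed
        self.sequence = count
        self.stored = otp_chain_link(secret, seed, count)

    def challenge(self):
        # The user must answer with the link just below the stored head.
        return self.sequence - 1, self.seed

    def login(self, response: bytes) -> bool:
        if self.sequence <= 1:
            return False  # chain exhausted; the user must re-initialise
        if hashlib.sha256(response).digest() != self.stored:
            return False  # wrong secret, or a replay of an already-used link
        self.stored = response  # advance the chain: this link is now spent
        self.sequence -= 1
        return True


def client_response(secret: str, challenge) -> bytes:
    n, seed = challenge
    return otp_chain_link(secret, seed, n)


def demo():
    """Constructed scenario: one real login, one replay, then the next login."""
    server = OtpServer("nanog01", "correct horse", count=100)
    sniffed = client_response("correct horse", server.challenge())
    first = server.login(sniffed)          # legitimate login succeeds
    replay = server.login(sniffed)         # replaying the sniffed value fails
    second = server.login(client_response("correct horse", server.challenge()))
    return first, replay, second
```

Note that, exactly as the thread points out, nothing here encrypts the session: only the login credential is protected from reuse.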