<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2650.12">
<TITLE>RE: telnet vs ssh on Core equipment , looking for reasons why ?</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2>Here's an alternative that might work. Authenticate via Radius which in turn proxies the authentication request to a SecurId server. With one time passwords, who cares if they get sniffed? You also get the benefit of having your Radius server being able to do accounting/access control on the sessions as well.</FONT></P>
<P><FONT SIZE=2>-----Original Message-----</FONT>
<BR><FONT SIZE=2>From: Dave Israel [<A HREF="mailto:davei@biohazard.demon.digex.net">mailto:davei@biohazard.demon.digex.net</A>]</FONT>
<BR><FONT SIZE=2>Sent: Tuesday, July 31, 2001 2:43 PM</FONT>
<BR><FONT SIZE=2>To: alex@yuriev.com</FONT>
<BR><FONT SIZE=2>Cc: nanog@merit.edu</FONT>
<BR><FONT SIZE=2>Subject: RE: telnet vs ssh on Core equipment , looking for reasons why ?</FONT>
</P>
<BR>
<BR>
<BR>
<P><FONT SIZE=2>[Yeah, I know, we've wandered off topic. But security is fun to </FONT>
<BR><FONT SIZE=2>talk about.]</FONT>
</P>
<P><FONT SIZE=2>On 7/31/2001 at 12:41:23 -0400, alex@yuriev.com said:</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> > </FONT>
<BR><FONT SIZE=2>> > 2) Your vendor's ssh authentication creates a secure connection, and</FONT>
<BR><FONT SIZE=2>> > transfers the password securely, only to then send the password,</FONT>
<BR><FONT SIZE=2>> > unencrypted, to an authentication server for verification, making</FONT>
<BR><FONT SIZE=2>> > ssh moot.</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> Establish reasonable path for trust propagation and you have solved the</FONT>
<BR><FONT SIZE=2>> problem.</FONT>
</P>
<P><FONT SIZE=2>Except, of course, if I had a reasonable path for trust propigation,</FONT>
<BR><FONT SIZE=2>I would have a trusted path for telnet logins. ;-)</FONT>
</P>
<P><FONT SIZE=2>Any compromise on a clear-text telnet password is going to be viable</FONT>
<BR><FONT SIZE=2>against any other clear-text password transmission. Even restricting</FONT>
<BR><FONT SIZE=2>logins to certain host ranges only pushes security to those networks.</FONT>
<BR><FONT SIZE=2>If you're going to sniff my backbone passwords, the networks that are</FONT>
<BR><FONT SIZE=2>wrapped in are presumably compromised already.</FONT>
</P>
<P><FONT SIZE=2>Network security is a beast. There's no sure method. Of course,</FONT>
<BR><FONT SIZE=2>the compromises get progressively more unlikely as time goes on</FONT>
<BR><FONT SIZE=2>(including keyboard sniffing and signal analysis.) So the question</FONT>
<BR><FONT SIZE=2>becomes, what is secure enough? If you're only using telnet, with</FONT>
<BR><FONT SIZE=2>clear passwords, restricted to a certain range (which, by the way,</FONT>
<BR><FONT SIZE=2>despite a recent post to nanog, we are doing; I'd like to say we</FONT>
<BR><FONT SIZE=2>left that router open so folks could read my poetry, but the truth</FONT>
<BR><FONT SIZE=2>is, we were morons and missed it) you're secure as long as your</FONT>
<BR><FONT SIZE=2>backbone links and backend aren't being sniffed. Physically tapping</FONT>
<BR><FONT SIZE=2>fiber isn't terribly easy for the average hacker, and careful routing </FONT>
<BR><FONT SIZE=2>protocol selection and implementation should keep you from external</FONT>
<BR><FONT SIZE=2>intrusion. So really, your back-end that's the most likely way</FONT>
<BR><FONT SIZE=2>in.</FONT>
</P>
<P><FONT SIZE=2>So... does anybody know how long it takes to hack an ssh key given</FONT>
<BR><FONT SIZE=2>identity and identity.pub? Because, if I have your machine, I have</FONT>
<BR><FONT SIZE=2>these... it's just a matter of unlocking your passphrase. (And not</FONT>
<BR><FONT SIZE=2>even that, if you're running ssh-agent and I can get to that...)</FONT>
</P>
<P><FONT SIZE=2>-- </FONT>
<BR><FONT SIZE=2>Dave Israel</FONT>
<BR><FONT SIZE=2>Senior Manager, IP Backbone</FONT>
<BR><FONT SIZE=2>Intermedia Business Internet</FONT>
</P>
</BODY>
</HTML>