North American Network Operators Group

Re: 'we should all be uncomfortable with the extent to which luck ..'
On Wed, Jul 25, 2001 at 02:58:08PM -0400, John Fraizer wrote:
> On Wed, 25 Jul 2001, David Shaw wrote:
> > On Tue, Jul 24, 2001 at 11:42:21PM -0700, Roeland Meyer wrote:
> > > How many of us here run anything less than SSH and even allow telnetd to
> > > live on any of our hosts?
> >
> > telnetd is not inherently bad. It is a tool that is lacking the
> > session encryption and strong authentication features of SSH, but is
> > still useful in some cases. Like any tool it can be used poorly, but
> > that is not the fault of the tool.
> >
> > For example, when traveling, I can log in securely from any random
> > Internet cafe using OPIE or S/Key one-time passwords via telnet. SSH
> > requires that you trust your local machine, and OPIE assumes that you
> > don't.
> You may not expose your password to get into your network but, you do
> expose everything else that happens on the connection, including the
> passwords to devices that do not use/support OPIE or S/Key
> authentication.

Absolutely. OPIE is a strongly authenticated login tool. It does not
encrypt the session. I am aware of this, and thus don't type anything
I don't want sniffed.

> You can run an SSH client in a java applet in nearly any browser.
> If some devices on your network don't support ssh, ssh into
> something that does and from there, telnet to the devices that
> don't.

This is the part I disagree with. Given my example (needing to
connect from a public machine while traveling), I cannot trust the
local terminal. The SSH protocol requires a secure local terminal so
using the Java SSH client does not protect me in the slightest if I
can't trust that terminal, and a public terminal, by its very nature,
can never be trusted.

David

--
David Shaw | [email protected] | WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence." - Jeremy S. Anderson