[39854] in North American Network Operators' Group
Re: 'we should all be uncomfortable with the extent to which luck ..'
daemon@ATHENA.MIT.EDU (David Shaw)
Wed Jul 25 15:07:33 2001
Date: Wed, 25 Jul 2001 15:06:17 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: John Fraizer <nanog@Overkill.EnterZone.Net>
Cc: Roeland Meyer <rmeyer@mhsc.com>, "'k claffy'" <kc@ipn.caida.org>,
nanog@nanog.org, caida@caida.org
Message-ID: <20010725150617.B1975@akamai.com>
Mail-Followup-To: John Fraizer <nanog@Overkill.EnterZone.Net>,
Roeland Meyer <rmeyer@mhsc.com>, 'k claffy' <kc@ipn.caida.org>,
nanog@nanog.org, caida@caida.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Pine.LNX.4.21.0107251454020.28199-100000@Overkill.EnterZone.Net>; from nanog@Overkill.EnterZone.Net on Wed, Jul 25, 2001 at 02:58:08PM -0400
Errors-To: owner-nanog-outgoing@merit.edu
On Wed, Jul 25, 2001 at 02:58:08PM -0400, John Fraizer wrote:
> On Wed, 25 Jul 2001, David Shaw wrote:
> > On Tue, Jul 24, 2001 at 11:42:21PM -0700, Roeland Meyer wrote:
> > > How many of us here run anything less than SSH and even allow telnetd to
> > > live on any of our hosts?
> >
> > telnetd is not inherently bad. It is a tool that is lacking the
> > session encryption and strong authentication features of SSH, but is
> > still useful in some cases. Like any tool it can be used poorly, but
> > that is not the fault of the tool.
> >
> > For example, when traveling, I can log in securely from any random
> > Internet cafe using OPIE or S/Key one-time passwords via telnet. SSH
> > requires that you trust your local machine, and OPIE assumes that you
> > don't.
> You may not expose your password to get into your network, but you do
> expose everything else that happens on the connection, including the
> passwords to devices that do not use/support OPIE or S/Key
> authentication.
Absolutely. OPIE is a strongly authenticated login tool. It does not
encrypt the session. I am aware of this, and thus don't type anything
I don't want sniffed.
> You can run an SSH client in a java applet in nearly any browser.
> If some devices on your network don't support ssh, ssh into
> something that does and from there, telnet to the devices that
> don't.
This is the part I disagree with. Given my example (needing to
connect from a public machine while traveling), I cannot trust the
local terminal.
The SSH protocol requires a secure local terminal, so using the Java
SSH client does not protect me in the slightest if I can't trust that
terminal, and a public terminal, by its very nature, can never be
trusted.
David
--
David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence." - Jeremy S. Anderson
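The exchange the thread argues about, as an added example that is not part of the original post or the OPIE/S/Key code: a toy model of the S/Key-style hash-chain login. The server stores only the top of the chain, challenges with a sequence number and seed, and the client recomputes the answer from a secret that never leaves its head. Assumptions: SHA-256 and raw digests stand in for the real protocols' MD4/MD5 folding and six-word encoding, and the secret, seed and chain length are constructed sample values. The demo shows why an observed one-time password cannot be replayed, which is the property Shaw relies on, while leaving the rest of the session in the clear, which is Fraizer's objection.

```python
"""
Toy S/Key / OPIE style one-time-password chain (added example, not the
original post's or the OPIE project's code).

Chain: h0 = H(seed || secret), h(i) = H(h(i-1)).  The server is seeded
with h(n) and asks for h(n-1); on success it stores the response and
asks for h(n-2) next time.  Going backwards along the chain requires
inverting H, so a sniffed response is useless for the next login.
Assumption: SHA-256 replaces the real protocols' MD4/MD5 folding.
"""
import hashlib


def skey_hash(data: bytes) -> bytes:
    """One step of the chain (SHA-256 stands in for OPIE's folded hash)."""
    return hashlib.sha256(data).digest()


def build_chain(secret: str, seed: str, n: int):
    """Return [h0, h1, ..., hn] computed from the user's secret and the seed."""
    h = skey_hash((seed + secret).encode())
    chain = [h]
    for _ in range(n):
        h = skey_hash(h)
        chain.append(h)
    return chain


class OtpServer:
    """Holds only the seed, the current sequence number and the last hash."""

    def __init__(self, seed: str, n: int, top_of_chain: bytes):
        self.seed = seed
        self.seq = n              # we currently hold h(seq)
        self.stored = top_of_chain

    def challenge(self):
        """What the login banner would print: the sequence wanted and seed."""
        return self.seq - 1, self.seed

    def verify(self, response: bytes) -> bool:
        """Accept iff H(response) equals the stored value; then move down."""
        if self.seq <= 0:
            return False          # chain exhausted; must be re-initialised
        if skey_hash(response) != self.stored:
            return False
        self.stored = response    # new top of chain is the value just used
        self.seq -= 1
        return True


def client_response(secret: str, seed: str, seq: int) -> bytes:
    """The travelling user recomputes h(seq) from scratch; no local state."""
    return build_chain(secret, seed, seq)[-1]


def demo():
    """Walk through a login, a replay of the sniffed value, and the next login."""
    secret, seed, n = "correct horse battery", "jb4127", 5   # constructed sample
    server = OtpServer(seed, n, build_chain(secret, seed, n)[-1])

    seq, s = server.challenge()
    otp1 = client_response(secret, s, seq)      # this is what a sniffer sees
    first_login = server.verify(otp1)

    replay = server.verify(otp1)                # sniffer tries the same value

    seq, s = server.challenge()                 # server now wants h(n-2)
    otp2 = client_response(secret, s, seq)
    second_login = server.verify(otp2)

    return {
        "first_login": first_login,
        "replay": replay,
        "second_login": second_login,
        "remaining": server.seq,
    }


if __name__ == "__main__":
    print(demo())
```

The server never learns the secret, and each response is a preimage of the value it already holds, which is why a public terminal that logs the keystrokes gets one login and nothing more; everything typed after the login, as the reply points out, still crosses the wire unencrypted.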