[40048] in North American Network Operators' Group
RE: telnet vs ssh on Core equipment , looking for reasons why ?
daemon@ATHENA.MIT.EDU (Grace, Terry)
Tue Jul 31 15:06:00 2001
Message-ID: <B3AA75A19260D3118F3B00902798992B023C8D79@mail2.thestar.ca>
From: "Grace, Terry" <tgrace@thestar.ca>
To: "'nanog@merit.edu'" <nanog@merit.edu>
Date: Tue, 31 Jul 2001 15:01:49 -0400
Here's an alternative that might work. Authenticate via RADIUS, which in turn
proxies the authentication request to a SecurID server. With one-time
passwords, who cares if they get sniffed? You also get the benefit of having
your RADIUS server being able to do accounting/access control on the
sessions as well.
-----Original Message-----
From: Dave Israel [mailto:davei@biohazard.demon.digex.net]
Sent: Tuesday, July 31, 2001 2:43 PM
To: alex@yuriev.com
Cc: nanog@merit.edu
Subject: RE: telnet vs ssh on Core equipment , looking for reasons why ?
[Yeah, I know, we've wandered off topic. But security is fun to
talk about.]
On 7/31/2001 at 12:41:23 -0400, alex@yuriev.com said:
>
> >
> > 2) Your vendor's ssh authentication creates a secure connection, and
> > transfers the password securely, only to then send the password,
> > unencrypted, to an authentication server for verification, making
> > ssh moot.
>
> Establish reasonable path for trust propagation and you have solved the
> problem.
Except, of course, if I had a reasonable path for trust propagation,
I would have a trusted path for telnet logins. ;-)
Any compromise on a clear-text telnet password is going to be viable
against any other clear-text password transmission. Even restricting
logins to certain host ranges only pushes security to those networks.
If you're going to sniff my backbone passwords, the networks that are
wrapped in are presumably compromised already.
Network security is a beast. There's no sure method. Of course,
the compromises get progressively more unlikely as time goes on
(including keyboard sniffing and signal analysis.) So the question
becomes, what is secure enough? If you're only using telnet, with
clear passwords, restricted to a certain range (which, by the way,
despite a recent post to nanog, we are doing; I'd like to say we
left that router open so folks could read my poetry, but the truth
is, we were morons and missed it) you're secure as long as your
backbone links and backend aren't being sniffed. Physically tapping
fiber isn't terribly easy for the average hacker, and careful routing
protocol selection and implementation should keep you from external
intrusion. So really, it's your back-end that's the most likely way
in.
So... does anybody know how long it takes to hack an ssh key given
identity and identity.pub? Because, if I have your machine, I have
these... it's just a matter of unlocking your passphrase. (And not
even that, if you're running ssh-agent and I can get to that...)
--
Dave Israel
Senior Manager, IP Backbone
Intermedia Business Internet
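The point Terry makes at the top of this message, that a sniffed one-time password is worthless to whoever captured it, is easiest to see with a server-side verifier that accepts each code exactly once. The block below is an added example written for this archive page, not code from the thread or from any RADIUS or SecurID product: it implements the counter-based HOTP algorithm of RFC 4226 (SecurID tokens use a time-based scheme, so HOTP stands in for it here), and the `OtpVerifier` class, its look-ahead window of 3, and the `replay_scenario` walk-through are assumptions of this example. The secret is the RFC 4226 test-vector key, used only so the codes are checkable against the RFC.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute an HMAC-based one-time password as specified in RFC 4226."""
    # The moving factor is an 8-byte big-endian counter.
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    # Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


class OtpVerifier:
    """Server-side HOTP check (assumed design): each counter value is accepted at most once."""

    def __init__(self, secret: bytes, look_ahead: int = 3) -> None:
        self.secret = secret
        self.next_counter = 0          # lowest counter value still acceptable
        self.look_ahead = look_ahead   # resync window for tokens pressed without a login (assumed value)

    def verify(self, code: str) -> bool:
        # Try the expected counter and a small window beyond it.
        for c in range(self.next_counter, self.next_counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                # Consume this counter and everything before it, so a code
                # captured off the wire can never be accepted a second time.
                self.next_counter = c + 1
                return True
        return False


def replay_scenario() -> dict:
    """Legitimate login with a sniffed OTP, followed by a replay of the same code."""
    # RFC 4226 test-vector secret; a constructed value, not a real token seed.
    secret = b"12345678901234567890"
    server = OtpVerifier(secret)

    token_code = hotp(secret, 0)             # code shown on the token; assume it crosses the wire in clear
    first = server.verify(token_code)        # operator logs in: accepted
    replay = server.verify(token_code)       # the sniffed code is replayed: rejected, counter 0 is spent

    skipped = server.verify(hotp(secret, 2)) # token advanced twice without a login: inside the window, accepted
    stale = server.verify(hotp(secret, 1))   # counter 1 now lies behind the server: rejected
    beyond = server.verify(hotp(secret, 20)) # far outside the look-ahead window: rejected

    return {"first": first, "replay": replay, "skipped": skipped, "stale": stale, "beyond": beyond}


if __name__ == "__main__":
    print(replay_scenario())
```

The property that matters for the telnet-versus-ssh argument is the second line of `replay_scenario`: the verifier never accepts a counter value it has already consumed, so capturing the password in transit buys nothing after the legitimate session has started. The look-ahead window is the usual trade-off between tolerating a few stray token presses and keeping the set of currently valid codes small; the RADIUS accounting Terry mentions would record each successful `verify` alongside the session it opened.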