[13598] in bugtraq
Re: S/Key & OPIE Database Vulnerability
daemon@ATHENA.MIT.EDU (Eivind Eklund)
Fri Jan 28 15:12:23 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <20000128122310.D15603@bitbox.follo.net>
Date: Fri, 28 Jan 2000 12:23:10 +0100
Reply-To: Eivind Eklund <eivind@YES.NO>
From: Eivind Eklund <eivind@YES.NO>
X-To: Brandon Palmer <merlin@SCL.CWRU.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.GSO.4.10.10001270935060.2313-100000@tigris>; from merlin@SCL.CWRU.EDU on Thu, Jan 27, 2000 at 09:40:35AM -0500
On Thu, Jan 27, 2000 at 09:40:35AM -0500, Brandon Palmer wrote:
> > Ultimately I wonder how much of a future S/Key has now that SSH and
> > similar utilities are widely deployed and provide much more
> > sophisticated protections, especially session encryption.
>
> I think there is definitely still a need. There are many cases in which I
> am not on a machine that has ssh (i.e. some public telnet shell). Though
> the session is not encrypted, my password is still safe. Until ssh-java
> shells are common, s/key still has its place.
This indicates a rather common misconception. SSH-Java shells should
NOT make a public terminal trusted for your password; the TERMINAL is
insecure, and is rather likely to be running a keystroke logger. SSH
only makes the connection from the box it runs on to the box at the
other end secure.
Eivind.