Interesting People mailing list archives
IP: SSH: an ineffectual "feel-good" security measure -- from risks
From: Dave Farber <farber () cis upenn edu>
Date: Sat, 15 Jan 2000 19:04:32 -0500
Date: Mon, 20 Dec 1999 00:34:14 -0700
From: "Schlake ( William Colburn )" <schlake () nmt edu>

When I first read the report of RST breaking the netscape algorithm I was caught up in the moment. Netscape should have known better than do something so foolish! Then I read the next comp.risks and I felt like a fool. There is a great risk in pretending to have security when you really have none.

I think many people believe that ssh protects them from wrong-doers, and that nothing bad can happen to them if they use ssh. The authors of the Internet Auditing Project (1) have a good story to tell about ssh, as do the people who run the web site for rootshell.org (2). Some sys-admins here at work are rabid about ssh. They have disabled telnet and rlogin for "security" reasons, and naively believe that ssh is somehow more secure.

Ssh protects the data stream between two secure machines. Anyone sitting between the two machines can't tell what is going on in the ssh stream because of the encryption. The risk to the user is assuming that either end is secure.

Where I work, the important servers don't run telnet or rlogin, because those protocols are "insecure". The servers only run ssh. Our network is switched. In order to sniff packets an attacker either needs to be in the machine room with a cable plugged into the switch, or they need to be on either of the two machines that the traffic is going between AND they need to be root. If they are root on either machine, then they can:

a) read the unencrypted TTY instead of the encrypted stream
b) read the local secret keys and decode the stream on the fly
c) replace ssh with a Trojan
d) trace the program and extract the unencrypted data from the write()s
e) many more things I can't think of right now

If no one has compromised my system, then it is safe to use telnet to login between machines. If someone has compromised my system however, I might as well use telnet since I can't trust ssh anymore.

If no one has compromised my system, and I need to login over an untrusted network, and I have a secure machine to login from, then ssh is the perfect tool. Where am I going to find a secure machine outside my network? I bet there are lots of secure machines all over the place, but I will never know which ones they are. If security is really important to me, I will never log in to any computer from any other computer I don't own (and hence trust) myself. That means that if I need to log in to work when I am off site, I need to have my own laptop that I keep powered down, encased in cement, buried in a vault, and guarded by an army (and even then can I really be sure it is secure)?

Last week I spent an entire day at work wondering how to protect my mail server from all the trouble that is expected from people trying to hide under the veil of Y2K. I took ssh out of the inetd.conf, and told everyone that they have to log in on console from now on.

(1): http://www.securityfocus.com/templates/forum_message.html?forum=2&head=32&id=32
(2): http://www.rootshell.org/mailinglist-archive/rs-25
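Two of the root-level attacks the post lists, a trojaned ssh binary (c) and a tracer attached to the ssh process (d), leave traces a defender can check for on the endpoint. The following Python script is an added example, not part of the original post: it compares the on-disk ssh binary against a SHA-256 recorded from a trusted install and reads the TracerPid field of /proc/<pid>/status for every running process named ssh. The baseline hash is a placeholder and the /proc layout assumed is Linux's.

```python
import hashlib
import os
import re
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def binary_matches_baseline(path, expected_sha256):
    """True if the binary on disk still matches the hash recorded at install time."""
    return sha256_file(path) == expected_sha256.lower()


def tracer_pid_from_status(status_text):
    """Parse TracerPid from a /proc/<pid>/status listing; 0 means nothing is attached, None if absent."""
    m = re.search(r"^TracerPid:\s*(\d+)$", status_text, re.MULTILINE)
    return int(m.group(1)) if m else None


def traced_processes(comm_name="ssh", proc_root="/proc"):
    """Return (pid, tracer_pid) for each process named comm_name that has a tracer attached."""
    found = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            status = Path(proc_root, entry, "status").read_text()
        except OSError:
            continue  # process exited, or we lack permission to read it
        name = re.search(r"^Name:\s*(.+)$", status, re.MULTILINE)
        if name and name.group(1) == comm_name:
            tracer = tracer_pid_from_status(status)
            if tracer:
                found.append((int(entry), tracer))
    return found


if __name__ == "__main__":
    # Placeholder: record the real value from a trusted install and keep it off the monitored host.
    BASELINE_SHA256 = "<sha256 recorded at install time>"
    print("ssh binary intact:", binary_matches_baseline("/usr/bin/ssh", BASELINE_SHA256))
    print("traced ssh processes:", traced_processes())
```

Keep the baseline hash somewhere root on the monitored host cannot rewrite it, since the post's point is that a compromised endpoint can alter anything local, the checker included.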