nanog mailing list archives

Re: 'we should all be uncomfortable with the extent to which luck ..'


From: David Shaw <dshaw () jabberwocky com>
Date: Wed, 25 Jul 2001 15:06:17 -0400


On Wed, Jul 25, 2001 at 02:58:08PM -0400, John Fraizer wrote:
> On Wed, 25 Jul 2001, David Shaw wrote:
> 
> > On Tue, Jul 24, 2001 at 11:42:21PM -0700, Roeland Meyer wrote:
> > > How many of us here run anything less than SSH and even allow telnetd to
> > > live on any of our hosts?
> > 
> > telnetd is not inherently bad.  It is a tool that is lacking the
> > session encryption and strong authentication features of SSH, but is
> > still useful in some cases.  Like any tool it can be used poorly, but
> > that is not the fault of the tool.
> > 
> > For example, when traveling, I can log in securely from any random
> > Internet cafe using OPIE or S/Key one-time passwords via telnet.  SSH
> > requires that you trust your local machine, and OPIE assumes that you
> > don't.
> 
> You may not expose your password to get into your network but, you do
> expose everything else that happens on the connection, including the
> passwords to devices that do not use/support OPIE or S/Key
> authentication.

Absolutely.  OPIE is a strongly authenticated login tool.  It does not
encrypt the session.  I am aware of this, and thus don't type anything
I don't want sniffed.

> You can run an SSH client in a java applet in nearly any browser.
> If some devices on your network don't support ssh, ssh into
> something that does and from there, telnet to the devices that
> don't.

This is the part I disagree with.  Given my example (needing to
connect from a public machine while traveling), I cannot trust the
local terminal.

The SSH protocol requires a secure local terminal so using the Java
SSH client does not protect me in the slightest if I can't trust that
terminal, and a public terminal, by its very nature, can never be
trusted.

David

-- 
   David Shaw  |  dshaw () jabberwocky com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
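The property David is relying on above is that an OPIE/S/Key one-time password is useless to anyone who sniffs it: the server only ever stores the hash of the next expected value, so a captured password cannot be replayed. The following is an added illustration of that hash-chain scheme, not code from the original post or from OPIE itself; it uses SHA-256 in place of the 64-bit folded MD4/MD5 of RFC 1760/2289, and the passphrase, seed and counter are constructed sample values.

```python
import hashlib

def otp_chain(passphrase: str, seed: str, n: int) -> bytes:
    """H^n(seed || passphrase): the one-time password for sequence number n.
    (Simplified: real S/Key/OPIE fold MD4/MD5 output to 64 bits.)"""
    value = (seed + passphrase).encode()
    for _ in range(n):
        value = hashlib.sha256(value).digest()
    return value

class OtpServer:
    """Server side. Holds only the hash of the *next* acceptable password,
    never the passphrase, so a compromised server file is not a password list."""
    def __init__(self, passphrase: str, seed: str, count: int):
        self.seed = seed
        self.seq = count
        # Enrollment: computed once with the passphrase, then the passphrase is forgotten.
        self.last = otp_chain(passphrase, seed, count)

    def challenge(self) -> tuple[int, str]:
        # Sent in the clear over telnet; tells the client which chain element to compute.
        return self.seq - 1, self.seed

    def verify(self, response: bytes) -> bool:
        if self.seq <= 1:                      # chain exhausted: re-enroll required
            return False
        if hashlib.sha256(response).digest() != self.last:
            return False
        # Accept, then move down the chain so this exact value can never work again.
        self.last = response
        self.seq -= 1
        return True

def client_respond(passphrase: str, seq: int, seed: str) -> bytes:
    # Done on the untrusted terminal (or a pocket calculator/printed list in practice).
    return otp_chain(passphrase, seed, seq)

def demo() -> tuple[bool, bool, bool, bool]:
    """Returns (first login ok, replay of sniffed OTP ok, next login ok, wrong passphrase ok)."""
    server = OtpServer("correct horse battery", "jw0001", 100)   # constructed sample values
    seq, seed = server.challenge()
    otp = client_respond("correct horse battery", seq, seed)
    first = server.verify(otp)
    replay = server.verify(otp)                 # same value seen on the wire, presented again
    seq, seed = server.challenge()
    second = server.verify(client_respond("correct horse battery", seq, seed))
    seq, seed = server.challenge()
    wrong = server.verify(client_respond("wrong passphrase", seq, seed))
    return first, replay, second, wrong
```

Note what the scheme does not do, as John points out: everything typed after the login, including passwords for devices that lack OTP support, still crosses the telnet session in plaintext.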

