Re: Is SSH worth it??

[David Corking <david.corking2 () dol net>]

On Tue, 15 Oct 2002, Chris Santerre wrote:

> You know I always wondered about this method. su - has you input a password.
> So If a sysadmin is on a cable modem at home, logs in as normal user w/ ssh,
> then does an su - and enters password, How is that any different? You are
> being sniffed on the cable network. 

But it is encrypted in the ssh tunnel

> Keep in mind you can now sniff SSH
> packets. So how could this be more secure? 

Randy is right (and I posted a more complete discussion elsewhere on
this thread tonight -- the thread seems to have been split in two so I
missed Randy's note before I wrote that.)

Although you can sniff SSH packets you don't know what is in them (or
do you?)  There is not yet a published theoretical way to break the
encryption in SSH V2.0 protocol.

> So wouldn't a hacker now have
> both the first user pass and the su - ?

No.  Now if the cracker broke into your home PC (through a back
orifice trojan for example) then Chris is right - no amount of
encryption or layers of passwords do any good -- the whole lot is
compromised.
 
Encryption really only protects you from interception (sniffing) *not*
local compromises.  (Cue smart cards and OTP technology ....)