Security Basics mailing list archives
Re: Is SSH worth it??
From: David Corking <david.corking2 () dol net>
Date: Wed, 16 Oct 2002 23:49:49 -0500
On Tue, 15 Oct 2002, Chris Santerre wrote:
You know I always wondered about this method. su - has you input a password. So if a sysadmin is on a cable modem at home, logs in as normal user w/ ssh, then does an su - and enters password, how is that any different? You are being sniffed on the cable network.
But it is encrypted in the ssh tunnel
Keep in mind you can now sniff SSH packets. So how could this be more secure?
Randy is right (and I posted a more complete discussion elsewhere on this thread tonight -- the thread seems to have been split in two so I missed Randy's note before I wrote that.) Although you can sniff SSH packets, you don't know what is in them (or do you?) There is not yet a published theoretical way to break the encryption in the SSH V2.0 protocol.
So wouldn't a hacker now have both the first user pass and the su - ?
No. Now if the cracker broke into your home PC (through a Back Orifice trojan for example) then Chris is right - no amount of encryption or layers of passwords do any good -- the whole lot is compromised. Encryption really only protects you from interception (sniffing) *not* local compromises. (Cue smart cards and OTP technology ....)