Re: ssh - are you nuts?!?
- To: tech_(_at_)_openbsd_(_dot_)_org
- Subject: Re: ssh - are you nuts?!?
- From: Al Lipscomb <arl_(_at_)_q7_(_dot_)_net>
- Date: Sat, 9 Dec 2000 13:37:24 -0500
- Mail-followup-to: tech_(_at_)_openbsd_(_dot_)_org
- Reply-to: arl_(_at_)_q7_(_dot_)_net
> >> Next month I'm giving a talk about the evils of SSH.
> >> I'd like to hear from the OpenBSD community why
> >> they believe ssh is better than, say, telnet.
> > Assuming that this is not just a troll, there are a number of reasons to use
> > OpenSSH over a standard telnet session. The first being that recovering
> > passwords/keys from an SSH connection is non-trivial.
> What exactly does this mean?
> Is it providing a value for security?
"non-trivial" means hard, expensive, time-consuming. If I follow best practices,
by the time you can decode my session using available techniques I will have
changed my password(s).
> > This would allow
> > in-band administration of boxes with exposed networks and only moderate
> > security requirements (for example remote web servers not being used for
> > financial transactions). This also provides for transfer of data over a
> > channel that is expensive to decrypt.
> Your response seems to suggest that you are not using SSH.
> That may not be a correct assumption on my part.
I am using SSH.
> Your response also suggests that SSH-transferred data might
> require an expert to decrypt, an expert with lots of resources
> (time, money, etc.). Is that really the case?
It would require an expert to design the attack. Once designed, tools could
be built and the average person could then use the attack. It would take a lot
of computer CPU time to break into the data. If I had broken into 100 Linux
boxes and had them all working on part of the key space, then I would not
need as much money.
> > The ability to forward other ports across the channel also permits more
> > robust access to remote hosts without the need to open additional ports in
> > the firewall.
> I'm sorry I have no idea what this means.
> What do you mean by "the ability to forward"?
You need to study up on SSH a bit before your talk.
OK, I open an SSH session to my computer at home. I want to use a graphics
package such as GIMP that requires the X Window protocol. By forwarding the
packets for the X session through my SSH session it is harder for someone to
see what I am doing.
Security is about making things hard for the intruder. Ancient forts made things
hard, not impossible. That is what SSH and other encryption tools do.
You asked another question about compression. Compression removes redundant
data. This is often used before encryption to remove patterns from the data
that could be used to help guess the contents. If there are no repeated patterns,
then knowing that e, i, t are the most common letters used does not help
in guessing the text.
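The compression point above, as an added example that is not part of the original message or of OpenSSH: the script below compresses a constructed English sample with zlib and compares the byte-frequency distribution and per-byte entropy before and after. The sample text, the function names and the thresholds are this example's own assumptions; the only library used is the standard zlib module.

```python
"""Added example (not from the original thread): measure how much
letter-frequency structure survives compression, to illustrate the
claim that compressing before encrypting removes patterns from the
input. The sample text below is constructed for this example."""
import math
import zlib
from collections import Counter

# Constructed sample: a few sentences of ordinary English prose,
# repeated so the compressor also has long matches to remove.
SAMPLE_TEXT = (
    "The quick brown fox jumps over the lazy dog. "
    "Security is about making things hard for the intruder; "
    "ancient forts made things hard, not impossible. "
    "Encryption tools do the same thing: they raise the cost of "
    "reading the data until the secret has lost its value. "
    "The letters e, t and i appear again and again in English text, "
    "and an attacker who knows that can use it to guess the contents "
    "of a message that was encrypted without first being compressed. "
) * 3


def symbol_frequencies(data: bytes) -> list:
    """Return (byte value, fraction of total) pairs, most common first."""
    counts = Counter(data)
    total = len(data)
    return [(b, n / total) for b, n in counts.most_common()]


def shannon_entropy_bits(data: bytes) -> float:
    """Entropy per byte in bits; 8.0 would mean every byte value is equally likely."""
    total = len(data)
    return -sum((n / total) * math.log2(n / total)
                for n in Counter(data).values())


def top_share(data: bytes, k: int = 3) -> float:
    """Combined share of the k most frequent byte values (the e/i/t argument)."""
    return sum(frac for _, frac in symbol_frequencies(data)[:k])


def compare(plain: bytes) -> dict:
    """Compress plain with zlib and report how the byte distribution changed."""
    packed = zlib.compress(plain, 9)
    return {
        "plain_len": len(plain),
        "packed_len": len(packed),
        "plain_entropy": shannon_entropy_bits(plain),
        "packed_entropy": shannon_entropy_bits(packed),
        "plain_top3": top_share(plain),
        "packed_top3": top_share(packed),
        "plain_top_symbol": chr(symbol_frequencies(plain)[0][0]),
    }


if __name__ == "__main__":
    r = compare(SAMPLE_TEXT.encode())
    print(f"plaintext:  {r['plain_len']} bytes, "
          f"{r['plain_entropy']:.2f} bits/byte, top-3 symbols carry "
          f"{r['plain_top3']:.0%} (most common: {r['plain_top_symbol']!r})")
    print(f"compressed: {r['packed_len']} bytes, "
          f"{r['packed_entropy']:.2f} bits/byte, top-3 symbols carry "
          f"{r['packed_top3']:.0%}")
```

Run it and the plaintext shows the expected skew (space and e dominate, entropy well under 5 bits per byte) while the compressed stream is close to uniform, so a frequency table of English letters tells an attacker nothing about it. One caveat a practitioner should keep in mind, outside the scope of this exchange: compressing before encrypting also makes ciphertext length depend on the content, which can itself leak information when an attacker controls part of what is compressed.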