Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: 'we should all be uncomfortable with the extent to which luck ..'

  • From: David Shaw
  • Date: Wed Jul 25 15:12:11 2001

On Wed, Jul 25, 2001 at 02:58:08PM -0400, John Fraizer wrote:
> On Wed, 25 Jul 2001, David Shaw wrote:

> > On Tue, Jul 24, 2001 at 11:42:21PM -0700, Roeland Meyer wrote:
> > > How many of us here run anything less than SSH and even allow telnetd to
> > > live on any of our hosts?
> > 
> > telnetd is not inherently bad.  It is a tool that is lacking the
> > session encryption and strong authentication features of SSH, but is
> > still useful in some cases.  Like any tool it can be used poorly, but
> > that is not the fault of the tool.
> > 
> > For example, when traveling, I can log in securely from any random
> > Internet cafe using OPIE or S/Key one-time passwords via telnet.  SSH
> > requires that you trust your local machine, and OPIE assumes that you
> > don't.

> You may not expose your password to get into your network but, you do
> expose everything else that happens on the connection, including the
> passwords to devices that do not use/support OPIE or S/Key
> authentication.

Absolutely.  OPIE is a strongly authenticated login tool.  It does not
encrypt the session.  I am aware of this, and thus don't type anything
I don't want sniffed.

> You can run an SSH client in a java applet in nearly any browser.
> If some devices on your network don't support ssh, ssh into
> something that does and from there, telnet to the devices that
> don't.

This is the part I disagree with.  Given my example (needing to
connect from a public machine while traveling), I cannot trust the
local terminal.

The SSH protocol requires a secure local terminal so using the Java
SSH client does not protect me in the slightest if I can't trust that
terminal, and a public terminal, by its very nature, can never be
trusted.

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.