Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: telnet vs ssh on Core equipment , looking for reasons why ?

  • From: Greg Maxwell
  • Date: Tue Jul 31 11:05:47 2001

On Tue, 31 Jul 2001 alex@yuriev.com wrote:

> > > > so thats my main logic, authentication... i cant understand the big
> > > > paranoia on people sniffing tho!
> > >
> > > unfortunately ssh is just as sniffable if it's an arp spoof, but hopefully
> > > it's not as easy for the naughty eavesdropper to get into the right
> > > position for that....
>
> Pardon for blowing your bubble but sniffing ssh keyexchange does not do you
> any good. The symmetric key is exchanged via a channel already secured. The
> keys that are used to secure the channel used to exchange the symmetric key
> are exchanged via DH-based protocol. If you want to spend your time
> factoring primes for next 500 years to extract the key, you are more than
> welcome to try. It is crypto-101.

If you can arp spoof as indicated in the message you are replying to, you
can perform an MTM attack which SSH offers only minimal security against
(in the form of stored host keys that users often choose to ignore or not
verify the fingerprint). Look to SRP for a MTM-less password
authentication solution.
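The defence the message points at is the stored host key: a man-in-the-middle can only succeed if the client accepts a key that differs from the one it has on record, so the check that matters is the comparison against known_hosts, not the DH exchange itself. The following is an added example, not part of the archived message, showing that check in Python: it builds two constructed ssh-ed25519 public-key blobs (a genuine key and an impostor's), computes OpenSSH-style SHA256 fingerprints, and verifies a presented key against a constructed known_hosts file that contains both a plain hostname entry and a HashKnownHosts (`|1|salt|hmac`) entry. The hostnames, addresses, salt and key bytes are all made up for the example; the key type is a modern one that did not exist when this thread was written.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(raw32: bytes) -> bytes:
    """Build the wire-format public-key blob OpenSSH stores for ssh-ed25519.
    raw32 stands in for the 32-byte public key; here it is a constructed placeholder."""
    if len(raw32) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    return _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)


# Constructed sample keys (not real keys): the router's genuine key and the
# key an ARP-spoofing interceptor would present instead.
GENUINE_KEY = make_ed25519_blob(bytes(range(1, 33)))
IMPOSTOR_KEY = make_ed25519_blob(bytes(range(101, 133)))


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 over the key blob, base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_hostname(hostname: str, salt: bytes) -> str:
    """HashKnownHosts form of a host field: |1|b64(salt)|b64(HMAC-SHA1(salt, hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(host_field: str, hostname: str) -> bool:
    """Match a known_hosts host field: comma-separated names, or a |1| hashed entry."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, _ = host_field.split("|", 3)
        salt = base64.b64decode(salt_b64)
        return hmac.compare_digest(hash_hostname(hostname, salt), host_field)
    return hostname in host_field.split(",")


def verify_host_key(known_hosts: str, hostname: str, presented_blob: bytes) -> str:
    """Return 'ok' if the presented key equals a stored key for this host,
    'MISMATCH' if the host is known with a different key (the MTM case),
    'unknown' if there is no entry at all (first contact: verify the fingerprint)."""
    seen_host = False
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        host_field, key_b64 = fields[0], fields[2]
        if not host_matches(host_field, hostname):
            continue
        seen_host = True
        stored = base64.b64decode(key_b64)
        # The blob carries the key type, so comparing blobs also compares types.
        if hmac.compare_digest(stored, presented_blob):
            return "ok"
    return "MISMATCH" if seen_host else "unknown"


# Constructed known_hosts: one plain entry, one hashed entry, same genuine key.
SALT = b"0123456789abcdef0123"  # constructed 20-byte salt
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    "core1.example.net,192.0.2.10 ssh-ed25519 " + base64.b64encode(GENUINE_KEY).decode(),
    hash_hostname("core2.example.net", SALT) + " ssh-ed25519 " + base64.b64encode(GENUINE_KEY).decode(),
])


if __name__ == "__main__":
    print("genuine :", fingerprint(GENUINE_KEY))
    print("impostor:", fingerprint(IMPOSTOR_KEY))
    for host, key in [("core1.example.net", GENUINE_KEY), ("192.0.2.10", IMPOSTOR_KEY),
                      ("core2.example.net", IMPOSTOR_KEY), ("core3.example.net", GENUINE_KEY)]:
        print("%-18s %s" % (host, verify_host_key(KNOWN_HOSTS, host, key)))
```

The "unknown" result is the moment the message is talking about: a client with no stored key has nothing to compare against, and the fingerprint it prints is only useful if the operator checks it against a value obtained out of band (console, a distributed key list). Once an entry exists, a changed key from the same address is the signal of interception and should be treated as a hard failure, not a prompt to be clicked through.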
