From owner-freebsd-security  Sat Mar 30  1:21:57 2002
Delivered-To: freebsd-security@freebsd.org
Received: from prometheus.vh.laserfence.net (prometheus.laserfence.net [196.44.73.116])
	by hub.freebsd.org (Postfix) with ESMTP id A39A537B48D;
	Sat, 30 Mar 2002 01:21:39 -0800 (PST)
Received: from phoenix.vh.laserfence.net ([192.168.0.10])
	by prometheus.vh.laserfence.net with esmtp (Exim 3.34 #1)
	id 16rF2Y-0003UG-00; Sat, 30 Mar 2002 11:20:50 +0200
Date: Sat, 30 Mar 2002 11:20:48 +0200 (SAST)
From: Willie Viljoen
X-X-Sender: will@phoenix.vh.laserfence.net
To: peter.lai@uconn.edu
Cc: ark@eltex.ru, , ,
Subject: Re: SSH or Telnet?
In-Reply-To: <20020330034128.B67123@cowbert.2y.net>
Message-ID: <20020330111532.B508-100000@phoenix.vh.laserfence.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

The problem is with more than just the cleartext password when you log
in... it's cleartext everything.

Consider this, you log in to your home PC, and get a prompt like this:

%

Now you telnet to a remote machine, log in with your clear text password,
nobody sees anything, and it's not a very important machine anyway, just
your office box which you want to instruct to download a file with its
enormous bandwidth... no harm here.

Now, you finished downloading, you get another prompt:

%

A few hours later you come home drunk from one wild party because you had
to attend to some serious tech matter on some very important corporate
webserver hosted in whoknowswhereville. You see your local box prompt:

%

You do this:

% ssh some.very.important.corporate.server.in.whoknowswhereville.com

You enter your password to authenticate, you're in and fix the problem, go
to sleep, everything's fine.
The next morning, that very important server in whoknowswhereville is
hacked and not responding to SSH sessions, why?

Consider this... when you got back from the party, the % prompt you saw
was not of your local box, it was the prompt on the remote machine you
telnetted to. When you entered your password for the very important
server, it went in clear text to your remote box, and only encrypted with
a session key from there. Some malicious brat who was playing with dad's
computer at the office, supposedly not downloading porn, saw your password
for the very important server and after you'd fixed the problem and logged
off, he logged on.

If that doesn't tell you that cleartext might be a bad thing, your cube is
probably under a rock, away from the imperfect world we live in today.

Will

On Sat, 30 Mar 2002, Peter C. Lai wrote:

> Wouldn't Kerberized Telnet or SRA authentication fix the
> plaintext passwords problem?
>
> Of course, you'd have to make sure you don't telnet or su
> from that session :)
>
> On Fri, Mar 29, 2002 at 02:45:59PM +0300, ark@eltex.ru wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> > What's wrong with telnet? I use it frequently and I am pretty satisfied with
> > it.
> >
> > (I don't need to encrypt sessions, there is no sensitive information inside.
> > Don't tell me about cleartext passwords, there are no cleartext passwords.
> > And if you really need encryption you may run telnet over ipsec)
> >
> > "Crist J. Clark" said :
> >
> > > On Thu, Mar 28, 2002 at 04:33:23PM -0500, Adam wrote:
> > > > I would highly suggest that you use telnet. As long as you keep it updated
> > > > and patched you shouldn't have any problems with it..
> > >
> > > Dude, pass whatever the hell you are smoking down here.
> >
> >
> >         _     _  _  _     _  _  _     _
> >  {::}  {::}  {::}  CU in Hell  _| o |_ | | _|| |  / _||_| |_ |_ |_
> >  (##)  (##)  (##)        /Arkan#iD |_ o _||_| _||_|  / _| |  o |_||_||_|
> >  [||]  [||]  [||]  Do i believe in Bible? Hell,man,i've seen one!
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP 6.5.1i
> >
> > iQCVAwUBPKRT9qH/mIJW9LeBAQHW2QP/f5kQb2ikGqjdT/O321NJ56fWyW4IkMCe
> > RU9dl1FU4lLhAKE5f625ZvRQVzCLwW1EwHXps13dGQHrWVsBGKziLNGFszcn1jHA
> > K+xIKIxFA8hm4oWmw4ww2HLPU7hwHuGA7h/F+gh6nbnJuogRXVb+t8c3QdsSvDiA
> > VoFXEmA3194=
> > =urmJ
> > -----END PGP SIGNATURE-----
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> >

--
Willie Viljoen
Private IT Consultant

214 Paul Kruger Avenue
Universitas
Bloemfontein
9321
South Africa

+27 51 522 15 60, a/h +27 51 522 44 36
+27 82 404 03 27

will@laserfence.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
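The scenario Will describes can be made concrete from the defender's side. The following is an added example, not code from this thread or from the FreeBSD project: it decodes a telnet client-to-server byte stream (RFC 854 framing: IAC option negotiation and subnegotiation stripped, leaving the keystrokes) and flags every line that was typed in answer to a nested `ssh`/`su` prompt, since that line crossed the telnet hop in cleartext. The byte stream, the login names and the passwords are constructed for the example; the function names (`strip_telnet_negotiation`, `recover_typed_lines`, `find_nested_auth_exposure`) and the `NESTED_AUTH_COMMANDS` list are my own choices, and the detector deliberately reports only where a secret was exposed and how long it was, never the secret itself.

```python
"""Decode a telnet client-to-server byte stream (RFC 854 framing) and flag
credentials that were typed into a nested ssh/su session over that
cleartext hop.  Added example; the byte stream below is constructed."""

# Telnet command bytes from RFC 854, and the two option numbers used below.
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
ECHO, TERMINAL_TYPE = 1, 24

# Commands that prompt for a secret on the *next* line.  When they are run
# inside a telnet session, that secret crosses the telnet hop in the clear.
# (Hypothetical list chosen for this example.)
NESTED_AUTH_COMMANDS = ("ssh", "su", "sudo", "scp", "sftp")


def strip_telnet_negotiation(stream):
    """Return the application bytes (keystrokes) with IAC sequences removed."""
    out = bytearray()
    i, n = 0, len(stream)
    while i < n:
        b = stream[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:          # dangling IAC at the end of the capture: ignore
            break
        cmd = stream[i + 1]
        if cmd == IAC:          # IAC IAC is an escaped 0xff data byte
            out.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):
            i += 3              # three-byte option negotiation
        elif cmd == SB:         # subnegotiation runs until IAC SE
            end = stream.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:
            i += 2              # two-byte command (NOP, AYT, ...)
    return bytes(out)


def recover_typed_lines(stream):
    """Split the decoded keystrokes into the lines the user typed.
    Telnet clients end a line with CR LF or CR NUL; both are normalised."""
    data = strip_telnet_negotiation(stream).replace(b"\r\x00", b"\r\n")
    lines = data.decode("ascii", errors="replace").split("\r\n")
    if lines and lines[-1] == "":
        lines.pop()             # drop the empty tail after the final newline
    return lines


def find_nested_auth_exposure(lines):
    """Report every secret typed in answer to a nested authentication prompt.
    Only the position and length of the exposed line are returned."""
    findings = []
    for idx in range(len(lines) - 1):
        words = lines[idx].strip().split()
        if words and words[0].rsplit("/", 1)[-1] in NESTED_AUTH_COMMANDS:
            findings.append({
                "line": idx,
                "command": lines[idx].strip(),
                "exposed_chars": len(lines[idx + 1]),
            })
    return findings


# Constructed client-to-server stream: option negotiation, the telnet login
# itself (also cleartext, but that is the known cost of telnet), a download,
# then the ssh hop from the story with its password typed on the next line.
SAMPLE_STREAM = (
    bytes([IAC, WILL, TERMINAL_TYPE])
    + bytes([IAC, DO, ECHO])
    + bytes([IAC, SB, TERMINAL_TYPE, 0]) + b"xterm" + bytes([IAC, SE])
    + b"will\r\n"
    + b"hunter2\r\n"
    + b"fetch http://example.invalid/big.iso\r\n"
    + b"ssh some.very.important.corporate.server.in.whoknowswhereville.com\r\n"
    + b"s3cret!\r\n"
    + b"exit\r\n"
)

if __name__ == "__main__":
    for f in find_nested_auth_exposure(recover_typed_lines(SAMPLE_STREAM)):
        print("line %(line)d: %(command)r was followed by a %(exposed_chars)d-char "
              "secret that crossed the telnet hop in cleartext" % f)
```

Run against the constructed stream, the decoder reports one finding: the `ssh` command line followed by a 7-character secret. That is exactly the exposure in the story, and it is visible to anyone on the path of the first hop regardless of how strong the SSH session on the second hop is; the same logic applies to `su` on the telnetted box, which Peter's reply also warns about.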