From: Jason Stone
To: FreeBSD Security <freebsd-security@freebsd.org>
Date: Sat, 30 Mar 2002 04:39:16 -0800 (PST)
Subject: Re: SSH or Telnet?
In-Reply-To: <20020329220256.N38382-100000@topperwein.dyndns.org>
Message-ID: <20020330041645.X2704-100000@walter>

> Have a look at ethereal or dsniff. You will be surprised. And of course
> dsniff also contains ssh-mitm....
>
> And if you really need encryption you may run telnet over ipsec)
>
> IPsec is a VPN solution. If someone in the LAN to which you're
> VPN-ing is running a sniffer, then what?

IPSec is not a VPN solution - it supports tunnel mode, but its native
mode is, well, native mode, which both encrypts and authenticates every
ip packet between two properly configured machines.

Anyway, yeah, there are alternatives to ssh - whatever over ipsec,
whatever over an ssl tunnel, kerberized+encryption whatever, whatever.
While ssh/openssh has a long history of bugs, both security-related and
otherwise (the deattack overrun, the recent off-by-one bug, a couple of
keyfile parsing bugs, the serverloop race, etc), it is widely deployed,
widely used (so bugs tend to get noticed/fixed pretty quickly), and even
if you don't pre-exchange hostkeys, it provides some protection, so right
now, it seems like the best general-purpose solution.

Maybe someday DNSSec will get deployed and become the generic keystore
for IPSec, allowing crypto to become ubiquitous for all applications, but
in the meantime, ssh seems like the best option.

 -Jason

-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about. I worry that
10 or 15 years from now, she will come to me and say "Daddy, where were
you when they took freedom of the press away from the Internet?"
	-- Mike Godwin
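The "properly configured" transport-mode setup Jason describes, as an added example that is not part of the original message: a FreeBSD setkey(8) policy file for host A (10.0.0.1) exchanging traffic with host B (10.0.0.2), with the "require" level so that no matching packet can ever go out or be accepted in the clear. Addresses, SPIs and keys are constructed placeholders, and manual keying is assumed; host B loads the same file with the -P in/out directions swapped.

```conf
# Load with: setkey -c < ipsec.conf   (host A, 10.0.0.1)
# Clear any stale SAs and policies first.
flush;
spdflush;

# Security policies, "any" upper protocol: every IP packet between the
# two hosts must be protected by ESP in transport mode. "require" makes
# the kernel drop unprotected packets instead of falling back to plaintext,
# so a telnet session over this pair is never visible to a LAN sniffer.
spdadd 10.0.0.1 10.0.0.2 any -P out ipsec esp/transport//require;
spdadd 10.0.0.2 10.0.0.1 any -P in  ipsec esp/transport//require;

# Manually keyed SAs, one per direction (SAs are unidirectional).
# -E supplies the ESP cipher, -A the ESP authenticator, so each packet is
# both encrypted and integrity-checked. Keys below are constructed
# placeholders (128-bit cipher key, 160-bit HMAC key); generate real ones
# from a CSPRNG and never reuse them across hosts.
add 10.0.0.1 10.0.0.2 esp 0x10001
    -E rijndael-cbc 0x00112233445566778899aabbccddeeff
    -A hmac-sha1    0x00112233445566778899aabbccddeeff00112233;
add 10.0.0.2 10.0.0.1 esp 0x10002
    -E rijndael-cbc 0xffeeddccbbaa99887766554433221100
    -A hmac-sha1    0x33221100ffeeddccbbaa99887766554433221100;
```

Check the loaded state with "setkey -D" (SAs) and "setkey -DP" (policies); a tcpdump on the wire should then show only ESP packets between the two hosts.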