Date: Sat, 30 Mar 2002 14:21:45 +0300 (MSK)
From: ark@eltex.ru
To: will@laserfence.net (Willie Viljoen)
Cc: peter.lai@uconn.edu, ark@eltex.ru, cjc@FreeBSD.ORG, adamtuttle@sympatico.ca, security@FreeBSD.ORG
Subject: Re: SSH or Telnet?
Message-ID: <200203301121.OAA08311@paranoid.eltex.ru>
In-Reply-To: <20020330111532.B508-100000@phoenix.vh.laserfence.net> from "Willie Viljoen" at Mar 30, 2002 11:20:48 AM
nuqneH,
I always do check what system I am on when in doubt ;)
I can't drink so much to forget that ;)
BTW kerberized telnet does encrypt the session too.
YOU (Willie Viljoen) WROTE:
>
> The problem is with more than just the cleartext password when you log
> in... it's cleartext everything.
>
> Consider this, you log in to your home PC, and get a prompt like this:
>
> %
>
> Now you telnet to a remote machine, log in with your clear text password,
> nobody sees anything, and it's not a very important machine anyway, just
> your office box which you want to instruct to download a file with its
> enormous bandwidth... no harm here.
>
> Now, you finished downloading, you get another prompt:
>
> %
>
> A few hours later you come home drunk from one wild party because you had
> to attend to some serious tech matter on some very important corporate
> webserver hosted in whoknowswhereville.
>
> You see your local box prompt:
>
> %
>
> You do this:
>
> % ssh some.very.important.corporate.server.in.whoknowswhereville.com
>
> You enter your password to authenticate, you're in and fix the problem, go
> to sleep, everything's fine.
>
> The next morning, that very important server in whoknowswhereville is
> hacked and not responding to SSH sessions, why?
>
> Consider this... when you got back from the party, the % prompt you saw
> was not of your local box, it was the prompt on the remote machine you
> telnetted to.
>
> When you entered your password for the very important server, it went in
> clear text to your remote box, and only encrypted with a session key from
> there. Some malicious brat who was playing with dad's computer at the
> office, supposedly not downloading porn, saw your password for the very
> important server and after you'd fixed the problem and logged off, he
> logged on.
>
> If that doesn't tell you that cleartext might be a bad thing, your cube is
> probably under a rock, away from the imperfect world we live in today.
>
> Will
>
> On Sat, 30 Mar 2002, Peter C. Lai wrote:
>
> > Wouldn't Kerberized Telnet or SRA authentication fix the
> > plaintext passwords problem?
> >
> > Of course, you'd have to make sure you don't telnet or su
> > from that session :)
> >
> > On Fri, Mar 29, 2002 at 02:45:59PM +0300, ark@eltex.ru wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > >
> > > What's wrong with telnet? I use it frequently and I am pretty satisfied with
> > > it.
> > >
> > > (I don't need to encrypt sessions, there is no sensitive information inside.
> > > Don't tell me about cleartext passwords, there are no cleartext passwords.
> > > And if you really need encryption you may run telnet over ipsec)
> > >
> > > "Crist J. Clark" <cjc@FreeBSD.ORG> said :
> > >
> > > > On Thu, Mar 28, 2002 at 04:33:23PM -0500, Adam wrote:
> > > > > I would highly suggest that you use telnet. As long as you keep it updated
> > > > > and patched you shouldn't have any problems with it..
> > > >
> > > > Dude, pass whatever the hell you are smoking down here.
> > >
> > >
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-security" in the body of the message
> >
> >
>
> --
> Willie Viljoen
> Private IT Consultant
>
> 214 Paul Kruger Avenue
> Universitas
> Bloemfontein
> 9321
>
> South Africa
>
> +27 51 522 15 60, a/h +27 51 522 44 36
> +27 82 404 03 27
>
> will@laserfence.net
>
--
_ _ _ _ _ _ _
{::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_
(##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_|
[||] [||] [||] Do i believe in Bible? Hell,man,i've seen one!