[linux-elitists] telnet weenie frenzy!
Mon Feb 26 13:31:31 PST 2001
begin Bulent Murtezaoglu quotation:
> SSH is vulnerable to man-in-the-middle attacks in the default config
> installed by most of the distributions I know.

Once you look past the more sleazoid security columnists, you find the
following situation: (1) SSH provides no magic means to distribute host
keys. You must therefore either distribute them yourself, or decide
to trust that a new host key is not from a man-in-the-middle imposter.
In the latter case, the software will prominently warn you of the risk
you would assume in accepting the new host key. (2) If your connection
request encounters a changed host key, the software will again
prominently warn you that it may indicate that you've reached a
man-in-the-middle imposter, and not the desired destination system.
Thus, you can be bitten by imposter hosts, but only if someone has
stolen the host's (extremely secret) private key, or if you are
_really frigging stupid_ and ignore clear, succinct, in-your-face

> If you take careless system administration as a given, it is also
> vulnerable to dictionary attacks much like telnet (extrapolate to ftp
> for regular users).

Possibly, though I doubt you could open successive ssh sessions rapidly
enough for a useful attack of that nature. Also, the more-paranoid SSH
setups mandate RSA or DSA key-pairs and passphrases, rather than

> Anonymous read-only ftp is just as secure IMHO as http, if we can
> assume solid server software.

True -- where you don't need user logins. Please see also:

[distributions usually now have reasonable SSH packages:]
> Usually delivered by insecure methods.

True, as far as you're going, but if (e.g.) non-us.debian.org or its DNS
has been compromised and remains that way for any significant period,
then I and others have much bigger problems.

Cheers,                         We write precisely          We say exactly
Rick Moen                       Since such is our habit in  How to do a thing or how
firstname.lastname@example.org  Talking to machines;        Every detail works.
Excerpt from Prof. Touretzky's decss-haiku.txt @ http://www.cs.cmu.edu/~dst/
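
The host-key outcomes described in the message above (a key that matches the stored one, a key from a host never seen before, and a key that differs from the stored one), as an added example that is not part of the original post or of any SSH implementation. It assumes the plain `host[,host] keytype base64-key` form of known_hosts lines; the host names, key blobs and function names are constructed for illustration.

```python
import base64
import hashlib

# Constructed sample data: placeholder blobs, not real host keys.
KEY_A = base64.b64encode(b"constructed-host-key-A").decode()
KEY_B = base64.b64encode(b"constructed-host-key-B").decode()
KNOWN_HOSTS = f"""# constructed known_hosts content
shell.example.org,192.0.2.10 ssh-rsa {KEY_A} verified-out-of-band
"""

def parse_known_hosts(text):
    """Map host name -> {key type: key blob}; plain (unhashed) entries only."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        # Simplification: comments, @marker lines and hashed (|1|...) hosts are skipped.
        if not line or line.startswith(("#", "@", "|")):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed entry
        hosts, keytype, blob = fields[:3]
        for host in hosts.split(","):
            table.setdefault(host, {})[keytype] = blob
    return table

def fingerprint(blob):
    """SHA-256 of the decoded key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_host_key(table, host, keytype, blob):
    """Return (verdict, fingerprint) for the key a host presents."""
    known = table.get(host, {})
    fp = fingerprint(blob)
    if keytype not in known:
        return ("UNKNOWN", fp)  # no stored key: verify fp out of band before trusting
    if known[keytype] == blob:
        return ("MATCH", fp)    # same key as the stored one
    return ("CHANGED", fp)      # stored key differs: possible man in the middle

if __name__ == "__main__":
    table = parse_known_hosts(KNOWN_HOSTS)
    presented = [("shell.example.org", KEY_A), ("192.0.2.10", KEY_B),
                 ("new.example.org", KEY_A)]
    for host, blob in presented:
        print(host, *check_host_key(table, host, "ssh-rsa", blob))
```

The fingerprint returned with an `UNKNOWN` verdict is the value to compare against one obtained from the host's administrator over a separate channel.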