[linux-elitists] telnet weenie frenzy!

Rick Moen rick@linuxmafia.com
Tue Feb 27 08:36:18 PST 2001


begin  Bulent Murtezaoglu quotation:

> D: If you assume link layer is safe on either end, this eavesdropping
> has to happen in the Internet at large in some intermediate router.
> If your adversary has access to IP level data stream, then you're
> likely to lose with ssh in default config also (man-in-the-middle).

Well, no.  As I was saying, this hysteria about man-in-the-middle
amounts to nothing more than "don't ignore any red-light warning
about unexpected changes of host key" combined with the _obvious_,
well-known need to deliver host keys in some out-of-band fashion.  

The fact that one semi-clued "security expert" saw fit to characterise
this situation as a "vulnerability" doesn't make it so.   

> Furthermore, given that you're most likely getting your ssh (and
> other) software through the Internet, your adversary does not even
> need to sniff anything...

Again, this isn't Devil's advocacy; it's Chicken Little-ism.  You talk
as if it were trivial to compromise the distribution channels for
even careful retrievers of security software, _and_ have that remain
undetected for significant periods of time.  You will find (e.g.) that
compromising either non-us.debian.org or its DNS, and remaining
undetected, is seriously difficult.

> Rick Moen corrected me on this (thanks).  The dictionary attack I had
> in mind was repeatedly trying username/password pairs through the net.
> I claimed ssh with user/password authentication was just as vulnerable
> to this as telnet given a negligent sysadmin.  I agree that it
> probably would not be practical because of the time it takes per try
> (true for both though).

It is true for both, but not _equally_ true:  Remote dictionary attacks
against an sshd would take vastly longer, because of the crypto
overhead.
 
> If your link layer is not safe, then you have a ton of additional problems.
> Disruptions and IP hijacking through creative ARPing (or creative
> use of arping(8)) come to mind.  

I should probably not attempt to parse and analyse this until after I've
had my morning coffee.  

> If you are convinced your telnet is vulnerable, apt-get install ssh
> will not necessarily protect you.

As the saying goes, security is a hard problem.  But I think you vastly
underestimate the difficulties attackers face in the scenarios you've
proposed.

-- 
Cheers,             We write precisely            We say exactly
Rick Moen           Since such is our habit in    How to do a thing or how
rick@linuxmafia.com Talking to machines;          Every detail works.
Excerpt from Prof. Touretzky's decss-haiku.txt @ http://www.cs.cmu.edu/~dst/
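The host-key discipline argued for in the message above (heed the changed-key warning, and get the host's fingerprint out of band instead of trusting first contact) as an added Python example; this is not code from the thread or from OpenSSH. The known_hosts text, hostnames and key blobs are constructed for the example, and only plain (unhashed, unmarked) known_hosts entries are handled.

```python
import base64
import hashlib

# Constructed sample data (not real keys): two fake key blobs and a known_hosts file.
KEY_A = base64.b64encode(b"constructed-example-host-key-blob-A").decode()
KEY_B = base64.b64encode(b"constructed-example-host-key-blob-B").decode()

KNOWN_HOSTS = f"""# constructed known_hosts for the example
bastion.example,192.0.2.10 ssh-ed25519 {KEY_A}
"""


def fingerprint_sha256(key_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(raw key blob)), '=' padding stripped."""
    raw = base64.b64decode(key_b64)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map each plain hostname/address to (key_type, key_b64).

    Marker lines (@cert-authority, @revoked) and hashed hostnames (|1|...)
    are skipped; this example only handles plain entries.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#@" or line.startswith("|1|"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        hosts, key_type, key_b64 = parts[0], parts[1], parts[2]
        for host in hosts.split(","):
            entries[host] = (key_type, key_b64)
    return entries


def check_host_key(known_hosts_text, host, presented_type, presented_key_b64,
                   oob_fingerprint=None):
    """Classify a host key presented during connection setup.

    Returns one of:
      "oob-mismatch"  presented key disagrees with the fingerprint obtained out of band
      "changed"       a key is stored for this host and the presented one differs
                      (the red-light warning that must not be clicked through)
      "verified"      matches the stored key, or matches the out-of-band
                      fingerprint on first contact
      "unknown"       first contact with no out-of-band fingerprint: nothing to
                      verify against, so trusting it is a guess
    """
    presented_fp = fingerprint_sha256(presented_key_b64)
    if oob_fingerprint is not None and presented_fp != oob_fingerprint:
        return "oob-mismatch"
    stored = parse_known_hosts(known_hosts_text).get(host)
    if stored is not None:
        return "verified" if stored == (presented_type, presented_key_b64) else "changed"
    return "verified" if oob_fingerprint is not None else "unknown"


if __name__ == "__main__":
    cases = [
        ("bastion.example", KEY_A, None),                       # known host, same key
        ("bastion.example", KEY_B, None),                       # known host, key changed
        ("new.example", KEY_B, None),                           # first contact, nothing to check
        ("new.example", KEY_B, fingerprint_sha256(KEY_B)),      # first contact, fingerprint delivered out of band
    ]
    for host, key, oob in cases:
        verdict = check_host_key(KNOWN_HOSTS, host, "ssh-ed25519", key, oob)
        print(f"{host:16} {fingerprint_sha256(key)} -> {verdict}")
```

The point of the four outcomes is that a "changed" verdict is the only signal a client gets when an intermediary substitutes its own key, and that "unknown" on first contact is exactly the gap an out-of-band fingerprint closes.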
