Date: Sun, 14 Oct 2001 00:45:29 -0700
From: "Crist J. Clark" <cristjc@earthlink.net>
To: Marco Radzinschi <marco@radzinschi.com>
Cc: FreeBDS-Questions <freebsd-questions@FreeBSD.ORG>
Subject: Re: How safe is SSH?
Message-ID: <20011014004529.C321@blossom.cjclark.org>
In-Reply-To: <20011014031023.J44696-100000@mail.radzinschi.com>; from marco@radzinschi.com on Sun, Oct 14, 2001 at 03:14:31AM -0400
References: <20011014031023.J44696-100000@mail.radzinschi.com>
On Sun, Oct 14, 2001 at 03:14:31AM -0400, Marco Radzinschi wrote:
> Hello:
>
> I have my firewall blocking port 23 (telnet), but allowing port 22
> (SSH) to go through. Now, this causes _SOME_ inconvenience when connecting
> from crappy windows machines without a SSH client on them.
>
> My question, then, is how strong is SSH?
> Is it worth the extra trouble to not allow telnet?
>
> I know I will get the typical "NEVER use telnet," so I would like some
> figures as to how unbreakable SSH is.

telnet(8) typically goes unencrypted over the wire and there is no
authentication of the remote host. Anyone who can sniff the connection
sees everything (the thing of highest value will be passwords).

It is not really practical for anyone sniffing an SSH session to be able
to decrypt any data they gather passively. Passive sniffing is much more
difficult than a variety of other attacks, so you are pretty safe from
it. But you are left defending from other attacks. The most
straightforward being a man-in-the-middle attack. The attacker cannot be
passive, but must actually be able to read and modify the data stream.
SSH has remote host authentication which can prevent this attack, but it
requires vigilance by the user which always makes for trouble. A
man-in-the-middle attack is much harder to mount than a passive attack
and can be defeated by properly using SSH. telnetd(8) has no mechanism
to prevent a MITM attack, but why bother when you can just do passive.

Finally, both sshd(8) and telnetd(8) share the possibility that there
may be bugs that allow an attacker to bypass all of the authentication
mechanisms. The bug in BSD-derived telnetd(8)s from this July is an
example. sshd(8) is a product of the OpenBSD project who have a
reputation for producing well audited code (how deserved this is is up
for debate), but then again, you might expect that telnetd(8) has been
around so long that most bugs would have been shaken out by now too.
There is no real advantage either way in this respect. Neither has known
bugs at this point, but either could have vulnerabilities.

Letting anything through has some risk. Letting SSH through is much less
of a risk than telnet.
--
Crist J. Clark                     |     cjclark@alum.mit.edu
http://people.freebsd.org/~cjc/    |     cjclark@jhu.edu
                                   |     cjc@freebsd.org
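The "vigilance by the user" that the reply above says SSH's host authentication depends on comes down to one check: the key the server presents must agree with the key recorded for that host in known_hosts. The following is an added, offline example (not code from the message or from OpenSSH) that reproduces that comparison and classifies the three outcomes a client can reach: a match, a changed key for a known host (the man-in-the-middle case), and an unknown host, where the fingerprint has to be verified out of band. The host names, IP address and 32-byte key values are constructed for the demo, and the ed25519 blobs are valid only as an encoding, not as usable keys.

```python
"""Offline demo of the SSH host-key check that defeats a man-in-the-middle:
compare the key the server presents with the key recorded in known_hosts.
Added example with constructed data; no real servers or keys are involved."""
import base64
import hashlib
import hmac


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + bytes)."""
    return len(data).to_bytes(4, "big") + data


def make_ed25519_blob(pubkey: bytes) -> bytes:
    """Build the public-key blob OpenSSH stores for ssh-ed25519 entries.
    Only the encoding matters here; any 32 bytes stand in for a curve point."""
    assert len(pubkey) == 32
    return ssh_string(b"ssh-ed25519") + ssh_string(pubkey)


def blob_type(blob: bytes) -> str:
    """Read the key-type name from the front of a public-key blob."""
    n = int.from_bytes(blob[:4], "big")
    return blob[4:4 + n].decode()


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the blob, base64 without padding.
    This is the string a user compares out of band on first contact."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_host_field(hostname: str, salt: bytes) -> str:
    """Produce a HashKnownHosts-style host field: |1|<salt>|<hmac-sha1>."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def host_field_matches(field: str, hostname: str) -> bool:
    """Match a known_hosts host field (plain list or hashed) against hostname."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|", 3)
        salt = base64.b64decode(salt_b64)
        mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return hostname in field.split(",")


def check_host_key(known_hosts: str, hostname: str, presented: bytes) -> str:
    """Classify the presented key against known_hosts. Returns:
      "match"   - agrees with the recorded key; proceed
      "changed" - host is known but the key differs; treat as MITM until
                  explained (OpenSSH prints REMOTE HOST IDENTIFICATION HAS CHANGED)
      "unknown" - no entry for this host; verify the fingerprint out of band
    """
    seen_host = False
    for line in known_hosts.splitlines():
        parts = line.strip().split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        field, keytype, key_b64 = parts[0], parts[1], parts[2]
        if keytype != blob_type(presented) or not host_field_matches(field, hostname):
            continue
        seen_host = True
        if hmac.compare_digest(base64.b64decode(key_b64), presented):
            return "match"
    return "changed" if seen_host else "unknown"


# Constructed sample data (not real hosts or keys).
SERVER_KEY = make_ed25519_blob(bytes(range(32)))
ATTACKER_KEY = make_ed25519_blob(bytes(range(32, 64)))
SALT = b"\x01" * 20
SERVER_KEY_B64 = base64.b64encode(SERVER_KEY).decode()
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the demo",
    "gw.example.test,192.0.2.10 ssh-ed25519 " + SERVER_KEY_B64,
    hashed_host_field("hidden.example.test", SALT) + " ssh-ed25519 " + SERVER_KEY_B64,
])


def demo() -> dict:
    """Run the three scenarios the reply describes, plus a hashed entry."""
    return {
        "legit": check_host_key(SAMPLE_KNOWN_HOSTS, "gw.example.test", SERVER_KEY),
        "mitm": check_host_key(SAMPLE_KNOWN_HOSTS, "gw.example.test", ATTACKER_KEY),
        "first_contact": check_host_key(SAMPLE_KNOWN_HOSTS, "new.example.test", SERVER_KEY),
        "hashed": check_host_key(SAMPLE_KNOWN_HOSTS, "hidden.example.test", SERVER_KEY),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, "->", verdict)
    print("fingerprint to confirm out of band:", fingerprint(SERVER_KEY))
```

The "unknown" verdict is where the vigilance comes in: a client that accepts any first-seen key without checking the fingerprint against something obtained out of band (the admin, a console login, a published list) gives a man-in-the-middle exactly one free opportunity, and a client configured to ignore the "changed" verdict gives it every subsequent one as well.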