Date:      Sun, 14 Oct 2001 00:45:29 -0700
From:      "Crist J. Clark" <cristjc@earthlink.net>
To:        Marco Radzinschi <marco@radzinschi.com>
Cc:        FreeBDS-Questions <freebsd-questions@FreeBSD.ORG>
Subject:   Re: How safe is SSH?
Message-ID:  <20011014004529.C321@blossom.cjclark.org>
In-Reply-To: <20011014031023.J44696-100000@mail.radzinschi.com>; from marco@radzinschi.com on Sun, Oct 14, 2001 at 03:14:31AM -0400
References:  <20011014031023.J44696-100000@mail.radzinschi.com>

On Sun, Oct 14, 2001 at 03:14:31AM -0400, Marco Radzinschi wrote:
> Hello:
> 
> 	I have my firewall blocking port 23 (telnet), but allowing port 22
> (SSH) to go through.  Now, this causes _SOME_ inconvenience when connecting
> from crappy windows machines without an SSH client on them.
> 
> My question, then, is how strong is SSH?
> Is it worth the extra trouble to not allow telnet?
> 
> I know I will get the typical "NEVER use telnet," so I would like some
> figures as to how unbreakable SSH is.

telnet(8) typically goes unencrypted over the wire and there is no
authentication of the remote host. Anyone who can sniff the connection
sees everything (the thing of highest value will be passwords). It is
not really practical for anyone sniffing an SSH session to be able to
decrypt any data they gather passively. Passive sniffing is much more
difficult than a variety of other attacks, so you are pretty safe from
it.

But you are left defending from other attacks. The most
straightforward being a man-in-the-middle attack. The attacker cannot
be passive, but must actually be able to read and modify the data
stream. SSH has remote host authentication which can prevent this
attack, but it requires vigilance by the user which always makes for
trouble. A man-in-the-middle attack is much harder to mount than a
passive attack and can be defeated by properly using SSH. telnetd(8)
has no mechanism to prevent a MITM attack, but why bother when you can
just do passive.

Finally, both sshd(8) and telnetd(8) share the possibility that there
may be bugs that allow an attacker to bypass all of the
authentication mechanisms. The bug in BSD-derived telnetd(8)s from
this July is an example. sshd(8) is a product of the OpenBSD project
who have a reputation for producing well audited code (how deserved
this is is up for debate), but then again, you might expect that
telnetd(8) has been around so long that most bugs would have been
shaken out by now too. There is no real advantage either way in this
respect. Neither has known bugs at this point, but either could have
vulnerabilities.

Letting anything through has some risk. Letting SSH through is much
less of a risk than telnet.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
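The remote host authentication the reply relies on, as an added example that is not part of this thread or of OpenSSH: the presented host key is compared against a pinned known_hosts entry, so a key swap by someone in the path is reported as a change instead of depending on the user noticing. The host name, key bytes and file contents are constructed sample data, and only plain (unhashed, single-name) known_hosts lines are handled.

```python
import base64
import hashlib


def _blob(keybytes: bytes) -> str:
    """Build a base64 SSH wire-format ed25519 public key blob from raw key
    bytes (constructed sample data, not a real key)."""
    raw = b"\x00\x00\x00\x0bssh-ed25519" + len(keybytes).to_bytes(4, "big") + keybytes
    return base64.b64encode(raw).decode()


# Pinned entry, as recorded in ~/.ssh/known_hosts after the fingerprint was
# verified out of band (the host name is a constructed example).
PINNED_KNOWN_HOSTS = ["gateway.example.org ssh-ed25519 " + _blob(bytes(range(32)))]

# Host key presented on a later connection, in the format ssh-keyscan(1)
# prints. The second sample simulates a key substituted by someone in the path.
PRESENTED_SAME = "gateway.example.org ssh-ed25519 " + _blob(bytes(range(32)))
PRESENTED_CHANGED = "gateway.example.org ssh-ed25519 " + _blob(bytes(range(1, 33)))


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_line(line: str):
    """Split a known_hosts or ssh-keyscan line into (host, keytype, blob)."""
    host, keytype, blob = line.split()[:3]
    return host, keytype, blob


def check_host_key(presented: str, known_hosts: list) -> str:
    """Compare a presented host key with the pinned entries for that host.

    Returns "ok" when a pinned key matches, "unknown" when nothing is pinned
    (verify the fingerprint out of band before trusting it), or "changed"
    when a pinned key exists but differs, which should be treated as a
    possible man-in-the-middle rather than silently accepted."""
    host, keytype, blob = parse_line(presented)
    pinned = [parse_line(entry) for entry in known_hosts]
    pinned = [p for p in pinned if p[0] == host and p[1] == keytype]
    if not pinned:
        return "unknown"
    if any(fingerprint(p[2]) == fingerprint(blob) for p in pinned):
        return "ok"
    return "changed"
```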
