From owner-freebsd-questions Sun Oct 14 0:45:49 2001
Date: Sun, 14 Oct 2001 00:45:29 -0700
From: "Crist J. Clark"
To: Marco Radzinschi
Cc: FreeBDS-Questions
Subject: Re: How safe is SSH?
Message-ID: <20011014004529.C321@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
In-Reply-To: <20011014031023.J44696-100000@mail.radzinschi.com>; from marco@radzinschi.com on Sun, Oct 14, 2001 at 03:14:31AM -0400

On Sun, Oct 14, 2001 at 03:14:31AM -0400, Marco Radzinschi wrote:
> Hello:
>
> I have my firewall blocking port 23 (telnet), but allowing port 22
> (SSH) to go through. Now, this causes _SOME_ inconvenience when connecting
> from crappy windows machines without an SSH client on them.
>
> My question, then, is how strong is SSH?
> Is it worth the extra trouble to not allow telnet?
>
> I know I will get the typical "NEVER use telnet," so I would like some
> figures as to how unbreakable SSH is.

telnet(8) typically goes unencrypted over the wire and there is no
authentication of the remote host.
Anyone who can sniff the connection sees everything (the thing of
highest value will be passwords).

It is not really practical for anyone sniffing an SSH session to be
able to decrypt any data they gather passively. Passive sniffing is
much more difficult than a variety of other attacks, so you are pretty
safe from it. But you are left defending from other attacks. The most
straightforward being a man-in-the-middle attack. The attacker cannot
be passive, but must actually be able to read and modify the data
stream. SSH has remote host authentication which can prevent this
attack, but it requires vigilance by the user which always makes for
trouble. A man-in-the-middle attack is much harder to mount than a
passive attack and can be defeated by properly using SSH. telnetd(8)
has no mechanism to prevent a MITM attack, but why bother when you can
just do passive.

Finally, both sshd(8) and telnetd(8) share the possibility that there
may be bugs that allow an attacker to bypass all of the authentication
mechanisms. The bug in BSD-derived telnetd(8)s from this July is an
example. sshd(8) is a product of the OpenBSD project who have a
reputation for producing well audited code (how deserved this is is up
for debate), but then again, you might expect that telnetd(8) has been
around so long that most bugs would have been shaken out by now too.
There is no real advantage either way in this respect. Neither has
known bugs at this point, but either could have vulnerabilities.

Letting anything through has some risk. Letting SSH through is much
less of a risk than telnet.
--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
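
The remote host authentication mentioned in the message comes down to comparing the key a server presents with the one recorded on an earlier connection. A sketch of that comparison follows as an added example; it is not part of the original message and not OpenSSH's own code. The host name, address and key blobs are constructed, and hashed, wildcard and marker entries in known_hosts are assumed out of scope.

```python
import base64
import hashlib


def make_blob(seed: bytes) -> str:
    """Constructed stand-in for an ssh-ed25519 public key blob (not a real key)."""
    raw = (b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20"
           + hashlib.sha256(seed).digest())
    return base64.b64encode(raw).decode()


# Constructed sample in known_hosts layout: "hosts keytype base64-key".
KNOWN_HOSTS = (
    "# constructed sample entry\n"
    f"gateway.example.org,192.0.2.10 ssh-ed25519 {make_blob(b'pinned')}\n"
)


def fingerprint(b64_blob: str) -> str:
    """SHA256 fingerprint in the 'SHA256:<unpadded base64>' form ssh-keygen -l prints."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host_key(known_hosts: str, host: str, keytype: str, b64_blob: str) -> str:
    """Return 'match', 'changed' (pinned key differs: possible MITM) or 'unknown'."""
    presented = base64.b64decode(b64_blob)
    pinned_differs = False
    for line in known_hosts.splitlines():
        line = line.strip()
        # Skip blanks, comments, @markers and hashed (|1|...) host entries.
        if not line or line[0] in "#@|":
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        hosts, ktype, blob = fields[:3]
        if host not in hosts.split(",") or ktype != keytype:
            continue
        if base64.b64decode(blob) == presented:
            return "match"
        pinned_differs = True
    # 'unknown' is the first-contact case: nothing to compare against, so the
    # fingerprint has to be confirmed out of band before the key is trusted.
    return "changed" if pinned_differs else "unknown"


if __name__ == "__main__":
    for seed in (b"pinned", b"other-key"):
        blob = make_blob(seed)
        print(fingerprint(blob),
              check_host_key(KNOWN_HOSTS, "gateway.example.org", "ssh-ed25519", blob))
```
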