From owner-freebsd-questions Sun Oct 14 14:56:43 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from topaz.mdcc.cx (topaz.mdcc.cx [212.204.230.141]) by hub.freebsd.org (Postfix) with ESMTP id A740637B409 for ; Sun, 14 Oct 2001 14:56:40 -0700 (PDT)
Received: from k7.mavetju.org (topaz.mdcc.cx [212.204.230.141]) by topaz.mdcc.cx (Postfix) with ESMTP id A7B992B6A1; Sun, 14 Oct 2001 23:56:32 +0200 (CEST)
Received: by k7.mavetju.org (Postfix, from userid 1001) id 2AD03182; Mon, 15 Oct 2001 07:56:26 +1000 (EST)
Date: Mon, 15 Oct 2001 07:56:26 +1000
From: Edwin Groothuis
To: Marco Radzinschi
Cc: FreeBDS-Questions
Subject: Re: How safe is SSH?
Message-ID: <20011015075626.P2865@k7.mavetju.org>
References: <20011014031023.J44696-100000@mail.radzinschi.com>
In-Reply-To: <20011014031023.J44696-100000@mail.radzinschi.com>; from marco@radzinschi.com on Sun, Oct 14, 2001 at 03:14:31AM -0400
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sun, Oct 14, 2001 at 03:14:31AM -0400, Marco Radzinschi wrote:
> I have my firewall blocking port 23 (telnet), but allowing port 22
> (SSH) to go through. Now, this causes _SOME_ inconvenience when connecting
> from crappy windows machines without a SSH client on them.
>
> My question, then, is how strong is SSH?
> Is it worth the extra trouble to not allow telnet?

It supports/gives you:
- an encrypted TCP session
- authentication of the remote host
- authentication of the user based on public/private key
- support for remote shell, remote copy and remote command

So yes, the additional features are worth the trouble of installing
SSH in favour of telnet/rsh/rexec/rcmd.

But it requires some education (and change) of the users. A couple of
months ago somebody said "SSH is insecure" and showed it with a
man-in-the-middle attack. At that moment, he 'assumed' that if people
get the message "the identification of the remote host has changed,
the new identification is ..." they automatically say "is good, I
accept the new identification". This is not a problem with the SSH
protocol, this is a problem with the user who blindly clicks on yes in
any dialog box he gets.

Edwin

--
Edwin Groothuis   | Personal website: http://www.MavEtJu.org
edwin@mavetju.org | Interested in MUDs? Visit Fatal Dimensions:
------------------+ http://www.FatalDimensions.org/
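The warning Edwin describes is the client's known_hosts check deciding that a host it has seen before is now presenting a different key. The script below is an added example, not code from the mail or from OpenSSH, that reproduces that decision on a constructed known_hosts file: it returns OK when the presented key matches the pinned one, UNKNOWN for a host with no entry, REVOKED for a key listed with the @revoked marker, and CHANGED for the man-in-the-middle case where the host is known but the key differs. The hostnames and key blobs are made up (the blobs are arbitrary bytes, not real keys); the on-disk conventions it follows (the `|1|salt|hmac` hashed-hostname form, marker lines, and the `SHA256:` fingerprint as base64 without padding) are OpenSSH's real ones.

```python
"""Host-key check in the spirit of OpenSSH's known_hosts handling (added example)."""
import base64
import hashlib
import hmac


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint as ssh-keygen -l prints it: base64 without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_host_field(hostname: str, salt: bytes) -> str:
    """Build the '|1|salt|hmac' host field written when HashKnownHosts is on."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_field_matches(field: str, hostname: str) -> bool:
    """True if the first column of a known_hosts line covers hostname."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(mac_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, actual)
    return hostname in field.split(",")


def check_host_key(known_hosts: str, hostname: str, key_type: str, key_b64: str) -> str:
    """Return OK, UNKNOWN, CHANGED or REVOKED for the key a server presented."""
    seen_other_key = False
    for line in known_hosts.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        marker = None
        if parts[0].startswith("@"):
            marker, parts = parts[0], parts[1:]
        if len(parts) < 3 or not host_field_matches(parts[0], hostname):
            continue
        ktype, kdata = parts[1], parts[2]
        if marker == "@cert-authority":
            continue  # CA lines need certificate signature checks, out of scope here
        if ktype != key_type:
            continue  # a key of another type is not evidence that this one changed
        if hmac.compare_digest(kdata, key_b64):
            return "REVOKED" if marker == "@revoked" else "OK"
        if marker is None:
            seen_other_key = True  # same host, same key type, different key
    return "CHANGED" if seen_other_key else "UNKNOWN"


# Constructed sample data: the key blobs are arbitrary bytes, not real keys.
GOOD_KEY = base64.b64encode(b"constructed-ed25519-key-bytes-1").decode()
NEW_KEY = base64.b64encode(b"constructed-ed25519-key-bytes-2").decode()
SALT = bytes(range(20))  # fixed salt so the hashed entry is reproducible
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    "gw.example.net,10.0.0.1 ssh-ed25519 " + GOOD_KEY,
    hashed_host_field("hashed.example.net", SALT) + " ssh-ed25519 " + GOOD_KEY,
    "@revoked old.example.net ssh-ed25519 " + NEW_KEY,
])


def demo() -> dict:
    """Run the cases a client can meet; 'changed' is the warning from the mail."""
    return {
        "pinned": check_host_key(KNOWN_HOSTS, "gw.example.net", "ssh-ed25519", GOOD_KEY),
        "hashed": check_host_key(KNOWN_HOSTS, "hashed.example.net", "ssh-ed25519", GOOD_KEY),
        "changed": check_host_key(KNOWN_HOSTS, "gw.example.net", "ssh-ed25519", NEW_KEY),
        "unknown": check_host_key(KNOWN_HOSTS, "other.example.net", "ssh-ed25519", GOOD_KEY),
        "revoked": check_host_key(KNOWN_HOSTS, "old.example.net", "ssh-ed25519", NEW_KEY),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print("%-8s %s" % (case, verdict))
    print("pinned key fingerprint:", fingerprint(GOOD_KEY))
```

The CHANGED verdict is exactly the point where the user in the story clicked "yes": the only sound response is to compare the new fingerprint with one obtained out of band (from the administrator or a fingerprint published through a trusted channel) and to refuse the connection until it checks out. Setting StrictHostKeyChecking to yes in the client configuration turns that choice into a hard failure, which is the right default for scripted or unattended connections.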