From: Borja Marcos
Organization: Sarenet S.A.
To: solarflux@ziplip.com
Cc: security@freebsd.org
Subject: Re: Telnet Exploit
Date: Tue, 7 May 2002 09:23:44 +0200
Message-Id: <200205070723.g477NjR3025099@borja.sarenet.es>

On Tuesday 07 May 2002 01:22, you wrote:
> Are you for real? Have you ever sniffed a connection between two machines

	Sure!

> using ssldump? When looking at a telnet or ftp connection, it shows
> everything, clear as day.

	It is obvious that ssh has many benefits. It encrypts the connection, and
you can use public keys to authenticate both parties. I am not silly.

> As long as OpenSSH exploits are fixed in a timely fashion, I consider sshd
> to be MUCH more secure than telnetd. The zlib bug argument is pretty weak.

	I don't think it is weak. Software complexity is a serious danger. I would
prefer a simpler ssh service without frills, subject to a design process with
a strong focus on security. Do you think all the software used by OpenSSH (or
other ssh implementations) has been thoroughly audited?

	Hey, I have been using ssh for years, and I always authenticate with public keys. It is
really useful, but I am worried about the current trends in software
complexity and reuse. It can lead to security problems.

	Borja.

--
__________________________________________________________________
Borja Marcos                      * borjam@sarenet.es
Security manager                  * Tel: +34 944209470
SARENET S.A. -                    * Fax: +34 944209465
Parque Tecnologico, 103           * PGP KeyID: 0x50B24B8C
48170 - Zamudio (Bizkaia) SPAIN   *
__________________________________________________________________