From owner-freebsd-questions  Sun Oct 14 16:16:21 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.tgd.net (rand.tgd.net [64.81.67.117])
	by hub.freebsd.org (Postfix) with SMTP id C636B37B409
	for <freebsd-questions@freebsd.org>; Sun, 14 Oct 2001 16:16:17 -0700 (PDT)
Received: (qmail 17944 invoked by uid 1001); 14 Oct 2001 23:16:13 -0000
Date: Sun, 14 Oct 2001 16:16:13 -0700
From: Sean Chittenden <sean@chittenden.org>
To: Edwin Groothuis <edwin@mavetju.org>
Cc: Marco Radzinschi <marco@radzinschi.com>,
	FreeBDS-Questions <freebsd-questions@freebsd.org>
Subject: Re: How safe is SSH?
Message-ID: <20011014161613.A17887@rand.tgd.net>
References: <20011014031023.J44696-100000@mail.radzinschi.com> <20011015075626.P2865@k7.mavetju.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20011015075626.P2865@k7.mavetju.org>; from "edwin@mavetju.org" on Mon, Oct 15, 2001 at = 07:56:26AM
X-PGP-Key: 0x1EDDFAAD
X-PGP-Fingerprint: C665 A17F 9A56 286C 5CFB 1DEA 9F4F 5CEF 1EDD FAAD
X-Web-Homepage: http://sean.chittenden.org/
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

> > 	I have my firewall blocking port 23 (telnet), but allowing port 22
> > (SSH) to go through.  Now, this causes _SOME_ inconveniene when connecting
> > from crappy windows machines without a SSH client on them.
> > 
> > My question, then, is how strong is SSH?
> > Is it worth the extra trouble to not allow telnet?
> 
> It supports/gives you:
> - an encrypted TCP session
> - authentication of the remote host
> - authentication of the user based on public/private key
> - support for remote shell, remote copy and remote command
> 
> So yes, the additional features are worth the trouble of installing
> SSH in favour of telnet/rsh/rexec/rcmd. But it requires some
> education (and change) of the users.

You can also toss on kerberos and get encrypted telnet, rsh, rcmd,
rexec, rcp commands... it takes more setup, but I've found them to be
quite nice.  Something to think about/consider.

-sc

-- 
Sean Chittenden

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message