From owner-freebsd-questions@FreeBSD.ORG Sat May 10 04:30:35 2003
Message-ID: <3EBCF0AB.4080504@ameritech.net>
Date: Sat, 10 May 2003 07:29:31 -0500
From: northern snowfall
To: questions@freebsd.org
Subject: [Fwd: Re: Why is port 22 open by default?]
List-Id: User questions

>Sounds like SSH is secure enough for me. Or is a 19 character password too
>short? :-)
>

SSH is not secure. Forget paranoia, think about design and implementation. You're better off using IPsec and {OTP, Kerberos logins, S/Key, ... } for secure login infrastructure in a UNIX environment. SSH code, especially OpenSSH, has been proven exploitable too much for most serious security analysts to keep using it for security-intense networks. By exploitable, I don't just mean injection and execution of malicious code, but, weaknesses in the base crypto.
At least IPsec obfuscates the underlying authentication protocol and isn't targetable as a program.

Don (north_)
http://deadchildren.org/