From owner-freebsd-security Sat Mar 30 3: 1:56 2002 Delivered-To: freebsd-security@freebsd.org Received: from portal.eltex.ru (eltex-gw2.nw.ru [195.19.203.86]) by hub.freebsd.org (Postfix) with ESMTP id 8FDE737B404; Sat, 30 Mar 2002 03:01:47 -0800 (PST) Received: (from root@localhost) by portal.eltex.ru (8.11.6/8.11.3) id g2UB1Kp41306; Sat, 30 Mar 2002 14:01:20 +0300 (MSK) (envelope-from ark@eltex.ru) Received: from yaksha.eltex.ru (root@yaksha.eltex.ru [195.19.198.2]) by portal.eltex.ru (8.11.6/8.11.3av) with SMTP id g2UB1Cl41298; Sat, 30 Mar 2002 14:01:12 +0300 (MSK) (envelope-from ark@eltex.ru) From: ark@eltex.ru Received: by yaksha.eltex.ru (ssmtp TIS-1.1alpha, 17 Jan 2002); Sat, 30 Mar 2002 13:45:25 +0300 Received: from undisclosed-intranet-sender id smtpdhj9882; Sat Mar 30 13:45:21 2002 Message-Id: <200203301121.OAA08311@paranoid.eltex.ru> Subject: Re: SSH or Telnet? To: will@laserfence.net (Willie Viljoen) Date: Sat, 30 Mar 2002 14:21:45 +0300 (MSK) Cc: peter.lai@uconn.edu, ark@eltex.ru, cjc@FreeBSD.ORG, adamtuttle@sympatico.ca, security@FreeBSD.ORG Reply-To: ark@eltex.ru In-Reply-To: <20020330111532.B508-100000@phoenix.vh.laserfence.net> from "Willie Viljoen" at Mar 30, 2002 11:20:48 AM X-Mailer: ELM [version 2.5 PL3] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Virus-Scanned: by Eltex TC Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org nuqneH, I always do check what system i am on when in doubt ;) I can't drink so much to forget that ;) BTW kerberized telnet does encrypt session too. YOU (Willie Viljoen) WROTE: > > The problem is with more than just the cleartext password when you log > in... it's cleartext everything. > > Consider this, you log in to your home PC, and get a prompt like this: > > % > > Now you telnet to a remote machine, log in with your clear text password, > nobody sees anything, and it's not a very important machine anyway, just > your office box which you want to instruct to download a file with its > enormous bandwidth... no harm here. > > Now, you finished downloading, you get another prompt: > > % > > A few hours later you come home drunk from one wild party because you had > to attend to some serious tech matter on some very important corporate > webserver hosted in whoknowswhereville. > > You see your local box prompt: > > % > > You do this: > > % ssh some.very.important.corporate.server.in.whoknowswhereville.com > > You enter your password to authenticate, you're in and fix the problem, go > to sleep, everything's fine. > > The next morning, that very important server in whoknowswhereville is > hacked and not responding to SSH sessions, why? > > Consider this... when you got back from the party, the % prompt you saw > was not of your local box, it was the prompt on the remote machine you > telnetted to. > > When you entered your password for the very important server, it went in > clear text to your remote box, and only encrypted with a session key from > there. Some malicious brat who was playing with dad's computer at the > office, supposedly not downloading porn, saw your password for the very > important server and after you'd fixed the problem and logged off, he > logged on. > > If that doesn't tell you that cleartext might be a bad thing, your cube is > probably under a rock, away from the imperfect world we live in today. > > Will > > On Sat, 30 Mar 2002, Peter C. Lai wrote: > > > Wouldn't Kerberized Telnet or SRA authentication fix the > > plaintext passwords problem? > > > > Of course, you'd have to make sure you don't telnet or su > > from that session :) > > > > On Fri, Mar 29, 2002 at 02:45:59PM +0300, ark@eltex.ru wrote: > > > -----BEGIN PGP SIGNED MESSAGE----- > > > > > > What's wrong with telnet? I use it frequently and i am pretty satisified with > > > it. > > > > > > (I don't need to encrypt sessions, there is no sensitive information inside. > > > Don't tell me about cleartext passwords, there are no cleartext passwords. > > > And if you really need encryption you may run telnet over ipsec) > > > > > > "Crist J. Clark" said : > > > > > > > On Thu, Mar 28, 2002 at 04:33:23PM -0500, Adam wrote: > > > > > I would highly suggest that you use telnet. As long as you keep it updated > > > > > and patched you shouldnt have any problems with it.. > > > > > > > > Dude, pass whatever the hell you are smoking down here. > > > > > > > > > _ _ _ _ _ _ _ > > > {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ > > > (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| > > > [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one! > > > > > > -----BEGIN PGP SIGNATURE----- > > > Version: PGP 6.5.1i > > > > > > iQCVAwUBPKRT9qH/mIJW9LeBAQHW2QP/f5kQb2ikGqjdT/O321NJ56fWyW4IkMCe > > > RU9dl1FU4lLhAKE5f625ZvRQVzCLwW1EwHXps13dGQHrWVsBGKziLNGFszcn1jHA > > > K+xIKIxFA8hm4oWmw4ww2HLPU7hwHuGA7h/F+gh6nbnJuogRXVb+t8c3QdsSvDiA > > > VoFXEmA3194= > > > =urmJ > > > -----END PGP SIGNATURE----- > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > -- > Willie Viljoen > Private IT Consultant > > 214 Paul Kruger Avenue > Universitas > Bloemfontein > 9321 > > South Africa > > +27 51 522 15 60, a/h +27 51 522 44 36 > +27 82 404 03 27 > > will@laserfence.net > -- _ _ _ _ _ _ _ {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message