3/9 Given all the network sniffing that goes on, how about turning off
telnet and rlogin on soda and force everybody to use ssh? I think
the cost of dealing with ssh problems outweighs the consequences of
a break-in. What do you guys think?
\_ no ssh installed on UCB dialup CLI connections
\_ I honestly have to wonder how many people still use CLI
from the annexen. --sowings
\_ All the lazy people who don't want to bother to setup ppp.
\_ Discriminates against our non-US-citizen members who we legally
aren't allowed to let use ssh/sshd. (Stupid US government fucknuts)
\_ sshh...you don't want to make fun of the US govt. They might
be watching the motd and confiscate soda.
\_ You're wrong; the most popular implementations of SSH for all
major platforms (Windows/Mac/Unix) are developed and sold
outside of the US. The US is starting to lag, not lead, in
crypto software, because of crypto export laws.
\_ So. That has nothing to do with the CSUA violating the
law every time it allows a non-citizen to use encryption
software - even if they downloaded ssh on their own, it's
useless without the sshd software running on soda.
\_ I know of a supercomputer center run by the government and
foreign users connecting to that system MUST use ssh.
If it's OK for them, it's probably OK for soda. --peterM
\_ There is no free SSH client for Windoze, to my knowledge
-muchandr
\_ http://www.zip.com.au/~roca/ttssh.html --dim
\_ F-Secure SSH seems to be free as well.
\_ only for 30 day trial
\_ Then you should look at http://www.net.lut.ac.uk/psst
and learn much...
\_ http://www.ocf.berkeley.edu/~tee/ssh
\_ who cares?
\-I think this is an insane idea. I don't want to type
my ssh key into an sshd on a machine run by people I don't
know and I don't trust ... and I would rather not set up a
"low security" ssh key in addition to my regular one.
Given all the network sniffing that goes on, use rhosts
and don't trust soda on machines you care about.
What are you going to do about the XDM machines?
I disagree with your cost-benefit analysis. The cost of a
compromised passwd isn't that high. The cost of a compromised
ssh key is high. For one thing, the hacker can hide from IDS
systems. I won't go on any more. It was reasonable to float
this balloon, but crazy to jump on it. --partha "i watch the
net" banerjee
\_ you never ever type your ssh-passphrase to
a remote process. the remote sshd, when you use
RSAAuthentication, provides you a challenge to which you
respond. That response is the equivalent of doing an
RSA encrypt with your private key which the remote
sshd tries to decrypt with the public key you deposited
on the remote host earlier. If what the remote sshd
obtained by decrypting your response with your public
key and the original challenge coincide, then you
are authenticated. Of course, if you do not trust
RSA, and think someone may use your public key to obtain
your private key and the passphrase you use to further
protect it against local machine attacks, that's another
story. --jon
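The challenge-response jon describes, as an added illustration (this is not code from the thread and not ssh's own source): a Python model of SSH-1 style RSA authentication. The key pair is a toy built from two 16-bit primes, which is insecure and exists only to keep the arithmetic visible; the identity-file wrapping (a PBKDF2 keystream XORed over the private exponent) is a hypothetical stand-in for the cipher real ssh used on the identity file. The point it shows is that the passphrase and the private exponent are used only inside client_response on the client, while the server only ever sees a public key, an encrypted challenge and a hash bound to the session.

```python
import hashlib
import hmac
import os
import secrets

# Toy RSA key pair, constructed for illustration only (real ssh keys are
# 1024 bits and up; a 32-bit modulus is factored instantly).
P, Q = 65537, 65521
N = P * Q                          # public modulus
E = 17                             # public exponent, coprime to (P-1)(Q-1)
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent
KEY_BYTES = 4                      # N < 2**32

# What ~/.ssh/authorized_keys holds on the server: public halves only.
AUTHORIZED_KEYS = {(N, E)}


def _keystream(passphrase: str, salt: bytes, length: int) -> bytes:
    # Hypothetical stand-in for the cipher ssh used on the identity file.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 10_000, length)


def wrap_private_key(d: int, passphrase: str, salt: bytes = b"") -> dict:
    """Write the 'identity' file: the private exponent XORed with a
    passphrase-derived keystream.  This is the only place the passphrase
    is used, and it is used locally."""
    salt = salt or os.urandom(8)
    raw = d.to_bytes(KEY_BYTES, "big")
    stream = _keystream(passphrase, salt, KEY_BYTES)
    return {"salt": salt, "wrapped": bytes(a ^ b for a, b in zip(raw, stream))}


def unwrap_private_key(identity: dict, passphrase: str) -> int:
    """Read the identity file back.  A wrong passphrase yields a wrong d,
    which simply fails the authentication below; nothing is sent."""
    stream = _keystream(passphrase, identity["salt"], KEY_BYTES)
    raw = bytes(a ^ b for a, b in zip(identity["wrapped"], stream))
    return int.from_bytes(raw, "big")


def server_challenge(pubkey: tuple, session_id: bytes):
    """sshd side.  Unknown key: refuse.  Known key: pick a fresh random
    challenge, send it encrypted to the public key, and keep the expected
    answer MD5(challenge || session_id) for comparison (MD5 as in SSH-1)."""
    if pubkey not in AUTHORIZED_KEYS:
        return None
    n, e = pubkey
    challenge = secrets.randbelow(n - 2) + 2
    encrypted = pow(challenge, e, n)
    expected = hashlib.md5(challenge.to_bytes(KEY_BYTES, "big") + session_id).digest()
    return encrypted, expected


def client_response(identity: dict, passphrase: str, encrypted: int, session_id: bytes) -> bytes:
    """ssh side.  Unlock the key locally, decrypt the challenge with the
    private exponent and answer with the hash.  Neither the passphrase nor
    d appears in the reply, so a sniffer on the wire learns nothing reusable."""
    d = unwrap_private_key(identity, passphrase)
    challenge = pow(encrypted, d, N)
    return hashlib.md5(challenge.to_bytes(KEY_BYTES, "big") + session_id).digest()


def authenticate(pubkey: tuple, identity: dict, passphrase: str, session_id: bytes = b"") -> bool:
    """Run one exchange end to end; True only when the client holds the
    private key matching an authorized public key."""
    session_id = session_id or os.urandom(16)
    issued = server_challenge(pubkey, session_id)
    if issued is None:
        return False
    encrypted, expected = issued
    response = client_response(identity, passphrase, encrypted, session_id)
    return hmac.compare_digest(response, expected)


if __name__ == "__main__":
    identity = wrap_private_key(D, "correct horse battery")
    print("right passphrase:", authenticate((N, E), identity, "correct horse battery"))
    print("wrong passphrase:", authenticate((N, E), identity, "hunter2"))
```

Because the expected answer includes the per-connection session id, a response captured by a sniffer on one connection is useless on the next; the thing an attacker who controls the remote sshd does get is whatever you type after you are logged in, which is partha's separate complaint.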
\_ Oh great psb, please sniff my network in a sexual way.
-psb #1 fan
\_ Poser. The real -psb #1 Fan
\_ Uh, partha, you do realize that you don't need to use
RSA authentication to still get most of the benefits
of ssh.
\- yes but realistically you see more trojaned
clients and daemons than seq number or spoof attacks.
my point was this imposes a reasonable cost for people
who log in from a lot of different machines.
\_ It would be pretty obvious if you had logged into
a trojaned sshd server. In addition to the server
authenticating you the client also authenticates
the server and spews a nasty message if the
authentication fails.
\_ What do seq number or spoof attacks matter? The
attacks we see daily on campus are packet sniffers.
ssh eliminates the threat of packet sniffing
script kiddies, whether or not you use RSA
authentication. -tom
\_ I think he is saying that he believes one is
better off using rlogin and .rhosts as
attacks spoofing a connection from a
trusted host or attempting to hijack your
connection are rarer than trojan attacks.
--sky
\_ Do you passively sniff traffic or do you run the IDS
on a gateway and dynamically block packets? If you are
just passively watching the traffic, until TCP/IP
stacks are standardized, your IDS can be circumvented 7
ways to Sunday. It's so easy to inject packets that will put
the IDS and the target host's stack in inconsistent states.
How do you deal with something as simple as TTL? --sky "i
0wn j0r n3t w1th my 31337++ hAx0r sk1LLz" king
\-the TTL problem is in fact tricky and really
basically intractable. I think we are cleverer than you
think. I can't discuss exactly what we do, but if you have
some attack based on TTLs or fragmentation or whatever,
anything stealthy, as opposed to a flood/DoS, we would be
interested in talking to you to see if you can evade our
monitor. the commercial monitor cos are just interested in
profit maximizing ... so if it would take a huge effort
to fix something and lacking that one thing isn't hurting
their sales much, then they won't fix it. For example, a major
IDS which will remain nameless only keeps 3 minutes of "state",
which means if you just control-z a connection for 3 min, you
have probably evaded the monitor. anyway, if you are serious
drop us a note. I am not going to publicly comment on the
non-passive part of the monitoring. --psb
\_ Yeah. We have a whole library of scripts written
in a custom language for sending and receiving raw
net traffic that we use for OS fingerprinting,
firewall penetration testing, and IDS circumvention.
We have a collection of scripts whose purpose is to
exploit discrepancies in stack implementation so that
the IDS and the target system's state become disjoint,
allowing us to insert evil data w/o the IDS detecting it.
It would be interesting to see how BRO handles under
these conditions. --sky
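The TTL trick sky and psb are arguing about, as an added simulation (not code from the thread, and not Bro's or sky's tools): a passive monitor that reassembles everything it sees on the wire versus the target host's stack, which only gets packets whose TTL survives the extra hops. The topology (monitor three router hops from the attacker, target six), the signature and the sample request are all constructed; the TTL-aware filter at the end closes this one hole only when the monitor knows the hop distance to the protected host, which is the part psb calls intractable in general.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int     # offset of this byte run in the TCP stream
    ttl: int     # IP TTL as the attacker sent it
    data: bytes


# Constructed topology (hypothetical): the monitor taps a link three router
# hops from the attacker, the protected host sits six hops away.
MONITOR_HOPS = 3
TARGET_HOPS = 6

# Constructed sample traffic: a request the monitor has a signature for,
# and a harmless decoy padded to the same length.
SIGNATURE = b"/cgi-bin/phf"
REAL_REQUEST = b"GET /cgi-bin/phf HTTP/1.0\r\n"
DECOY_REQUEST = b"GET /index.html HTTP/1.0\r\n".ljust(len(REAL_REQUEST), b" ")


def reaches(seg: Segment, hops: int) -> bool:
    """Every router decrements TTL and drops the packet at zero, so a
    segment crosses `hops` routers only if its TTL is larger than that."""
    return seg.ttl > hops


def reassemble(segments, hops: int) -> bytes:
    """First-writer-wins reassembly of whatever arrives at a host `hops`
    routers away.  Real stacks differ in how they resolve overlaps, which is
    a second source of monitor/target disagreement this model ignores."""
    buf = {}
    for seg in segments:
        if not reaches(seg, hops):
            continue
        for i, b in enumerate(seg.data):
            buf.setdefault(seg.seq + i, b)
    return bytes(buf[k] for k in sorted(buf))


def insertion_attack(real: bytes, decoy: bytes, chaff_ttl: int, chunk: int = 4) -> list:
    """Attacker: for every chunk of the stream, first send decoy bytes with a
    TTL that expires between the monitor and the target, then the real bytes
    at a normal TTL, reusing the same sequence numbers."""
    assert len(real) == len(decoy)
    segs = []
    for off in range(0, len(real), chunk):
        segs.append(Segment(off, chaff_ttl, decoy[off:off + chunk]))  # dies before target
        segs.append(Segment(off, 64, real[off:off + chunk]))          # reaches both
    return segs


def monitor_alerts(segments, hops: int = MONITOR_HOPS) -> bool:
    """A naive passive monitor: reassemble everything on the wire and grep."""
    return SIGNATURE in reassemble(segments, hops)


def ttl_aware_reassemble(segments, monitor_hops: int, target_hops: int) -> bytes:
    """Mitigation: at the tap the observed TTL is ttl - monitor_hops; drop any
    segment that cannot survive the remaining distance to the target.  This
    needs an accurate per-host hop count, and goes wrong when routes change,
    are asymmetric, or many hosts at different distances sit behind the tap."""
    remaining = target_hops - monitor_hops
    kept = [s for s in segments if reaches(s, monitor_hops) and s.ttl - monitor_hops > remaining]
    return reassemble(kept, monitor_hops)


if __name__ == "__main__":
    segs = insertion_attack(REAL_REQUEST, DECOY_REQUEST, chaff_ttl=5)
    print("monitor sees :", reassemble(segs, MONITOR_HOPS))
    print("target sees  :", reassemble(segs, TARGET_HOPS))
    print("naive alert  :", monitor_alerts(segs))
    print("ttl-aware    :", SIGNATURE in ttl_aware_reassemble(segs, MONITOR_HOPS, TARGET_HOPS))
```

With chaff_ttl=5 the decoy bytes pass the tap (5 > 3) and die before the host (5 is not > 6), so the monitor's first-writer-wins buffer is filled with the decoy and never matches the signature, while the host assembles the real request. The same disagreement can be produced with fragmentation or overlap-resolution differences, which is why the fix is a per-host model of the path rather than one more signature.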
\_ "non-passive": guys in full-length black Kevlar suits
with BIG GUNS
\- that's "big *fucking* guns" to you. --psb
\_ Um, this whole conversation has me completely lost.
Any sources to strengthen my security/network fu?
\_ How about just forcing telnetd/rlogind users to use one-time
passwords until they can be elite enuf to use some kind of encrypted
login system?
\_ Is using ssh w/o sshd a waste of time?
\_ sshd is the server; ssh is the client.. they're pretty
useless without each other. You probably meant
"w/o ssh-agent" And no, ssh is still useful without
ssh-agent, whatever psb might think about the impossibility
of ssh password authentication --dbushong
\-I don't even know what "the impossibility of ssh
passwd authentication" means. the only thing I said
was close if not actually impossible was for a passive
monitor upstream from a destination host to replicate
the stream it would see if it were in a different
point in "net space". aka "the TTL attack". --psb
\_ some silly places have ssh set up to automatically call
rlogin when the target host is not running sshd. this
is a completely useless way to run ssh, and might
screw you one day when you're tired and not noticing that
this time your connection is not encrypted.
\_ You implied in your original post that you need to
generate an ssh key in order to use ssh, which is not
true. --dbushong
\-BTW, is anyone familiar with the stuff at
<DEAD>srp.stanfraud.edu<DEAD>? --psb
\_ Yes. mconst was thinking of patching it into
ssh one of these days. --dbushong