Berkeley CSUA MOTD:Entry 15574
Berkeley CSUA MOTD
 
WIKI | FAQ | Tech FAQ
http://csua.com/feed/
2025/07/09 [General] UID:1000 Activity:popular
7/9     

1999/3/10-11 [Computer/SW/Security] UID:15574 Activity:very high
3/9     Given all the network sniffing that goes on, how about turning off
        telnet and rlogin on soda and force everybody to use ssh?  I think
        the cost of dealing with ssh problems outweighs the consequences of
        a break-in.  What do you guys think?
        \_ no ssh installed on UCB dialup CLI connections
           \_ I honestly have to wonder how many people still use CLI
              from the annexen.  --sowings
              \_ All the lazy people who don't want to bother to setup ppp.
        \_ Discriminates against our non-US-citizen members who we legally
           aren't allowed to let use ssh/sshd.  (Stupid US goverment fucknuts)
           \_ sshh...you don't want to make fun of the US govt. They might
              be watching the motd and consficate soda.
           \_ You're wrong; the most popular implementations of SSH for all
              major platforms (Windows/Mac/Unix) are developed and sold
              outside of the US.  The US is starting to lag, not lead, in
              crypto software, because of crypto export laws.
                \_ So.  That has nothing to do with the CSUA violating the
                   law everytime it allows a non-citizen to use encryption
                   software - even if they downloaded ssh on their own, it's
                   useless without the sshd software running on soda.
           \_ I know of a supercomputer center run by the government and
              foreign users connecting to that system MUST use ssh.
              If it's OK for them, it's probably OK for soda.  --peterM
        \_ There is no free SSH client for Windoze, to my knowledge
           -muchandr
           \_ http://www.zip.com.au/~roca/ttssh.html --dim
           \_ F-Secure SSH seems to be free as well.
                \_ only for 30 day trial
           \_ Then you should look at http://www.net.lut.ac.uk/psst
                and learn much...
           \_ http://www.ocf.berkeley.edu/~tee/ssh
        \_ who cares?
                my ssh key into an sshd on a machine run my people i dont
                \-I think this is an insane idea. I dont want to type
                my ssh key into an sshd on a machine run by people i dont
                know and i dont trust ... and I would rather not set up a
                "low security" ssh key in addition to my regular one.
                given all the network sniffing that goes on, use rhosts
                and dont trust soda on machines you care about.
                What are you going to do about the XDM machines?
                I disagree with your cost-benefit analysis. The cost of a
                compromised passwd isnt that high. The cost of a compromised
                ssh key is high. For one thing, the hacker can hide from IDS
                systems. I wont go on any more. It was reasonable to float
                this balloon, but crazy to jump on it. --partha "i watch the
                net" banerjee
                \_ you never ever type your ssh-passphrase to
                   a remote process.  the remote sshd, when you use
                   RSAAuthentication, provides you a challenge to which you
                   respond.  That response is the equivalent  of doing an
                   RSA encrypt with your private key which the remote
                   sshd tries to decrypt with the public key you deposited
                   on the remote host earlier.  If what the remote sshd
                   obtained by decrypting your response  with your public
                   key and and the original challenge coincide, then you
                   are authenticated.  Of course, if you do not trust
                   RSA, and think someone may use your public key to obtain
                   your private key and the pass prase you use to further
                   protect it against local machine attacks, thats another
                   story. --jon
                \_ Oh great psb, please sniff my network in a sexual way.
                                -psb #1 fan
                   \_ Poser.   The real -psb #1 Fan
                \_ Uh, partha, you do realize that you don't need to use
                   RSA authentication to still get most of the benefits
                   of ssh.
                        \- yes but realistically you see more trojaned
                        clients and daemons than seq number or spoof attacks.
                        my point was this imposes a reasonable cost for people
                        who log in from a lot of different machines.
                        \_ It would be pretty obvious if you had logged into
                           a trojaned sshd server. In addition to the server
                           authenticating you the client also authenticates
                           the server and spews a nasty message if the
                           authentication fails.
                        \_ What do seq number or spoof attacks matter?  The
                           attacks we see daily on campus are packet sniffers.
                           ssh eliminates the threat of packet sniffing
                           script kiddies, whether or not you use RSA
                           authentication.  -tom
                           \_ I think he is saying that he believes one is
                              better off using rlogin and .rhosts as
                              attacks spoofing a connection from a
                              trusted host or attempting to hijack your
                              connection are rarer than trojan attacks.
                                --sky
                  \_ Do you passively sniff traffic or do you run the IDS
                  on a gateway and dynamically block packets?  If you are
                  just passively watching the traffic, until TCP/IP
                  stacks are standardized, your IDS can be circumvented 7
                  ways to sunday.  Its so easy to inject packets that will put
                  the IDS and the target host's stack in inconsistant states.
                  How do you deal with something as simple as TTL?  --sky "i
                  0wn j0r n3t w1th my 31337++ hAx0r sk1LLz" king
                        \-the TTL problems is in fact tricky and really
                basically intractible. i think we are cleverer than you
                think. i cant discuss exactly what we do, but if you have
                some attack based on ttls ot fragmentation or whatever,
                anything stealthy, as opposed to a flood/DoS, we would be
                interested in talking to you to see if you can evade our
                monitor. the commercial monitor cos are just interested in
                profit maximizing ... so if it would take a huge effort
                to fix something and lacking that one thing isnt hurting
                their sales much, then they wont fix it/ for example a major
                IDS which will remain nameless only keeps 3minutes of "state",
                which means if you just control-z a connection for 3min, you
                have probably evaded the monitor. anyway, if you are serious
                drop us a note. i am not going to publicly comment on the
                non-passive part of the monitoring. --psb
                \_ Yeah.  We have a whole library of scripts written
                   in a custom language for sending and receiving raw
                   net traffic that we use for OS fingerprinting,
                   firewall penetration testing, and IDS circumvention.
                   We have a collection of scripts whose purpose is to
                   exploit descripencies in stack implementation so that
                   the IDS and the target systems state become disjoint,
                   allowing us to insert evil data w/o the IDS detecting it.
                   It would be interesting to see how BRO handles under
                   these conditions.  --sky
                \_ "non-passive": guys in full-length black Kevlar suits
                   with BIG GUNS
                        \that's "big *fucking* guns" to you. --psb
                \_ Um, this whole conversation has me completely lost.
                   Any sources to strengthen my security/network fu?
        \_ How about just forcing telnetd/rlogind users to use one-time
           passwords until they can be elite enuf to use some kind of encrypted
           login system?
                \_Is using ssh w/o sshd a waste of time?
                  \_ sshd is the server; ssh is the client.. they're pretty
                     useless without each other.  You probably meant
                     "w/o ssh-agent" And no, ssh is still useful without
                     ssh-agent, whatever psb might think about the impossiblity
                     of ssh password authentication --dbushong
                        \-i dont even know what "the impossibility of ssh
                        passwd authentication means". the only think i said
                        was close if not actually impossible was for a passive
                        monitor upstream from a destination host to replicate
                        the stream it would see if it were in a different
                        point in "net space". aka "the TTL attack". --psb
                  \_ some silly places have ssh set up to automatically call
                     rlogin when the target host is not running sshd.  this
                     is a completely useless way to run ssh, and might
                     screw you one day when you're tired and not noticing that
                     this time your connection is not encrypted.
                     \_ You implied in your original post that you need to
                        generate an ssh key in order to use ssh, which is not
                        true.  --dbushong
                        \-BTW, is anyone familiar with the stuff at
                        <DEAD>srp.stanfraud.edu<DEAD>? --psb
                        \_ Yes.  mconst was thinking of patching it into
                           ssh one of these days.  --dbushong
ERROR, url_link recursive (eces.Colorado.EDU/secure/mindterm2) 2025/07/09 [General] UID:1000 Activity:popular
7/9     

You may also be interested in these entries...
2013/6/6-7/31 [Politics/Foreign/Asia/China, Computer/SW/Security] UID:54690 Activity:nil
6/6     Wow, NSA rocks. Who would have thought they had access to major
        data exchangers? I have much more respect for government workers,
        crypto experts, mathematicans now than ever.
        \_ flea to Hong Kong --> best dim-sum in the world
           \_ "flee"
        \_ The dumb ones work for DMV, the smart ones for the NSA. If you
	...
2012/8/26-11/7 [Computer/SW/Security] UID:54465 Activity:nil
8/26    Poll: how many of you pub/priv key users: 1) use private keys that
        are not password protected 2) password protect your private keys
        but don't use ssh-agent 3) use ssh-agent:
        1) .
        2) ..
        3) ...
	...
2012/8/29-11/7 [Computer/SW/Security] UID:54467 Activity:nil
8/29    There was once a CSUA web page which runs an SSH client for logging
        on to soda.  Does that page still exist?  Can someone remind me of the
        URL please?  Thx.
        \_ what do you mean? instruction on how to ssh into soda?
           \_ No I think he means the ssh applet, which, iirc, was an applet
              that implemented an ssh v1 client.  I think this page went away
	...
2012/9/24-11/7 [Computer/SW/Languages, Computer/SW/Unix] UID:54484 Activity:nil
9/24    How come changing my shell using ldapmodify (chsh doesn't work) doesn't
        work either? ldapsearch and getent show the new shell but I still get
        the old shell on login.
        \_ Scratch that, it magically took my new shell now. WTF?
           \_ probably nscd(8)
	...
2012/7/13-8/19 [Computer/SW/Security, Computer/Companies/Yahoo] UID:54436 Activity:nil
7/13    Why would Yahoo store passwords unencrypted?  I recall that even 20+
        years ago the passwords stored in /etc/passwd on instructional
        machines here at Cal were one-way encrypted.  (I think those were
        Ultrix machines.)
        \_ Doesn't this say anything already?
           http://finance.yahoo.com/echarts?s=YHOO+Interactive#symbol=yhoo;range=5y
	...
2011/4/27-7/30 [Computer/SW/Security, Computer/SW/Unix] UID:54096 Activity:nil
4/28    Will wall be fixed?   - jsl
        \_ What's wall?
           \_ An anachronism from a bygone era, when computers were hard to
              comeby, the dorms didn't have net, there was no airbears, and
              when phones didn't come standard with twitter or sms.
           \_ A non useful implementation of twitter.
	...
2011/5/19-7/30 [Computer/SW/Security] UID:54110 Activity:nil
5/19    Uh, is anyone still using this? Please mark here if you post and
        haven't added this yet. I'll start:
        \_ person k
        \_ ausman, I check in about once a week.
        \_ erikred, twice a week or so.
        \_ mehlhaff, I login when I actually own my home directory instead of
	...
2010/3/9-30 [Computer/HW/CPU, Computer/SW] UID:53748 Activity:nil
3/9     http://www.engadget.com/2010/03/09/1024-bit-rsa-encryption-cracked-by-carefully-starving-cpu-of-ele
        I failed to see why you must starve the CPU of electricity. Why
        can't you just simulate that in software?
        \_ And if you can simulate that in software, why not just single-
           stepping the simulated CPU and get the key out?
	...
2009/12/29-2010/1/19 [Computer/SW/Security] UID:53607 Activity:nil
12/29   Sounds like the GSM encryption key has been recovered via a
        brute force attack:
        http://www.nytimes.com/2009/12/29/technology/29hack.html
	...
2009/10/1-21 [Computer/SW/WWW/Browsers] UID:53417 Activity:moderate
10/1    I am thinking of installing firefox on soda under my home directory.
        Will this make me a hozer?
        \_ Possibly. I wonder if we should have another VM for that...btw,
           I remember someone saying they're glad we're not on FreeBSD
           anymore, but last I checked, a bunch of our stuff is on FreeBSD,
           but our login server is not.
	...
2009/7/12-24 [Computer/SW/Security] UID:53132 Activity:nil
7/9     Ok I'm learning how to do this fancy ssh-keygen thing so that I
        don't have to keep typing passwords inbetween logging into machines.
        What's an ideal size for the number of bits in dsa? 1024 is default,
        but would 2048 enhance it even more? What do you guys use?
        \_ I'm paranoid.  I use 4096.  Go for at least 2048, I'd say...
        \_ If you want to be secure make sure your keys have passphrases, and make
	...
Cache (3504 bytes)
www.zip.com.au/~roca/ttssh.html
This version provides some protection against traffic analysis by padding the transmitted SSH password with NULs. Only one of them affects TTSSH: 11 a vulnerability using IDEA. Therefore, it is now completely legal to use the standard "international" TTSSH package within the USA. This means anyone is now free to do almost anything they want with the source code. I've released the new version because I don't like depending on luck (and it should make some of the forwarding features work again). This includes several bug fixes and TIS authentication (thanks to Dean Thompson for help with that). I just don't have the resources to do it, especially since I can only work on it during the few weeks each year I'm outside the US, and that time is important to me for other reasons. I'd be happy for someone else to pick up the code and add it :-). I've fixed most of the known bugs, added proper support for X forwarding and UI for all the forwarding options, and added a couple of other doodads ("/ssh-autologin" option, in particular --- see the 14 documentation page for details. Also, it looks like it will be hard to integrate all its features into Teraterm without significantly modifying the design of the main Teraterm application. There's no way I'll have enough time overseas in the foreseeable future to undertake this project, sorry. Note that, due to an oversight, the version number in the file was not updated. Since I'm returning to the USA tomorrow, this will be the last release for several months unless an overseas maintainer is found. Non-SSH sessions used to crash at the end of the session. I released the debug version by mistake and it didn't work for many people. How to Obtain and Install TTSSH Currently TTSSH is only available for Win32 platforms (Windows 95 and NT). Again, I don't have the tools to compile it anywhere else, and someone else may be able to help. The following instructions will also serve to update an old version of TTSSH. The latest build of TTSSH requires this (this was an error in the build process, sorry). How to Use TTSSH There is now a 21 TTSSH documentation page. What the Government Wants You to Know This code contains cryptographic software covered by US ITAR regulations and by the laws of various countries. Its distribution and use may be restricted by these laws and regulations. In particular, it is probably illegal to make the binary code publically available at a US site. What I Want You to Know All the usual free software legalese applies. The software is provided entirely "as is", and use is entirely at the discretion and risk of the user. Who to Thank * This code started with Ian Goldberg's Top Gun SSH for the Pilot. The LIBEAY32 used by TTXSSH is a plain "out-of-the-box" build. That library is 1995-1996 Jean-loup Gailly and Mark Adler. Mileage with other platforms may vary, but I'm interested in getting bug reports. However, please only send me bug reports for the latest version of TTSSH! Known bugs: * Sometimes the remote host will disconnect and the window will not close even if you've specified "close window on disconnect". This happens when a dialog box or message box is showing when the disconnect is detected. This is actually a Teraterm "feature", and there's nothing I can do about it. What the Terms and Conditions Are You can download and use TTSSH for absolutely free. Note that the terms for the source package are a bit looser, so if you build your own version of TTSSH then you have even more rights.
Cache (241 bytes)
www.net.lut.ac.uk/psst -> www.lysator.liu.se/~nisse/lsh/
GNU sense) of the ssh version 2 protocol, currently being standardised by the IETF SECSH working group. This page should help you find any lsh related resources you need. Documentation The lsh source distribution comes with a texinfo manual.
Cache (93 bytes)
www.ocf.berkeley.edu/~tee/ssh
Mindbright employees (click on applet to get keyboard-focus). Java enabled home References 1.