5/25 If IPv6 encrypts everything (IPSec) as part of the standard, does this
mean protocols like ssh would no longer be required? Will IPv6 allow
telnet and ftp and other cleartext password protocols to live on?
What use would there be for ssh if IPv6 was everywhere?
\- i realize i am "begging the hypothetical" but the "if ipv6
was everywhere [and interoperating nicely, with reasonable key
management, and transparency]" is a pretty big if. "if ksh does
everything sh does and more, why do we still have sh?" etc. --psb
\_ It's a good question. I think the answer is mostly just
inertia and history.
\_ there will always be a need for application-level security
\_ What does ssh do for me that ipsec doesn't? IPv6 encrypts, it
compresses, QoS, and lots of other fun things. What does ssh
get me in a pure IPv6 world? (Yes, I know this will take a while
to happen, that's not my query). Don't get me wrong. I love
ssh and use it for all sorts of stuff. I'm just not seeing a
big role for it in IPv6.
\_ Authentication?
\_ I think a telnet prompt with memorised password is better
auth than the keys-on-disk ssh standard auth. I can steal
your private key. I can't read your mind.
\_ you can require a key on disk, and protect the
key with a passphrase
\_ Is stealing someone's private key easier than reading
their password out of the password file?
\_ Yes. And can be more useful.
\_ Of course -my- private key is encrypted. Go ahead and
steal it. As for memorized password, it can be easily
stolen as well with a use of a trojaned client or
server, and I have seen this happen many times.
\_ So you unencrypt your key before each use? Uh huh.
If the server or client is trojaned all is lost
anyway so it hardly matters what you use at that
point, does it?
\_ This is not true in general. It's easy to
authenticate yourself without revealing
your private key.
\_ Yes, man ssh-agent. And if you are not using
ssh-agent, then yes, you need to decrypt the
key every time you use it. Ssh client does this
for you. And yes, this is more secure because
you don't have to send either your password
nor your private key to the remote ssh server.
\_ I think you don't understand how ssh-agent
or ssh itself works. ssh-agent is a local
key manager that makes it so you don't have
to retype your passphrase over and over for
each new connection. Nothing more. I'd
like to hear your explanation of how it
auths to the server without sending any
info.
\_ do you even know what PKI means?
\_ Same question: how are you doing auth
without sending someone something?
\_ i was speaking more broadly, e.g. SSL too. the main use
of app-level security is authentication and integrity
of data between app-level (not system-level) principals.
\_ Is something like app-level ssl necessary when the
underlying protocol (IPv6 in this case) deals with it?
\_ yes, particularly for distributed systems. not
only are there app-level principals that are not
known at the system level to auth/authz, but
you also want to reduce the extent of damage when
one part fails.
\_ Agent system, agent forwarding, x11 forwarding...
\_ BTW, IPSec has nothing to do with IPv6. Implementations of both
for *BSD systems happen to be co-developed by the same people
(kame.net), but IPv6 !=, is not a superset of, does not imply,
whathaveyou, IPSec.
\_ Well, true, but what I read implied that IPv6 is assumed to use
IPSec by default.
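The "how do you auth without sending someone something" exchange above turns on public-key challenge-response, which is what ssh's publickey method (with or without ssh-agent) does. The following is an added, simplified illustration written for this page, not code from OpenSSH or from anyone in the thread: the Server type, Challenge/Verify and Sign are constructed names, and a bare random nonce stands in for the session-id-bound data a real ssh client signs. The private key is used only on the client side and never crosses the wire; the server holds the public key alone.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Server holds only the authorized public key (think authorized_keys) and
// the one outstanding challenge it has issued. Constructed for illustration.
type Server struct {
	authorized ed25519.PublicKey
	pending    []byte
}

// Challenge issues a fresh 32-byte random nonce. Each nonce is single-use,
// which is what stops a captured signature from being replayed later.
func (s *Server) Challenge() []byte {
	s.pending = make([]byte, 32)
	if _, err := rand.Read(s.pending); err != nil {
		panic(err) // crypto/rand failing is not recoverable here
	}
	return s.pending
}

// Verify consumes the outstanding challenge and checks the signature with
// the public key. Nothing secret from the client is ever received.
func (s *Server) Verify(challenge, sig []byte) error {
	if s.pending == nil || !bytes.Equal(challenge, s.pending) {
		return errors.New("stale or unknown challenge")
	}
	s.pending = nil // burn the nonce before checking, so replays always fail
	if !ed25519.Verify(s.authorized, challenge, sig) {
		return errors.New("signature does not verify against authorized key")
	}
	return nil
}

// Sign is the client-side step: the role ssh-agent plays locally, signing
// with the private key that stays on the client (or in the agent process).
func Sign(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // client's keypair
	srv := &Server{authorized: pub}                  // server learned pub only
	c := srv.Challenge()
	fmt.Println("first attempt:", srv.Verify(c, Sign(priv, c))) // <nil>
	fmt.Println("replay attempt:", srv.Verify(c, Sign(priv, c))) // error
}
```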