Re: telnet replacement - not ssh?

From: Damian Menscher <menscher+security@uiuc.edu>
Date: Thu, 09 Jan 2003 03:07:47 GMT

In comp.security.misc srt@nospam.unt.edu wrote:
> In comp.security.misc Kirt Loki Dankmyer <xiombarg@fnord.io.com> wrote:

> .... I suppose they could
> mount a "man-in-the-middle" attack if they *really* wanted to monitor
> you.

This got me thinking... they could set up a secure box that you can log
in to. You ssh to their box. Then ssh from that box to your systems.
They can monitor your keystrokes on their box.

> For a technical solution: There are versions of many standard
> utilities (rlogin, ftp, etc.) that replace the authentication with a
> Kerberos-based solution. I *think* (although I'm not sure) that these
> usually keep the main session unencrypted so your snoops can snoop.

Another technical solution is to see if there's something similar to
SecTP that works with a telnet-like connection. SecTP encrypts the
password, but not the data, for file transfer. As long as you don't
need to su, this might be sufficient.

> For a non-technical solution: Try to get your company to change its
> policy. To require poorly secured solutions simply so they can snoop
> is a completely asinine policy.

They're obviously not security people if they want logs of what
you're doing. But something that might appease them is if they can
get a copy of your .bash_history (or equivalent).

Personally, I'd just have ssh listen on a high-numbered port and
ignore the security "experts" in your organization.

Damian Menscher

-- 
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| <menscher@uiuc.edu> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-

