Re: telnet replacement - not ssh?

From: Damian Menscher (menscher+security@uiuc.edu)
Date: 01/09/03

In comp.security.misc srt@nospam.unt.edu wrote:
> In comp.security.misc Kirt Loki Dankmyer <xiombarg@fnord.io.com> wrote:

> .... I suppose they could
> mount a "man-in-the-middle" attack if they *really* wanted to monitor
> you.

This got me thinking... they could set up a secure box that you can log
in to. You ssh to their box. Then ssh from that box to your systems.
They can monitor your keystrokes on their box.

> For a technical solution: There are versions of many standard
> utilities (rlogin, ftp, etc.) that replace the authentication with a
> Kerberos-based solution. I *think* (although I'm not sure) that these
> usually keep the main session unencrypted so your snoops can snoop.

Another technical solution is to see if there's something similar to
SecTP that works with a telnet-like connection. SecTP encrypts the
password, but not the data, for file transfer. As long as you don't
need to su, this might be sufficient.

> For a non-technical solution: Try to get your company to change its
> policy. To require poorly secured solutions simply so they can snoop
> is a completely asinine policy.

They're obviously not security people if they want logs of what
you're doing. But something that might appease them is if they can
get a copy of your .bash_history (or equivalent).

Personally, I'd just have ssh listen on a high-numbered port and
ignore the security "experts" in your organization.

Damian Menscher

-- 
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| <menscher@uiuc.edu> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-