9fans - fans of the OS Plan 9 from Bell Labs
From: "Russ Cox" <rsc@plan9.bell-labs.com>
To: 9fans@cse.psu.edu
Subject: Re: [9fans] SSH Version2
Date: Tue,  8 Oct 2002 01:25:10 -0400
Message-ID: <84f3667256e3e5270adb691c365ab243@plan9.bell-labs.com>

> on the comment about ssh2, it was made more complicated specifically so
> it would be harder to break, and said theory has held true because as

NO NO NO.  It happened to be made more complicated.
Things that are more complicated are not necessarily harder
to break, and often easier to break.  Making it more
complicated was very likely not a design goal.

> you said yourself, the ettercap guys haven't figured it out yet. I want it

Not true.  The ettercap guys haven't implemented it yet.
That's not the same as haven't figured it out yet.
The MITM attack remains the same.  They haven't implemented SSH2
support, just like we haven't.  This is very VERY different.

> to be difficult for someone to get my username and password, impossible
> is not an option yet, but one can certainly make it more difficult.

Impossible _is_ an option (modulo the attacker just happening to guess
the right password or key, which is unavoidable).

Also, don't use SSH in password mode.  Use it with public keys
or with challenge/response.  Not as good as PAK, but much better
than sending a password.

> network you trust (or are ignorant of). the idea behind ssh and all other
> tools like it, is so you can work on a network you don't entirely trust,
> if we always trusted networks we'd use telnet.

There's a difference between working on a network you don't entirely
trust and working on a network that is a complete unknown to you.
If you're that paranoid, just get the host keys via an out-of-band
mechanism, and you'll never have a problem.

I mean, come on.  What kind of paranoid are you if you ignore messages like:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA1 host key has just been changed.
The fingerprint for the RSA1 key sent by the remote host is
2e:0e:82:ba:a3:d0:00:9a:ba:6d:87:e3:e0:b6:22:88.
Please contact your system administrator.
Add correct host key in /home/ny3/rsc/.ssh/known_hosts to get rid of this message.
Offending key in /home/ny3/rsc/.ssh/known_hosts:33
RSA1 host key for labrador.eecs.harvard.edu has changed and you have requested strict checking.
Host key verification failed.

Russ
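
Added example, not part of the original message: one way to carry out the out-of-band host key check mentioned above is to compare the fingerprint of the key on record against a fingerprint obtained over a trusted channel. The function names, host name and key values are constructed for illustration, and the code assumes SSH2-style known_hosts lines with unhashed host names (the warning above concerns an RSA1 key, which uses a different line format).

```python
import base64, hashlib, hmac, struct

def _ssh_string(data: bytes) -> bytes:
    # SSH wire encoding: 4-byte big-endian length, then the bytes.
    return struct.pack(">I", len(data)) + data

def make_constructed_line(host: str, n: int) -> str:
    """Build a known_hosts-style line around a CONSTRUCTED (not real) ssh-rsa blob."""
    e_bytes = (65537).to_bytes(3, "big")
    n_bytes = n.to_bytes(n.bit_length() // 8 + 1, "big")  # mpint: keeps sign bit clear
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(e_bytes) + _ssh_string(n_bytes)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"

def md5_fingerprint(line: str, host: str) -> str:
    """Colon-separated MD5 fingerprint (the style shown in the warning) of host's key."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("malformed known_hosts line")
    hosts, key_type, b64 = fields[0], fields[1], fields[2]
    if host not in hosts.split(","):
        raise ValueError("line does not name this host")
    blob = base64.b64decode(b64, validate=True)  # raises a ValueError subclass if bad
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (tlen,) = struct.unpack(">I", blob[:4])
    # The blob carries its own key-type string; it must agree with the text field.
    if blob[4:4 + tlen] != key_type.encode():
        raise ValueError("key type in blob does not match the line")
    # MD5 is used only because it is the display format in the warning;
    # current OpenSSH releases show SHA256 fingerprints by default.
    digest = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def matches_pinned(line: str, host: str, pinned_fp: str) -> bool:
    """True only if the key on this line has the fingerprint obtained out of band."""
    try:
        seen = md5_fingerprint(line, host)
    except ValueError:
        return False  # unparseable or wrong host: never treat as verified
    return hmac.compare_digest(seen.encode(), pinned_fp.strip().lower().encode())

if __name__ == "__main__":
    good = make_constructed_line("host.example", 0xC0FFEE1234567891)
    swapped = make_constructed_line("host.example", 0xC0FFEE1234567893)
    pinned = md5_fingerprint(good, "host.example")  # stands in for the out-of-band value
    print("pinned fingerprint:", pinned)
    print("same key verifies: ", matches_pinned(good, "host.example", pinned))
    print("changed key verifies:", matches_pinned(swapped, "host.example", pinned))
```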

