

On Fri, Feb 09, 2001 at 10:31:41AM -0500, Adam Spickler wrote:
> SSH2 is supposed to be more secure.  Stability, not sure about.  However, one thing to think about... someone can load the local "exploit" dsniff on your machine.  This makes ssh1 look as cleartext as telnet.  Fortunately, it hasn't been done for ssh2 yet.  Personally, I like using RSA keys.  Make sure to disable xauth, that's another security risk... etc, etc.


let's de-FUD this just a tad, the dsniff business is a man in the
middle attack, an attack that will ONLY succeed if the user ignores
ssh's very loud warnings about a changed host key upon initial
connection.  openssh won't even allow you to login to such a host
easily, and refuses to allow you to use password auth.  

the other case where that could succeed is if you fail to do any
verification of the host key you receive when connecting to a host you
have never connected to before.   if you take care to verify host keys
and NEVER ignore warnings about changed keys.  contact the admin and
find out what happened and have him give you the key fingerprint so
you can verify you are getting the correct host key.  if you do this
you are not vulnerable to dsniff.  

reports of ssh1's death have been greatly exaggerated.  

Ethan Benson
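
The host key check described in the message above, as an added example that is not part of the original post: it derives the fingerprint of the key a server presents and compares it with the fingerprint the admin supplied out of band. The key bytes are constructed sample data and the function names are hypothetical.

```python
import base64, hashlib, hmac, struct

def make_pubkey_line(key_type, raw_key, comment):
    """Build an OpenSSH-style public key line from constructed bytes (sample data only)."""
    pack = lambda b: struct.pack(">I", len(b)) + b   # SSH wire-format string
    blob = pack(key_type.encode()) + pack(raw_key)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"

def parse_blob(pubkey_line):
    """Decode the key blob and check its embedded type against the text label."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != fields[0].encode():
        raise ValueError("key type label does not match key blob")
    return blob

def fingerprints(pubkey_line):
    """Fingerprints in the two formats ssh-keygen -l prints (MD5 hex, SHA256 base64)."""
    blob = parse_blob(pubkey_line)
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha}

def host_key_matches(presented_line, trusted_fp):
    """True only if the presented key hashes to the fingerprint the admin gave you."""
    algo = "sha256" if trusted_fp.startswith("SHA256:") else "md5"
    if algo == "md5" and not trusted_fp.startswith("MD5:"):
        trusted_fp = "MD5:" + trusted_fp.lower()      # accept bare legacy hex form
    candidate = fingerprints(presented_line)[algo]
    return hmac.compare_digest(candidate.encode(), trusted_fp.encode())

if __name__ == "__main__":
    # Constructed keys: the real host's key and a different key seen on the wire.
    genuine = make_pubkey_line("ssh-ed25519", bytes(range(32)), "constructed-host")
    changed = make_pubkey_line("ssh-ed25519", bytes(range(1, 33)), "constructed-host")
    trusted = fingerprints(genuine)["sha256"]         # stands in for the admin's value
    for label, line in (("genuine", genuine), ("changed", changed)):
        ok = host_key_matches(line, trusted)
        print(f"{label}: {'accept' if ok else 'REJECT, key does not match'}")
```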
