Bug#222382: ssh: warn user about a telnet session
On Wed, Jan 21, 2004 at 01:35:50AM +0000, Colin Watson wrote:
> On Fri, Nov 28, 2003 at 10:27:08AM -0200, Pedro Zorzenon Neto wrote:
> > Package: ssh
> > Version: 1:3.4p1-1
> > Severity: wishlist
> >
> > Hi Matthew,
> >
> > I'd like ssh to send a warning message when I try to use it from
> > inside a telnet session. I don't know if this is a good solution, but
> > it is below (to be included in ssh "int main").
> >
> > Thanks,
> > Pedro
> >
> > /* telnetd sets variable REMOTEHOST, let's check it */
> > if (getenv("REMOTEHOST") != NULL) {
> >     printf("*** WARNING *** you are using ssh from inside a "
> >            "telnet session. Your password and data can be "
> >            "sniffed easily.\n");
> > }
>
> Thanks for the suggestion, but I think this is a bad idea, for a couple
> of reasons:
>
> * We shouldn't foster the expectation that ssh will warn you if your
> environment is insecure; there are too many common situations where
> that might happen and ssh can't detect it (for example,
> ssh-over-ssh-over-telnet or ssh from an account you sometimes access
> by FTP). Reporting just one of them is likely to foster a false
> sense of security.
>
> * It's possible to run telnet over IPSec, or telnet-ssl, neither of
> which allows data to be sniffed, but both of which will set
> $REMOTEHOST.
>
> You're of course welcome to apply this to your local version of ssh, but
> I think it would do more harm than good to apply it to the version
> shipped by Debian.
>
> Cheers,
>
> --
> Colin Watson [cjwatson@flatline.org.uk]
Hi Colin,
Thanks for your explanation. After reading your comments, I also
think it is a bad idea to apply to the Debian package. I'll use it in
my local machine only, since some users unfortunately try ssh in a
telnet session...
Thanks,
Pedro