Bug#222382: ssh: warn user about a telnet session
On Fri, Nov 28, 2003 at 10:27:08AM -0200, Pedro Zorzenon Neto wrote:
> Package: ssh
> Version: 1:3.4p1-1
> Severity: wishlist
>
> Hi Matthew,
>
> I'd like ssh to send a warning message when I try to use it from
> inside a telnet session. I don't know if this is a good solution, but
> it is below (to be included in ssh "int main").
>
> Thanks,
> Pedro
>
> /* telnetd sets variable REMOTEHOST, let's check it */
> if (getenv("REMOTEHOST") != NULL) {
>     printf("*** WARNING *** you are using ssh from inside a "
>            "telnet session. Your password and data can be "
>            "sniffed easily.\n");
> }
Thanks for the suggestion, but I think this is a bad idea, for a couple
of reasons:

  * We shouldn't foster the expectation that ssh will warn you if your
    environment is insecure; there are too many common situations where
    that might happen and ssh can't detect it (for example,
    ssh-over-ssh-over-telnet or ssh from an account you sometimes access
    by FTP). Reporting just one of them is likely to foster a false
    sense of security.

  * It's possible to run telnet over IPSec, or telnet-ssl, neither of
    which allows data to be sniffed, but both of which will set
    $REMOTEHOST.

You're of course welcome to apply this to your local version of ssh, but
I think it would do more harm than good to apply it to the version
shipped by Debian.

Cheers,
--
Colin Watson [cjwatson@flatline.org.uk]