Re: S/Key & OPIE Database Vulnerability

From: Eivind Eklund (eivindat_private)
Date: Fri Jan 28 2000 - 03:23:10 PST

    On Thu, Jan 27, 2000 at 09:40:35AM -0500, Brandon Palmer wrote:
    > > Ultimately I wonder how much of a future S/Key has now that SSH and
    > > similar utilities are widely deployed and provide much more
    > > sophisticated protections, especially session encryption.
    >
    > I think there is definitely still a need.  There are many cases in which I
    > am not on a machine that has ssh (i.e. some public telnet shell).  Though
    > the session is not encrypted, my password is still safe.  Until ssh-java
    > shells are common, s/key still has its place.
    
    This indicates a rather common misconception.  SSH-Java shells should
    NOT make a public terminal trusted for your password; the TERMINAL is
    insecure, and is rather likely to be running a keystroke logger.  SSH
    only makes the connection from the box it runs on to the box at the
    other end secure.
    
    Eivind.
    


