On 22 Dec, Chris BeHanna wrote:
> On Sat, 23 Dec 2000, David Preece wrote:
>
>> At 15:37 22/12/00 -0800, you wrote:
>>
>> >The question asked is: why you believe ssh is beter than say
>> >telnet. Or what advantages SSH has in general.
>>
>> Sorry, don't have time to reply to this properly.
>>
>> The main evil of ssh is that server authentication is not enforced,
>> making mounting a man-in-the-middle attack basically trivial.
>
> Man-in-the-middle or not, the fact that your data aren't
> transmitted in the clear automatically gives ssh a leg up over telnet,
> rsh, rlogin, and ftp. (At least one large company I know of has
> stated flatly, for example, that sending a root password over the wire
> in the clear is grounds for immediate termination.)
>
Is it possible to get the name of that company?
> You can certainly
> do your own server authentication, by carrying your known hosts file
> around on a floppy. ssh *does* warn you when you connect to a host
> that isn't present in your known hosts file--this isn't happening
> without your knowledge *and* consent.
>
Some people have stated that the "first contact" scenario is
difficult to over come. How do you feel about that?
> ssh may have its weaknesses, but telnet has little use other than
> as a diagnostic tool, IMHO (I only use it to send protocol commands to
> popd or sendmail these days). I'd *hardly* characterize ssh as "evil".
>
I don't beleive I've ever said SSH is evil. It seems to be
a common interpetation of the statement I made. I see that
I'll have to make note of that in my talk.
Are there any other points you feel might be either a "plus"
or "minus" in behalf of ssh?
Jessem.
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
