> From: Michael T. Babcock [mailto:[EMAIL PROTECTED]]
> Sent: Monday, March 05, 2001 4:22 PM
> Richard Levitte - VMS Whacker wrote:
> > ... and SSH has issues. They are possible to go around, but you have
> > to be aware of them.
> I have had no issues using OpenSSH at all.

Are you *aware* of the issues? They're not obvious. Richard's point is
completely correct.

Assuming Google ever gets the former Deja archives into a usable state, you
might want to check out some of Tom Wu's messages on sci.crypt discussing
possible attacks against SSH's anon key exchange. Yes, SSH supports
stronger (i.e. non-broken) authentication protocols, including SRP, and if
you use one SSH is fine. But many people use anon key exchange because they
don't understand that there are issues with it.

> I understand that there are other products, but SSH is the
> only one I've worked with enough to consider secure and stable.

Then perhaps your original statement ought to have been phrased differently.
If SSH is the only secure remote login system you've used, you're hardly in
a position to claim it's the only one anyone should use.

Personally, I just use the Telnet and FTP implementations that come with the
SRP distribution, because I'd be using SRP/EPS even if I were using SSH, so
why install a second package? And the Telnet/FTP implementations in the SRP
package are compatible with non-SRP-enabled Telnet and FTP, so I have
backward compatibility.

If all someone needs is secure shared-secret authentication for Telnet and
FTP, SRP/EPS is a good way to go. If they need public-key authentication as
well, then I'd recommend an SSL-enabled Telnet and FTP. Which,
coincidentally, also comes with the SRP distribution. And you get EPS,
which provides strong password hashing for platforms that lack it.

Michael Wojcik [EMAIL PROTECTED]
MERANT
Department of English, Miami University
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]