VPN question (ssh)

Fraser Campbell fraser-Txk5XLRqZ6CsTnJN9+BGXg at public.gmane.org
Sun Dec 21 13:20:53 UTC 2003


On December 21, 2003 03:50 am, you wrote:

> > Also encryption doesn't stop people from being dumb.  For example
> > allowing password based authentication with sshd leaves a rather weak
> > link in the chain (depending on users to use good passwords), IOW if you
> > use strong encryption with weak authentication you might as well not
> > bother.
>
> but the password is encrypted in transfer right?  maybe i'm wrong about
> this, but doesn't ssh use asymmetric encryption initially, then symmetric
> after the session key is established?

Yes, your username and password are encrypted in transit.  My point was that 
if you allow password authentication and your root password is g0d, all the 
encryption in the world cannot protect you.  Better to make the 
authentication barrier a lot higher ... require key based authentication, 
ensure that all private keys are passphrase protected, don't allow root login 
unless it's essential, restrict access to ssh by ip if it doesn't cause too 
much heartache, etc.

Another example would be with VPNs.  Let's say Justin Inc. installed a VPN, 
employees gotta have access from home after all!  Now your poor employees 
can't handle installing X.509 certificates, it's too much work for you to 
manage them and ahh who cares, it's all encrypted anyway.  So in the interest 
of keeping things simple you set up pre-shared key authentication with a 
pre-shared key of "justin's vpn" ... you've now created a solution where the 
data is secure in transit but very insecure in other ways.  The authentication 
barrier is low; guesswork can potentially lead an attacker to full VPN access 
to your network.

Secure webservers are another example.  Imagine a "secure" webserver that allows 
telnet access from all over the Internet, that stores credit cards in an 
unencrypted form in a database, etc.  Sure the data in transit is tough to 
get at but the data at rest is easy pickings.

Anyway, now I'm rambling about stuff that likely had nothing to do with your 
original question, time to go fishing :-)
-- 
Fraser Campbell <fraser-Txk5XLRqZ6CsTnJN9+BGXg at public.gmane.org>                 http://www.wehave.net/
Georgetown, Ontario, Canada                               Debian GNU/Linux

--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
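The sshd advice in the message above (key-based authentication only, no root login, restrict who may connect) can be checked mechanically. The script below is an added example, not part of the original post or of OpenSSH; it assumes OpenSSH keyword names and the pre-7.0 defaults (PasswordAuthentication yes, PermitRootLogin yes), and the two configs it audits are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# weak settings the message warns about. Assumes OpenSSH keyword names and
# the pre-7.0 defaults (PasswordAuthentication yes, PermitRootLogin yes).

# Effective value of a keyword: OpenSSH honours the FIRST occurrence and
# falls back to the default if the keyword is absent. Match blocks are
# not handled. Args: config text, keyword, default.
sshd_opt() {
    val=$(printf '%s\n' "$1" | awk -v k="$2" '
        tolower($1) == tolower(k) { print tolower($2); exit }')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Print one line per weak setting found; prints nothing for a config that
# follows the advice in the post (keys only, no direct root login).
audit_sshd_config() {
    cfg=$1
    if [ "$(sshd_opt "$cfg" PasswordAuthentication yes)" = yes ]; then
        echo "WEAK: PasswordAuthentication yes - guessable passwords are the weak link"
    fi
    if [ "$(sshd_opt "$cfg" PermitRootLogin yes)" != no ]; then
        echo "WEAK: PermitRootLogin not set to no - root reachable directly"
    fi
    if [ "$(sshd_opt "$cfg" PubkeyAuthentication yes)" != yes ]; then
        echo "WEAK: PubkeyAuthentication disabled - cannot move users off passwords"
    fi
}

# Constructed sample configs (not taken from any real host).
WEAK_CFG='# permissive defaults left in place
PasswordAuthentication yes
PermitRootLogin yes'

HARDENED_CFG='# key-based only, no direct root login
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
# optional: also limit who may log in, and from where (documentation IP)
AllowUsers admin@192.0.2.10'

echo "== weak =="; audit_sshd_config "$WEAK_CFG"
echo "== hardened =="; audit_sshd_config "$HARDENED_CFG"
```

Run it against `/etc/ssh/sshd_config` with `audit_sshd_config "$(cat /etc/ssh/sshd_config)"`; an empty output means none of the three settings the post calls out is in its weak state.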
