Re: encrypt authentication credentials with payload in the clear?

Ed Avis ed at membled.com
Thu Mar 6 19:09:46 EST 2003


James Dennis <jdennis at law.harvard.edu> wrote:

[unencrypted traffic after initial authentication]

>If this is what they want, why use ssh?

Even if you don't want encryption, ssh is a much better choice than
telnet or rsh or any other alternative.  The ssh and sshd code is
maintained and checked for buffer overruns and other security holes
unrelated to eavesdropping or hijacking a connection.  I don't think
there is any decent implementation of telnetd or rshd still
maintained, even if there once was, because all the people who care
about security switched to ssh long ago.

Apart from security there are also convenience reasons to prefer
unencrypted-ssh over telnet or rsh - the user interface of the ssh
client is familiar, it supports port forwarding, only one daemon to
run instead of two (if you had ssh for encrypted and telnet for
unencrypted connections), and so on.

Please take it as a compliment that people are keen to use ssh and
sshd even without the added security provided by encrypting all
traffic.

Given that ssh long had a 'fall back to rsh' option I don't think it's
too unreasonable to ask for the ssh protocol with no encryption, which
will still be far better than running a crusty old rshd.

-- 
Ed Avis <ed at membled.com>






More information about the openssh-unix-dev mailing list