encrypt authentication credentials with payload in the clear?
Scott Bolte
listS+openssh-unix-dev at niss.com
Fri Mar 7 00:24:50 EST 2003
On Wed, 05 Mar 2003 09:25:43 -0500, James Dennis wrote:
>
> If this is what they want, why use ssh? Using SSH here will almost
> definitely create a false sense of security for people who aren't
> entirely sure what's going on. "Oh, our logins are encrypted? Cool." as
> they probably wouldn't know the entire session can be encrypted.
Why use ssh? Because ssh definitely takes me where I want
to go. As I said in a separate message, I want to use forced
commands and public/private keys. As I work towards that
sophisticated and secure capability, I need stop-gap measures
to buy time to educate those organizations with a heavy
reliance on NIDS.
> I feel like sending traffic cleartext is just a bad idea across the
> board. What if someone su's or logs into other systems or exposes
> database account credentials to something containing personal info
> and/or credit card numbers from those cleartext ssh sessions?!? ...
That's why I want to use forced commands which gain access
to a set of proxy services. The proxies will preclude the
inadvertent su, or the bare download of sensitive data.
Scott
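
The forced-command approach described in the message above, as an added example that is not part of the original post or of OpenSSH: an `authorized_keys` entry pins a key to one dispatcher, which maps `SSH_ORIGINAL_COMMAND` onto an allowlist of proxies and refuses everything else. The dispatcher path, the proxy directory and the `status`/`report` service names are assumptions made for illustration.

```sh
#!/bin/sh
# Hypothetical dispatcher, installed via an authorized_keys entry such as:
#   command="/usr/local/libexec/ssh-dispatch",no-pty,no-port-forwarding,
#   no-X11-forwarding,no-agent-forwarding ssh-rsa <PUBLIC-KEY-PLACEHOLDER>
# (one line in the real file). sshd then runs the dispatcher instead of
# whatever the client asked for and passes the request in SSH_ORIGINAL_COMMAND.
LC_ALL=C; export LC_ALL                  # make the A-Z / a-z ranges byte-exact
PROXY_DIR=/usr/local/libexec/proxies     # assumed install location

# select_proxy REQUEST
# Prints the command line of the proxy to run and returns 0 for an allowed
# request; prints nothing and returns 1 for everything else.
select_proxy() {
    request=$1
    # Split on whitespace with globbing off, so "*" is never expanded.
    set -f; set -- $request; set +f
    # No words means an interactive login: there is no shell to hand out.
    [ $# -ge 1 ] && [ $# -le 2 ] || return 1
    # Allowlist the characters of every word; this drops shell
    # metacharacters, quotes and "/" before anything is interpreted.
    for word in "$@"; do
        case $word in *[!A-Za-z0-9_.-]*) return 1 ;; esac
    done
    service=$1 arg=${2-}
    # An argument may not look like an option or a dot-file/".." path.
    case $arg in -*|.*) return 1 ;; esac
    case $service in
        status) [ -z "$arg" ] || return 1
                printf '%s\n' "$PROXY_DIR/status-proxy" ;;
        report) [ -n "$arg" ] || return 1
                printf '%s %s\n' "$PROXY_DIR/report-proxy" "$arg" ;;
        *)      return 1 ;;
    esac
}

# Constructed sample requests, as they would arrive in SSH_ORIGINAL_COMMAND.
for req in 'status' 'report daily-2003.03' '' 'su -' 'report ../x' 'status; id'; do
    if argv=$(select_proxy "$req"); then
        echo "ALLOW [$req] -> $argv"     # a deployed dispatcher would exec this
    else
        echo "DENY  [$req]"
    fi
done
```

Only the first two sample requests are allowed; the empty request (an interactive login), `su -`, the path-like argument and the request carrying a `;` are all refused before any proxy is chosen.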