encrypt authentication credentials with payload in the clear?

Scott Bolte listS+openssh-unix-dev at niss.com
Fri Mar 7 00:24:50 EST 2003

On Wed, 05 Mar 2003 09:25:43 -0500, James Dennis wrote:
> If this is what they want, why use ssh? Using SSH here will almost 
> definitly create a false sense of security for people who aren't 
> entirely sure whats going on. "Oh, our logins are encrypted? Cool." as 
> they probably would't know the entire session can be encrypted.

	Why use ssh? Because ssh definitely takes me where I want
	to go. As I said in a separate message, I want to use forced
	commands and public/private keys. As I work towards that
	sophisticated and secure capability, I need stop-gap measures
	to buy time to educate those organizations with a heavy
	reliance on NIDS.

> I feel like sending traffic cleartext is just a bad idea accross the 
> board. What if someone su's or logs into other systems or exposes 
> database account credentials to something containing personal info 
> and/or credit card numbers from those cleartext ssh sessions?!? ...

	That's why I want to use forced commands which gain access
	to a set of proxy services. The proxies will preclude the
	inadvertent su, or the bare download of sensitive data.


More information about the openssh-unix-dev mailing list