[ale] Known SSH exploits?

James P. Kinney III jkinney at localnetsolutions.com
Mon Oct 14 08:58:28 EDT 2002


Compared to the other alternatives, of which there are effectively none,
ssh is very secure. The beauty of open source is that people can access
the code and bang on it.

During this process, holes are found. Recently, several holes were found
and very quickly fixed. 

There are 2 versions of ssh: v1 and v2. Avoid v1 for sensitive
applications. v2 is understood very well and supplanted v1 due to v1's
limitations.

A properly set up ssh v2 communications arena (system keys, user keys,
etc.) will provide an environment that is secure enough for everything
but the highest levels of NSA spookware. If the systems are required to
have keys pre-installed before any connection is allowed (no "do you
want to accept this key with fingerprint...") then the systems will all
be known, and that known state will have required "proper access".

Even Microsoft's security (no laughing please) relies on the protocols
of ssh. They are well known algorithms. However, to my knowledge at this
time, M$ has yet to fix the known holes in their VPN system, which is
the main other alternative to SSH. Since M$ also uses the algorithms
used in openssl, and has yet to patch the same handshaking protocol
error as openssl, M$ IIS is (surprise) vulnerable to the same type of
attack as the slapper worm. To my understanding, the same algorithm is
used in their VPN, which makes trusting a M$ VPN client connection to a
secure network very, very difficult.

So as I see it, the choices are SSH V2, or run naked. (Not to disparage
any nudists on the list...) There is no other alternative that is
currently known good.

On Mon, 2002-10-14 at 07:26, Jeff Layton wrote:
> Good morning,
> 
>    Corporate security where I work (who shall remain nameless
> for the moment :) has decreed that SSH is to be outlawed because
> there are known exploits. I'm starting to do a little investigation
> on this issue, but I know there are some security experts on the
> list who might be able to shed some light on this (Bob T. are you
> there? :)
>    Just to add a little comedy to your morning, SSH is outlawed,
> but telnet is allowed and encouraged.
> 
> 
> TIA,
> 
> Jeff
> 
> 
> --
> 
> Jeff Layton
> Senior Engineer
> Lockheed-Martin Aeronautical Company - Marietta
> email: jeffrey.b.layton at lmco.com
> 
> "Is it possible to overclock a cattle prod?" - Irv Mullins
> 
> This email may contain confidential information. If you have received this
> email in error, please delete it immediately, and inform me of the mistake by
> return email. Any form of reproduction, or further dissemination of this
> email is strictly prohibited. Also, please note that opinions expressed in
> this email are those of the author, and are not necessarily those of the
> Lockheed-Martin Corporation.
> 
> 
> 
> 
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
> sent to listmaster at ale dot org.
-- 
James P. Kinney III   \Changing the mobile computing world/
President and CEO      \          one Linux user         /
Local Net Solutions,LLC \           at a time.          /
770-493-8244             \.___________________________./

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7 
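The pre-installed-keys policy James describes above (every host's key is distributed to clients in advance, and a host that is not already known is refused rather than accepted on a fingerprint prompt) is what OpenSSH's `StrictHostKeyChecking yes` enforces against the client's known_hosts file. The following is an added example, not code from the original post or from OpenSSH: a small strict host-key lookup in Python that parses a known_hosts file in the OpenSSH line format (plain `host,alias keytype base64key` lines and `|1|salt|hmac` hashed-hostname lines) and returns `ok`, `mismatch` (host is listed but its key differs, the case a man-in-the-middle would produce) or `unknown` (host not listed, so the connection is refused instead of prompting). The hostnames, the 20-byte salt and the key blobs are all constructed for illustration and are not real keys.

```python
"""Strict SSH host-key lookup against a pre-distributed known_hosts file.

Added example, not code from the original post or from OpenSSH. It models
the policy the post describes: every host the client may talk to has its
key installed in advance, and a host that is not in the file is refused
outright instead of prompting "do you want to accept this key with
fingerprint...". All hosts, salts and key blobs below are constructed.
"""
import base64
import hashlib
import hmac

# Constructed (not real) host-key blobs, base64-encoded as in known_hosts.
GOOD_KEY = "ssh-ed25519 " + base64.b64encode(b"constructed key blob for bastion").decode()
BUILD_KEY = "ssh-ed25519 " + base64.b64encode(b"constructed key blob for build host").decode()
EVIL_KEY = "ssh-ed25519 " + base64.b64encode(b"constructed key blob of an impostor").decode()

# Fixed 20-byte salt so the hashed entry below is reproducible (constructed).
SALT = hashlib.sha1(b"constructed salt").digest()


def hash_host(host: str, salt: bytes) -> str:
    """Build an OpenSSH-style hashed hostname field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(pattern: str, host: str) -> bool:
    """Match one hostname field: plain names compared exactly, hashed names via HMAC."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, _ = pattern.split("|", 3)
        return hmac.compare_digest(pattern, hash_host(host, base64.b64decode(salt_b64)))
    return any(alias == host for alias in pattern.split(","))


def parse_known_hosts(text: str) -> list:
    """Return (hostfield, keytype, keyblob) for each non-comment, well-formed line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)  # host, type, key, [comment]
        if len(parts) < 3:
            continue  # malformed line: ignore it rather than trust it
        entries.append((parts[0], parts[1], parts[2]))
    return entries


def check_host_key(known_hosts: str, host: str, presented: str) -> str:
    """Strict check of the key a server presents during the handshake.

    'ok'       : host is listed and the presented key matches an entry
    'mismatch' : host is listed but no entry matches (possible MITM or rekeyed host)
    'unknown'  : host is not listed; under this policy the connection is refused
    """
    ktype, kblob = presented.split()[:2]
    seen = False
    for hostfield, etype, eblob in parse_known_hosts(known_hosts):
        if not host_matches(hostfield, host):
            continue
        seen = True
        if etype == ktype and hmac.compare_digest(eblob, kblob):
            return "ok"
    return "mismatch" if seen else "unknown"


# Constructed known_hosts file as it would be pushed to every client out of band.
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts, distributed to clients before any connection is allowed",
    "bastion.example.internal,10.0.0.5 " + GOOD_KEY,
    hash_host("build.example.internal", SALT) + " " + BUILD_KEY,
])

if __name__ == "__main__":
    for host, key in [("bastion.example.internal", GOOD_KEY),
                      ("bastion.example.internal", EVIL_KEY),
                      ("build.example.internal", BUILD_KEY),
                      ("rogue.example.internal", GOOD_KEY)]:
        print("%-28s %s" % (host, check_host_key(KNOWN_HOSTS, host, key)))
```

In real deployments the same outcome comes from shipping the known_hosts file (or a global `/etc/ssh/ssh_known_hosts`) with the client image and setting `StrictHostKeyChecking yes` in ssh_config, so that `unknown` and `mismatch` both terminate the connection with no interactive prompt; the `mismatch` case is the one worth alerting on, since it is exactly what an interposed host would produce.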