[ale] Known SSH exploits?

attriel attriel at d20boards.net
Mon Oct 14 23:11:19 EDT 2002


> My Guess:  Given the company in question, and their involvement with Fed
> contracts, the more likely case is that the company is abandoning
> external SSH access in favor of a easily maintained VPN solution.

at my job (also gov't, secure environment) they allow SSH and disallow
telnet.  Some of the sections even TCPWrapper their servers so that you
have to basically say "i will always log onto this server from this
machine." (which can be annoying if you want to just drop in and check
something).

I don't think they've blocked off telnet, but we're "not allowed" to use
it, even on-campus.  just SSH.

OTOH, we're "required" to use the distributed packages, not compile our
own (talk about painful for this slackware user in a redhat world :/) ..
and they blocked out HTTP ports, but not FTP SMTP LPR or RPC ... although
most of the admin groups go through and turn off those features unless
they're absolutely needed ... (yah, we're going to lock out HTTP b/c it's
a security hole, and the AIM authentication port for some reason, but
that's it ... *shakes head*)

You're probably right about them spooking after the openssl and openssh
exploits in the last couple months and deciding that it's unsafe (esp if
they're admin group or budget is really small so they can't stay on top of
things properly ...)

I'd talk to the security folks and find out what the beef with SSH is and
how to resolve it properly (rather than big-brush "SSH /bad/")

--attriel



---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.






More information about the Ale mailing list