Re: Is ssh not safe?

From: Kenneth Porter (shiva_at_sewingwitch.com)
Date: 07/24/04

    Date: Sat, 24 Jul 2004 12:07:52 -0700
    To: For users of Fedora Core releases <fedora-list@redhat.com>
    
    

    --On Saturday, July 24, 2004 12:37 PM -0500 Michael Sullivan
    <michael@espersunited.com> wrote:

    > Most of my users access their accounts from outside
    > the router (my network is based in my apartment and my wife and I are
    > the only ones who use it here.) I don't want users telnetting in because of
    > the security risk (I don't quite understand this, but I've read about it
    > in more than one place, so it's probably true), so I've enabled ssh so
    > that they can log in and change their passwords if need be.

    The issue here is trust in your "local" users, not ssh itself. Many of the
    recent vulnerabilities in the Linux kernel and other packages require that
    the attacker be logged in with shell access. If you don't provide shell
    access, you can afford to ignore these kinds of vulnerabilities and reduce
    the frequency that you patch the server. If you have untrusted shell users
    then you need to be much more vigilant, because they can use those
    vulnerabilities to escalate their privilege and root your box.

    I use a hosting service that allows ssh, but as a matter of policy they
    require that the user submit picture ID before enabling this access. It's a
    hassle but I can understand this paranoia, as I operate servers myself.

    You should never use telnet on a public interface. It exposes passwords in
    clear text, and that means malicious sniffers could get a shell on your box
    using the accounts of your trusted users. But ssh is not a panacea. Like
    https (secure http), it protects your users, not the server itself.
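
The point above about untrusted shell users suggests a first check: which accounts can actually obtain a shell. The following is an added example, not part of the original message, that parses passwd(5)-format text; the sample entries, the list of non-login shells and the UID threshold of 500 are assumptions.

```python
"""List accounts in passwd(5)-format text that can obtain an interactive shell."""

# Shells that refuse interactive logins. Constructed list; extend for your distribution.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}


def shell_accounts(passwd_text, min_human_uid=500):
    """Return (name, uid, shell, kind) for every account with a login shell.

    kind is "root" (uid 0), "system" (uid below min_human_uid) or "user".
    min_human_uid is an assumption: 500 was the Fedora Core default of the
    period, current distributions use 1000.
    """
    found = []
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        uid = int(uid)
        shell = shell or "/bin/sh"  # passwd(5): an empty shell field means /bin/sh
        if shell in NOLOGIN_SHELLS:
            continue
        kind = "root" if uid == 0 else "system" if uid < min_human_uid else "user"
        found.append((name, uid, shell, kind))
    return found


# Constructed sample input, not taken from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
news:x:9:13:news:/etc/news:
apache:x:48:48:Apache:/var/www:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/false
carol:x:502:502:Carol:/home/carol:/bin/tcsh
"""

if __name__ == "__main__":
    for name, uid, shell, kind in shell_accounts(SAMPLE_PASSWD):
        print(f"{kind:6} {name:8} uid={uid:<5} {shell}")
```

This reads only the shell field, so accounts locked in the shadow file or denied by the SSH daemon's configuration still appear in the list and need a separate check.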
