Re: I do not get ssh. Why is it more secure?
- From: General Schvantzkoph <schvantzkoph@xxxxxxxxx>
- Date: 17 Jun 2010 13:44:39 GMT
On Thu, 17 Jun 2010 13:29:48 +0000, Douglas Mayne wrote:

On Thu, 17 Jun 2010 02:12:25 -0700, Todd wrote:

Hi All,
With this command:
ssh -l todd -X 192.168.255.14 /usr/bin/VirtualBox
I can run VirtualBox console on another computer with X11. All I get is
asked for my password.
I don't get it. How is this any more secure than plain old telnet?
Both are just a user name and password. You could hack it the same old
way other services are hacked by running the dictionary at them. I do
believe Ophcrack over on the Windows side calls this "Rainbow tables".
I ask this because I will be needing to open SSH (port 22) for a vendor
to get in on. And, well, I just don't get the advantage of ssh over
anything else.
What am I missing? Is there a way to tighten ssh up?
Many thanks,
-T

telnet is worse in two ways:
1. The username/password pair is not encrypted and is sent in the clear
over the network.
2. Once the session is setup, that session's data is not encrypted and
is sent in the clear over the network.
At first glance, the second problem appears to be the main point of the
ssh program. That is, its job is to provide an encrypted tunnel to
protect the communications on the channel. However, the first problem is
also important. Security could be compromised if it were possible to
capture passwords in the clear, the same attack that works against
telnet. ssh authentication has been designed to avoid that pitfall.
ssh also allows multiple ways of authentication: shared secret
(password), public/private ssh keys, and others. The username/password
exchange does not send data in the clear, but as you note, it may still
be subject to brute force and dictionary attacks. To eliminate that
possibility, switch to using public/private authentication. There are
many tutorials on the web explaining how to do this. It takes some time
and practice to learn how to set this up, but it is worth it. Remember,
be careful not to lock yourself out while you are learning how to do it
correctly.
Also, for internet-exposed hosts, consider installing a rate-limited
firewall rule against repeated login attempts from bad hosts. In a LAN
environment, a firewall rule is probably overkill. However, I still use
certificate authentication. I use it because it allows the ssh-agent to
automatically log me in without a password prompt.

If you disable password authentication, I'm not sure that the firewall
rule is necessary. However, if you do want to do that, then the script
denyhosts is available as a package on Fedora and CentOS; I don't know
about other distros. I require RSA authentication and I use denyhosts,
but I also keep my pants up with both a belt and suspenders (that's for
real, it's not just an expression).
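The replies above recommend key-only logins: public-key authentication on, password authentication off. Checking that a host's sshd_config actually says that is less obvious than a grep, because sshd takes the first value it finds for each keyword, ignores case, and strips comments. The script below is an added example, not code from anyone in this thread; it audits sshd_config text for those settings and also checks ChallengeResponseAuthentication, since with PAM the keyboard-interactive method can still prompt for a password after PasswordAuthentication is turned off. The two sample configs are constructed for the demonstration; Match blocks and the "Keyword=value" spelling are not handled.

```shell
#!/bin/sh
# Added example (not code from the thread): audit sshd_config text for the
# settings the replies recommend -- key-based logins on, password logins off.
# sshd_config rules this relies on: keywords are case-insensitive, '#' starts
# a comment, and for each keyword the FIRST value in the file wins, so a
# "grep ... | tail -1" check reads the wrong line when a keyword is repeated.
# Match blocks and the "Keyword=value" spelling are not handled here.

# sshd_option KEYWORD DEFAULT   (config text on stdin)
# Prints the effective value of KEYWORD, or DEFAULT when it is never set.
sshd_option() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    value=$(sed -e 's/#.*//' | awk -v key="$key" '
        tolower($1) == key { print tolower($2); exit }')
    printf '%s\n' "${value:-$2}"
}

# sshd_key_only   (config text on stdin)
# Succeeds only if PasswordAuthentication is off, PubkeyAuthentication is on,
# and ChallengeResponseAuthentication is off; the last one matters because
# with UsePAM the keyboard-interactive method can still ask for a password
# after PasswordAuthentication is disabled. Defaults are OpenSSH's ("yes").
sshd_key_only() {
    cfg=$(cat)
    pw=$(printf '%s\n' "$cfg" | sshd_option PasswordAuthentication yes)
    pk=$(printf '%s\n' "$cfg" | sshd_option PubkeyAuthentication yes)
    cr=$(printf '%s\n' "$cfg" | sshd_option ChallengeResponseAuthentication yes)
    [ "$pw" = no ] && [ "$pk" = yes ] && [ "$cr" = no ]
}

# Constructed sample configs (not taken from any real host).
WEAK_CFG='# looks hardened at the bottom, but the first value wins
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
# a later edit that sshd ignores:
PasswordAuthentication no'

KEY_ONLY_CFG='# key-only logins
Port 22
pubkeyauthentication yes
PasswordAuthentication no   # trailing comment
ChallengeResponseAuthentication no'

# Stand-alone usage: report each sample. To audit a real host instead, use
#   sshd_key_only < /etc/ssh/sshd_config
for name in WEAK_CFG KEY_ONLY_CFG; do
    eval "cfg=\$$name"
    if printf '%s\n' "$cfg" | sshd_key_only; then
        echo "$name: key-only logins (password auth off)"
    else
        echo "$name: password logins still possible"
    fi
done
```

The WEAK_CFG sample is the case that bites in practice: someone appends `PasswordAuthentication no` to the end of the file, a grep confirms the line is there, yet sshd still honours the earlier `yes`. Reading the first occurrence, as sshd does, catches that.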