port-vax: Re: RE: VERY slow ssh logins to uVAX

Subject: Re: RE: VERY slow ssh logins to uVAX
To: None <port-vax@NetBSD.ORG>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: port-vax
Date: 05/05/2005 05:09:23
>> I don't know where you got the idea I was talking about trusted
>> LANs.  Perhaps you think all "single-user house LAN"s are trusted?
> Well, what I do know is that if you cannot trust a wired LAN in a
> private (i.e. non-public) location where there's only one user using
> it, then you've got much more serious problems than SSH alone can
> ever solve. :-)

True as far as it goes, I suppose.

I trust my house LAN in the sense that I don't think there are any
nefarious agents on it.  But by treating it as untrusted - such as by
using ssh internally rather than rsh - I am, to some extent, ensuring
that an attacker that cracks one machine won't be all through the
network moments later.

Yes, against an adversary of sufficient skill and preparedness, such a
measure is worthless.  But even if I am cracked, I *probably* will not
be up against "an adversary of sufficient skill and preparedness", and
every bit of bar-raising helps.

Besides, it gets me in the habit of using ssh for everything, which
means that when I do have occasion to use relatively untrusted networks
(such as roaming with my laptop), I am at least somewhat secure.

> However if you do insist on trying to run SSH on slow hardware like a
> uVAX then SSH-3.2.9.1 or similar is probably your best bet

I hadn't thought anything beyond version 2 had a spec yet even in the
form of I-Ds.  What am I missing?

> (I would strongly recommend avoiding SSHv1, the protocol, for the
> same reasons one might want to use SSH in the first place).

I have heard this said.  Despite asking on most of those occasions,
nobody has been able to name specific attacks that are a danger.

The only attacks I know of against ssh1 are either implementation
attacks against late implementations of it or social-engineering
attacks such as the MitM attack on first connections.  Or, of course,
attacks directly on the crypto itself, such as attempts to factor RSA
moduli.  What am I missing?

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse@rodents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B