Subject: Re: ssh - are you nuts?!?
To: Cheryl Trooskin <>
From: Jason R Thorpe <>
List: tech-security
Date: 12/17/2000 10:57:00
On Sun, Dec 17, 2000 at 02:29:44AM -0800, Cheryl Trooskin wrote:

 > On the other hand, as I'm moving towards mandating it on a server I run,
 > the false sense of security that ssh creates in some people scares the
 > heck out of me.  Us using ssh doesn't mean that any other of our
 > security measures are going away (to some people's disappointment (!)).

False sense?  It provides very real security in most environments in
which its used.

 > ssh addresses a very specific issue.  The fact that it doesn't address
 > the same issues that, say, a one-time passwords solution does isn't
 > a flaw, but the attitude I've run into that "ssh answers the password
 > security question" is one I find very annoying.

There are OTP authentication mechanisms available for SSH.  And an OTP
authenticated telnet session isn't going to be encrypted, so you still
run the risk of having your keystrokes sniffed.

        -- Jason R. Thorpe <>