Subject: Re: ssh - are you nuts?!?
To: None <tech-security@netbsd.org>
From: Simon J. Gerraty <sjg@quick.com.au>
List: tech-security
Date: 12/17/2000 23:55:33
[original reply bounced for tech-security - typo]

>mailing list - 'tech'. Now, I'd like to hear from
>the NetBSD community, why they believe ssh is better
>than say telnet. Or what advantages SSH has in general.

By telnet I presume you mean an encrypting telnet,
since in almost any environment these days encrypted login sessions
make sense - esp. for people with rootly powers.

Authentication is pointless without a means of ensuring the integrity of
the channel and encryption gives you that as a side effect.
So, with encryption as a given, why SSH and not say stelnet?

Standardization.  I'm speaking as one who over the years added encryption
to telnet in a couple of different ways - settling on SSL in the form
of stelnet.  Due to the (until very recent) export restrictions of the U.S.
everyone who wanted an encrypting telnet had to invent their own.

BTW I prefer the key management aspect of stelnet and its
friend SSLrsh takes it further in _only_ allowing authentication via
X.509 certs.  E.g. with a one-line authorization file in /etc, any user
who can present a cert acceptable to the server can log in as the id (other
than root and other system accounts) identified in the cert.  This,
coupled with NIS passwd maps that only provide :x: in the passwd field,
actually makes it feasible to have secure logins with central and minimal
management.

But guess what - I use SSH as much or more than the above.
Why? Because everyone else does.  Because it's "good enough"[TM]
and offers features that *telnet and SSLrsh don't which I and most
other users find very handy.  I make use of its tunneling, compression
and single sign-on support (no I don't forward the authentication agent to
sites I don't trust).

I don't like the fact that SSH offers so many authentication methods
and because of the reliance on data in the user's homedir, many of them
are not safe in the presence of NFS mounted homes.  But SSHv1's key
management is pretty trivial, good enough for most folk and generally
gets the job done so that's what we all use.  SSHv2 probably would have
taken over - but for the license.

Hope that answers your question.
--sjg