Subject: Re: RE: VERY slow ssh logins to uVAX
To: None <port-vax@NetBSD.ORG>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: port-vax
Date: 05/05/2005 05:09:23
>> I don't know where you got the idea I was talking about trusted
>> LANs. Perhaps you think all "single-user house LAN"s are trusted?
> Well, what I do know is that if you cannot trust a wired LAN in a
> private (i.e. non-public) location where there's only one user using
> it, then you've got much more serious problems than SSH alone can
> ever solve. :-)
True as far as it goes, I suppose.
I trust my house LAN in the sense that I don't think there are any
nefarious agents on it. But by treating it as untrusted - such as by
using ssh internally rather than rsh - I am, to some extent, ensuring
that an attacker that cracks one machine won't be all through the
network moments later.
Yes, against an adversary of sufficient skill and preparedness, such a
measure is worthless. But even if I am cracked, I *probably* will not
be up against "an adversary of sufficient skill and preparedness", and
every bit of bar-raising helps.
Besides, it gets me in the habit of using ssh for everything, which
means that when I do have occasion to use relatively untrusted networks
(such as roaming with my laptop), I am at least somewhat secure.
> However if you do insist on trying to run SSH on slow hardware like a
> uVAX then SSH-3.2.9.1 or similar is probably your best bet
I hadn't thought anything beyond version 2 had a spec yet even in the
form of I-Ds. What am I missing?
> (I would strongly recommend avoiding SSHv1, the protocol, for the
> same reasons one might want to use SSH in the first place).
I have heard this said. Despite asking on most of those occasions,
nobody has been able to name specific attacks that are a danger.
The only attacks I know of against ssh1 are either implementation
attacks against late implementations of it or social-engineering
attacks such as the MitM attack on first connections. Or, of course,
attacks directly on the crypto itself, such as attempts to factor RSA
moduli. What am I missing?
/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML               mouse@rodents.montreal.qc.ca
/ \ Email!           7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B