Subject: Re: RE: VERY slow ssh logins to uVAX
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: Greg A. Woods <woods@weird.com>
List: port-vax
Date: 05/05/2005 17:57:23
[ On Thursday, May 5, 2005 at 05:09:23 (-0400), der Mouse wrote: ]
> Subject: Re: RE: VERY slow ssh logins to uVAX
>
> I trust my house LAN in the sense that I don't think there are any
> nefarious agents on it.  But by treating it as untrusted - such as by
> using ssh internally rather than rsh - I am, to some extent, ensuring
> that an attacker that cracks one machine won't be all through the
> network moments later.

I guess it depends on what you run on your local LAN.  In my case I
pretty much have to trust the whole LAN as much or more than I would
trust rsh (or plain old telnet for that matter) anyway.

I run un-protected NFS and X and other such similar things (and I almost
never originate even my SSH sessions outbound to the world from my
desktop workstation, but rather from my shell/homedir server in the
basement, with the xterm process running there too).  My home directory
is NFS exported, and except for a rare exception or two (such as my
firewall and my mail server), I use that NFS mount for my normal login
home on all other servers I use regularly so anyone capable of foiling
my NFS mounts could hack my homedir and thus quickly hack everything
else anyway.

In other words RSH provides more than adequate authentication service
for inter-host logins and such on my network where many other types of
critical local connections and traffic are not encrypted.

However I do now run all my traffic through a relatively stable (though
no doubt hackable) switch so a cracker with access to my LAN would still
have some trouble hijacking my connections without my nearly immediate
notice.

> > However if you do insist on trying to run SSH on slow hardware like a
> > uVAX then SSH-3.2.9.1 or similar is probably your best bet
> 
> I hadn't thought anything beyond version 2 had a spec yet even in the
> form of I-Ds.  What am I missing?

SSH-3.x is just the latest public release of software from ssh.com, and
it (fully?) implements the SSHv2 protocol.


> I have heard this said.  Despite asking on most of those occasions,
> nobody has been able to name specific attacks that are a danger.
> 
> The only attacks I know of against ssh1 are either implementation
> attacks against late implementations of it or social-engineering
> attacks such as the MitM attack on first connections.  Or, of course,
> attacks directly on the crypto itself, such as attempts to factor RSA
> moduli.  What am I missing?

That's not enough?  ;-)

I'm not sure if you include this one in your list:

    Zalewski, Michael, ``Remote Vulnerability in SSH Daemon crc32
    Compensation Attack Detector,'' RAZOR Bindview Advisory
    CAN-2001-0144, February, 2001.

which is also discussed here:

	http://staff.washington.edu/dittrich/misc/ssh-analysis.txt

(though apparently more recent SSHv1 implementations offer features to
detect and report possible attacks against this flaw)

There are also some serious design flaws in SSHv1 from a user
perspective too, such as the total lack of even rudimentary flow control
management, which was serious enough for me to have switched entirely to
SSHv2 some time before there were any widespread attacks against any
SSHv1 implementation. 


-- 
						Greg A. Woods

H:+1 416 218-0098  W:+1 416 489-5852 x122  VE3TCP  RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com>          Secrets of the Weird <woods@weird.com>