[Gllug] SFTP Server

itsbruce at uklinux.net
Wed Apr 9 12:49:39 UTC 2003


On Wed, Apr 09, 2003 at 01:04:34PM +0100, Doug Winter wrote:
> > Actually, in this case, SSH is still somewhat secure, no matter how
> > poorly managed and maintained it is. No amount of incompetence will
> > let you set it up so that it sends passwords in plain text over the
> > network, and that was the original motivation for developing it.
> 
> Personally I'd say that this doesn't increase security by much in the
> real world.  Yes, someone could be sniffing your network, but in reality
> they aren't.  Although it's a plausible risk, it's not a high one.

It might never happen to you but there's no reason to make life easier
if it does.  A few weeks ago I had to help out at a firm where a cracker
had strolled through the firewall and set up shop. He'd have found life
less easy, having got through, if the internal systems had been more
securely set up.

It's very little extra effort to set up ssh and to have internal servers
use ssl/tls (or ssh port forwarding), so why not do it?  Security is
about creating a series of obstacles, not relying on one "invincible"
firewall.

It's not ssh that needs to justify its existence, it's telnet.  There is
simply no need for usernames and passwords to be passing unprotected
about your network.  Why make it easier to crack than it need be?

-- 
Bruce

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug



