[Gllug] SFTP Server

Doug Winter doug at pigeonhold.com
Wed Apr 9 12:04:34 UTC 2003


On Wed 09 Apr Tethys wrote:
> Doug Winter writes:
> 
> >> The "Secure" in "Secure Shell" really means "probably secure if it's
> >> managed, used and maintained correctly".
> >
> >Like every other use of the word "Secure" :)
> 
> Actually, in this case, SSH is still somewhat secure, no matter how
> poorly managed and maintained it is. No amount of incompetence will
> let you set it up so that it sends passwords in plain text over the
> network, and that was the original motivation for developing it.

Personally I'd say that this doesn't increase security by much in the
real world.  Yes, someone could be sniffing your network, but in reality
they aren't.  Although it's a plausible risk, it's not a high one.

> Of course it's not really "secure" in the sense that it's still
> possible to configure it poorly which can give access to those you
> may not have intended to let in. You can set up password/phrase-less
> authentication, for example, and even remote root login using rhost
> authentication, and like most other authentication systems, it's
> vulnerable to social engineering, etc.

Stupid admins are the real risk, and I wouldn't be surprised if there
were machines out there with remote root login using rhost
authentication :)

doug.

-- 
1024D/6973E2CF print 2C95 66AD 1596 37D2 41FC  609F 76C0 A4EC 6973 E2CF