Don't use SSH



  • I work at one of those "Big League" shops where the IT department rules the land and we programmers are lowly peasants forced to succumb to their will.

    One day our network administrator noticed that port 22 was open on a box we were using for testing. This was obviously an attempt to hack our systems because only port 23 was open on all the servers he had set up. He decided to sniff the traffic and try to figure out what was going on. After he realized that he couldn't read the captured packets he came storming down demanding we shut down that machine because it had been compromised and someone was sending encrypted traffic from that machine. After we explained to him that SSH was a secure replacement for telnet, he asked us not to use it because he couldn't sniff the traffic.



  • And from now on, be sure to store all your passwords in plain text. That way he can read them in Notepad.

    And he probably has his doubts about image compression, as well...



  • Please tell me that you made up this story. Otherwise, I'll hardly find sleep tonight (or any night for the next two weeks).



  • I wish I had made this up.  This guy really exists, and there really is an organization that gave him the title "Network Engineer".  I have more stories about him, stay tuned.



  • Well, I guess "Network Engineer" means that he is educated in how to pull cables through the duct and plug them into those boxes with many flickering LEDs.



  • @roto said:

    I work at one of those "Big League" shops where the IT department rules the land and we programmers are lowly peasants forced to succumb to their will.

    One day our network administrator noticed that port 22 was open on a box we were using for testing. This was obviously an attempt to hack our systems because only port 23 was open on all the servers he had set up. He decided to sniff the traffic and try to figure out what was going on. After he realized that he couldn't read the captured packets he came storming down demanding we shut down that machine because it had been compromised and someone was sending encrypted traffic from that machine. After we explained to him that SSH was a secure replacement for telnet, he asked us not to use it because he couldn't sniff the traffic.


    Oh this brings back memories .... BAD ones!

    I happen to know of a certain head technician in a certain department in a certain university who to this day insists on logging into his servers as root via telnet despite being told and shown years ago that it is not secure. Said technician has also not yet replaced his old HUBS (not switches, hubs, I kid you not) right at the core of his network, so as he sends his root passwords over the wire in plain text, anyone in the department can do a verbose TCP dump and read off the root passwords to the servers.



  • @R.Flowers said:


    And he probably has his doubts about image compression, as well...

    You can't compress images... that'd be like, impossible!
    I mean, that'd be like, compressing several files into one file.



  • @cj5 said:

    @R.Flowers said:


    And he probably has his doubts about image compression, as well...

    You can't compress images... that'd be like, impossible!
    I mean, that'd be like, compressing several files into one file.



    Interesting. What are your views on video compression, then?


  • @roto said:

    This guy really exists, and there really is an organization that gave him the title "Network Engineer".


    The lesson here is that a 'network engineer' does not have anything to do with computers. The network engineers handle cabling, telecoms, and related network infrastructure. The closest they come to accessing a computer system is IOS. They have absolutely no business deciding what to run on servers. Their job ends at the physical layer, because they have no education or experience with anything higher.

    You have network engineers so that the people who know what they're doing don't have to waste time crawling under floors and pulling cable.

    Letting them meddle with the servers is like letting the cleaners meddle with the networking. It's dumb.



  • @kuroshin said:

    @cj5 said:

    @R.Flowers said:


    And he probably has his doubts about image compression, as well...

    You can't compress images... that'd be like, impossible!
    I mean, that'd be like, compressing several files into one file.



    Interesting. What are your views on video compression, then?


    That doesn't work either.

    When I tried to compress a video I borrowed from a friend, to be able to put it into my bag, it fell into small pieces. It just broke! Nothing to do but to put it into the bin.


  • @dande said:

    @kuroshin said:

    Interesting. What are your views on video compression, then?


    That doesn't work either.

    When I tried to compress a video I borrowed from a friend, to be able to put it into my bag, it fell into small pieces. It just broke! Nothing to do but to put it into the bin.


    That's why they say video compression is not lossless.



  • I'm sure there's something that lets you encrypt your login details but then sends everything else in cleartext. Not sure what it is though, but I'm sure there's something that lets you do that.

    Of course that only works until you need to use su(do)...



  • @m0ffx said:

    I'm sure there's something that lets you encrypt your login details but then sends everything else in cleartext. Not sure what it is though, but I'm sure there's something that lets you do that.

    Of course that only works until you need to use su(do)...


    I doubt it very much. WHY would you do that? It makes no sense. After doing all the donkey work for an encrypted handshake, why tear your encrypted channel down at that stage? You've done most of the work, you may as well continue to reap the rewards!

    I spend my life on servers and everything I've seen is either cleartext all the way or encrypted all the way.



  • I was at a conference for HP-UX admins in 1999, and I decided to go to the security presentation. The presenter first talked about firewalls and asked "how many of you use a firewall?" Everyone but me and another young guy raised their hands. Nasty looks from 200 old guys - hurray. 15 minutes later the presenter started talking about telnet vs SSH. One guess who were the only two that had heard of SSH, let alone replaced telnet with it.

    Not knowing about SSH is a whole different matter in 2006 than it was in 1999 though.



  • @m0ffx said:

    I'm sure there's something that lets you encrypt your login details but then sends everything else in cleartext. Not sure what it is though, but I'm sure there's something that lets you do that.

    Of course that only works until you need to use su(do)...


    Kerberized telnet is the closest thing I know of to this. SSH does have a significant overhead over telnet, so you might encounter it on machines offering shell access to many users.

    I have seen kerberized ftp used with mass store systems, where you may have a PB or more of storage and transfers of a TB or more.



  • @voyager said:


    I happen to know of a certain head technician in a certain department in a certain university who to this day insists on logging into his servers as root via telnet despite being told and shown years ago that it is not secure. Said technician has also not yet replaced his old HUBS (not switches, hubs, I kid you not) right at the core of his network, so as he sends his root passwords over the wire in plain text, anyone in the department can do a verbose TCP dump and read off the root passwords to the servers.


    Haha, somebody did that same thing (telnet to a root account) on the wireless at DEFCON this year. I'm trying to imagine a worse place to do it but coming up blank.



  • @voyager said:

    @m0ffx said:
    I'm sure there's something that lets you encrypt your login details but then sends everything else in cleartext. Not sure what it is though, but I'm sure there's something that lets you do that.

    Of course that only works until you need to use su(do)...


    I doubt it very much. WHY would you do that? It makes no sense. After doing all the donkey work for an encrypted handshake, why tear your encrypted channel down at that stage? You've done most of the work, you may as well continue to reap the rewards!

    I spend my life on servers and everything I've seen is either cleartext all the way or encrypted all the way.


    Well...you only really NEED the encryption at login, from a security POV. Of course privacy is another matter. The more traffic you send encrypted (with the same key), the easier it is to break, a matter to consider given legal limits on encryption strength in some jurisdictions. And I can think of a great many reasons why a network admin would want any traffic that isn't a potential security risk to not be encrypted. Those SSH connections could be forwarding web connections to sites that employees aren't supposed to access at work, for example.



  • @roto said:

    I work at one of those "Big League" shops where the IT department rules the land and we programmers are lowly peasants forced to succumb to their will.

    One day our network administrator noticed that port 22 was open on a box we were using for testing. This was obviously an attempt to hack our systems because only port 23 was open on all the servers he had set up. He decided to sniff the traffic and try to figure out what was going on. After he realized that he couldn't read the captured packets he came storming down demanding we shut down that machine because it had been compromised and someone was sending encrypted traffic from that machine. After we explained to him that SSH was a secure replacement for telnet, he asked us not to use it because he couldn't sniff the traffic.


    Sounds just like my org. Except that these folks are too lazy to even monitor the network. All these chums just sit and watch out for any suspicious URLs reported by a retarded firewall (it's mentioned in one of the submissions here).
    The latest addition to their blocked list - "asp"
    Anything that has "asp" in the URL will get blocked.
    Oh, that thankfully doesn't include pages terminating with asp and aspx.



  • Privacy is a security service, and having the whole session be encrypted also makes it hard for an untrusted third party to impersonate a side of the conversation.

    Consider an unencrypted telnet session that was established with secure authentication.  What stops a third party from injecting 'rm -rf /' into the session?



  • Was putty around in 1999?  Before PuTTY there wasn't any good windows SSH client besides SecureCRT.



  • @Alexis de Torquemada said:

    @dave said:

    ssh can do that. ssh makes an encrypted tunnel (using symmetric encryption), authenticates, then changes to asymmetric encryption to do the rest.


    It's exactly vice versa. Handshake using asymmetric cryptography, then encryption using a symmetric algorithm and a randomly generated session key.

    That's what I meant - I always get those two the wrong way around - just call it early senility.

    @Alexis de Torquemada said:

    @dave said:

    You can switch this to not encrypt. The advantage is speed, as you only need to encrypt on connection. If you're transferring gigabyte files around this is much more preferable.


    But only if the file is already protected via some other means or its contents are not sensitive to either sniffing or data injection. If anyone is willing to do this, both the server and the client have to be configured to permit the NULL cipher, the default is (unsurprisingly) to prohibit use of the NULL cipher. (Also called eNULL where e stands for encryption, to distinguish from aNULL which applies to authentication.)

    Depends where you are - if you're on the internal LAN, then encryption of data flow generally tends to be one of those things that isn't essential, but encryption of credentials is more important (or just use keys to get round it).

    Strangely enough, when we tested using different ciphers - blowfish beat the pants off even an unencrypted connection!
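Two points raised above, that a session which is authenticated but not protected afterwards can have commands altered or replayed by a third party, and that SSH does an asymmetric handshake and then switches to a symmetric session key, in one added Python sketch. This is not code from any poster or from SSH itself; the Diffie-Hellman group, the message layout and the command strings are assumed toy values chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, assumed for illustration only (not a real SSH group):
# 2**127 - 1 is prime but far too small to be safe in practice.
P, G = 2**127 - 1, 5

def dh_keypair():
    # Asymmetric half of the handshake: secret exponent and its public value.
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    # Each side hashes the agreed secret into the same symmetric session key.
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def mac(key, seq, payload):
    # HMAC over (sequence number || payload); SSH binds its MAC to the sequence
    # number the same way so that replays and reordering are detectable.
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()

class Receiver:
    # Holds the session key and the next expected sequence number.
    def __init__(self, key):
        self.key, self.expected_seq, self.accepted = key, 0, []

    def receive(self, seq, payload, tag):
        # Reject anything with a wrong tag (modified or injected) or a stale
        # sequence number (replayed); constant-time compare avoids timing leaks.
        if seq != self.expected_seq or not hmac.compare_digest(tag, mac(self.key, seq, payload)):
            return False
        self.expected_seq += 1
        self.accepted.append(payload)
        return True

def demo():
    # Constructed session: two honest commands, then an altered one and a replay.
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    key = session_key(c_priv, s_pub)            # client side
    srv = Receiver(session_key(s_priv, c_pub))  # server derives the identical key
    tag0 = mac(key, 0, b"uptime")
    results = [srv.receive(0, b"uptime", tag0),
               srv.receive(1, b"df -h", mac(key, 1, b"df -h")),
               srv.receive(2, b"echo altered", tag0),  # payload changed, tag no longer matches
               srv.receive(0, b"uptime", tag0)]       # replay of the first message
    return results, srv.accepted
```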



  • @coryking said:

    Was putty around in 1999?  Before PuTTY there wasn't any good windows SSH client besides SecureCRT.

    Feh, in 1999 Windows boxen were only used for email and word processing. Unix workstations were used to do all that Unix admin stuff, the Windows boxen weren't stable enough to actually do any real work on...

    I remember the bad old days (around 1994) when my Windows box was a 286, running Windows 3.11. One had no choice but to use the Unix workstation.

    (I used mine all the way up until I stopped being a Unix admin in around 2002, and then somebody else nicked it.)

