IPChains question (SOLVED)

John Chambers jc at trillian.mit.edu
Mon May 15 11:28:38 EDT 2000


Mike Bilow writes:
	 I would not want to say that anything is completely safe, but I would
	 expect that ssh is among the least likely services to be compromised in
	 this way.  Once the channel is opened, all of the data is handled using a
	 cryptographic exchange that would guarantee authentication.  Even if the
	 circuit could be intercepted, ssh would not allow a third party to conduct
	 a man-in-the-middle attack.  Also, ssh has some protection against an
	 attack being conducted during the negotiation of the initial exchange, if
	 the hosts have ever exchanged keys before.

I've wondered about this.  While using ssh for some time, I've read
the man pages and online docs with the requisite skeptical eye, and
haven't quite been convinced that it actually encrypts everything.
Maybe it does; maybe not.  And maybe it'd take digging into the code
to convince myself of whatever it does.  I do know that there are a
lot of things in TFM page that, when I try them, behave very
differently than what I expect.  "~." for example.

Maybe this would be a good topic for a meeting.  ssh does seem like a
worthwhile tool to get more familiar with, and considering what it's
used for, the more understanding the better.

One thing I've been wondering is whether ssh can help solve the usual
problems with the tcl/tk dependence on xauth for security.  This often
leads to people recompiling libtk with security off, just so they can
get it to work locally.  The xauth docs are notoriously opaque, and if
there were a way to substitute ssh, it would greatly expand the
usefulness of wish scripts.  Since ssh already knows how to remote X
across its link this could make a lot of GUI tools more useful.

Maybe there are some ssh docs that I haven't discovered yet ...

-
Subscription/unsubscription/info requests: send e-mail with
"subscribe", "unsubscribe", or "info" on the first line of the
message body to discuss-request at blu.org (Subject line is ignored).
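An added illustration of the point raised above (editor's example, not part of John's post and not code from the ssh project): ssh's X11 forwarding already does the xauth work the post is asking about. On the remote side, sshd sets DISPLAY to a forwarded display (OpenSSH uses localhost:10.0 or higher) and registers a MIT-MAGIC-COOKIE-1 for it with xauth before the user's command runs, so a wish script started through the tunnel needs no xauth setup at all. The script below wraps that workflow and adds the one check worth making when it fails: whether the DISPLAY handed to you actually has a cookie. The host name `remotehost`, the script name `tool.tcl` and the sample `xauth list` output are constructed for the example; the `-X` and `-Y` flags are OpenSSH's.

```shell
#!/bin/sh
# Editor's example: ssh X11 forwarding as the substitute for hand-run xauth.
# Not from the original post or from the ssh project.

# Print the display number from a DISPLAY value:
#   "localhost:10.0" -> 10,  ":0" -> 0,  "remotehost:11" -> 11
display_number() {
    printf '%s\n' "$1" | sed -n 's/^[^:]*:\([0-9][0-9]*\).*$/\1/p'
}

# Read `xauth list` output on stdin; succeed (exit 0) when some
# MIT-MAGIC-COOKIE-1 entry is for the same display number as $1.
# The comparison is by number only because sshd registers the forwarded
# cookie as "<host>/unix:<n>" while DISPLAY reads "localhost:<n>.0",
# and a literal string match between the two would never succeed.
has_cookie_for_display() {
    n=$(display_number "$1")
    [ -n "$n" ] || return 1
    awk -v n="$n" '
        {
            k = split($1, parts, ":")          # last piece after ":" is the number
            if (parts[k] + 0 == n + 0 && $2 == "MIT-MAGIC-COOKIE-1") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Diagnostic to run inside an ssh -X session before launching wish:
# no DISPLAY means forwarding was refused (or disabled by -x / sshd config);
# a DISPLAY with no cookie means xauth on the remote side did not run.
check_forwarded_display() {
    if [ -z "$DISPLAY" ]; then
        echo "DISPLAY is not set: X11 forwarding is off" >&2
        return 1
    fi
    if ! xauth list | has_cookie_for_display "$DISPLAY"; then
        echo "no MIT-MAGIC-COOKIE-1 for $DISPLAY in xauth list" >&2
        return 1
    fi
}

# Run a Tk script on a remote host over the forwarded X connection.
# -X requests X11 forwarding; sshd handles DISPLAY and the cookie.
# Caveat: newer OpenSSH treats -X as "untrusted" forwarding (X SECURITY
# extension), which some Tk programs do not tolerate; -Y requests a
# trusted forward and removes that restriction at the cost of isolation.
run_remote_wish() {
    remote="$1"; script="$2"
    ssh -X "$remote" "wish $script"
}

# Constructed sample of `xauth list` on a host with a local display :0 and
# one sshd-forwarded display :10 (cookie values are made up).
SAMPLE_XAUTH_LIST='remotehost/unix:0  MIT-MAGIC-COOKIE-1  0123456789abcdef0123456789abcdef
remotehost/unix:10  MIT-MAGIC-COOKIE-1  fedcba9876543210fedcba9876543210'

# Usage (not executed here):  run_remote_wish remotehost tool.tcl
```

The diagnostic is the part that matters when "it just doesn't work": `echo $DISPLAY` followed by `xauth list` on the remote side tells you whether sshd forwarded the display and installed a cookie, which is exactly the information the xauth documentation tends to leave you hunting for.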



More information about the Discuss mailing list