On Sun, 22 Sep 2002, Iljitsch van Beijnum wrote:
On Sun, 22 Sep 2002, Richard A Steenbergen wrote:
On Sun, Sep 22, 2002 at 01:11:07PM +0200, Iljitsch van Beijnum wrote:
There are also people ssh'ing to personal and corporate machines from the terminal room where the root password is given out or easily available.
Are you saying people shouldn't SSH?
I've seen far too many people get into trouble because they have some flawed thinking that "ssh == always secure", even against compromises of one of the endpoints. If root is available, a reasonable person should ASSUME that some bored individual (like Bandy Rush) has taken 30 seconds and recompiled the ssh binaries with a password logger.
When we hosted nanog 16 we made the effort to periodically compare the md5 sums of the binaries on the terminal room machines to a reference source. I wouldn't personally place a greate deal of trust in machines that aren't in ones possession but we try.
Excellent point. Fortunately, this doesn't apply to running SSH from your laptop over the wireless network.
-- -------------------------------------------------------------------------- Joel Jaeggli Academic User Services joelja@darkwing.uoregon.edu -- PGP Key Fingerprint: 1DE9 8FCA 51FB 4195 B42A 9C32 A30D 121E -- In Dr. Johnson's famous dictionary patriotism is defined as the last resort of the scoundrel. With all due respect to an enlightened but inferior lexicographer I beg to submit that it is the first. -- Ambrose Bierce, "The Devil's Dictionary"