From: Sam on 17 Jun 2010 06:05

Todd writes:

> Hi All,
>
> With this command:
>
> ssh -l todd -X 192.168.255.14 /usr/bin/VirtualBox
>
> I can run VirtualBox console on another computer with X11.
> All I get is asked for my password.
>
> I don't get it. How is this any more secure than plain
> old telnet?

Run tcpdump on another machine on the same network. Pretend that you're somebody else. Keep watching while your password is captured, in the clear, by tcpdump.

Repeat the same experiment, this time with ssh. Good luck figuring out what the password is.

> Both are just a user name and password.
> You could hack it the same old way other services
> are hacked by running the dictionary at them. I
> do believe OPH Crack over on the Windows side calls
> this "Rainbow tables".

As the next step, generate an ssh keypair on the client, put the public key in authorized_keys2 on the server, and set "PasswordAuthentication no" in /etc/ssh/sshd_config on the server.

Good luck cracking the nonexistent password, no.

> I ask this because I will be needing to open SSH (port 22)
> for a vendor to get in on. And, well, I just don't get
> the advantage of ssh over anything else.

Tell the vendor to send you their public key. Install their public key in authorized_keys2. Don't use password authentication.
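Added example, not part of Sam's post or anyone else's in this thread: a shell check for whether a "PasswordAuthentication no" line in an sshd_config-style file actually takes effect. The function name `audit_password_auth` and the sample configuration are constructed for illustration; the parser is simplified (it does not follow Include files or evaluate Match conditions).

```shell
#!/bin/sh
# Report the global PasswordAuthentication value and count Match-scoped
# lines that turn it back on. sshd uses the first value it obtains for a
# keyword, keywords are case-insensitive, and the default is "yes".
audit_password_auth() {
    # $1: path to an sshd_config-style file
    awk '
        BEGIN { global = "yes"; seen = 0; in_match = 0; match_yes = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]*=[ \t]*/, " ", line)      # accept "Keyword=value"
            n = split(line, f, /[ \t]+/)
            key = tolower(f[1])
            val = tolower(f[2]); gsub(/"/, "", val)
            if (key == "match") { in_match = 1; next }
            if (key != "passwordauthentication" || n < 2) next
            if (in_match) { if (val == "yes") match_yes++ }
            else if (!seen) { global = val; seen = 1 }   # first value wins
        }
        END { printf "global=%s match_yes=%d\n", global, match_yes }
    ' "$1"
}

# Constructed sample: the commented-out line is ignored, the first real
# setting wins over the later one, and the Match block re-enables
# passwords for one account.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
PasswordAuthentication yes
Match User vendor
    PasswordAuthentication yes
EOF
audit_password_auth "$sample"
rm -f "$sample"
```

On a live server, `sshd -T` prints the effective configuration as sshd itself parses it.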
From: The Natural Philosopher on 17 Jun 2010 06:35

Sam wrote:

> Todd writes:
>
>> Hi All,
>>
>> With this command:
>>
>> ssh -l todd -X 192.168.255.14 /usr/bin/VirtualBox
>>
>> I can run VirtualBox console on another computer with X11.
>> All I get is asked for my password.
>>
>> I don't get it. How is this any more secure than plain
>> old telnet?
>
> Run tcpdump on another machine on the same network. Pretend that you're
> somebody else. Keep watching while your password is captured, in the
> clear, by tcpdump.
>

Assuming you are not using a switched cabled network of course.

In fact packet snooping only works if:

- it's a repeated network, like WiFi, and that is running unencrypted data.
- someone relatively evil and smart has compromised a router between you and the target (and even then it's tricky, because you may, on a long link, only get one side of a conversation)
- someone has compromised the target machine.

In short, the days when you could get something useful out of tcpdump are long gone.

But habits and myths die hard.
From: Pascal Hambourg on 17 Jun 2010 13:27

The Natural Philosopher wrote:

> Sam wrote:
>> Run tcpdump on another machine on the same network. Pretend that you're
>> somebody else. Keep watching while your password is captured, in the
>> clear, by tcpdump.
>
> Assuming you are not using a switched cabled network of course.

Snooping traffic on a switched network can be quite easy.
From: The Natural Philosopher on 17 Jun 2010 18:30

Pascal Hambourg wrote:

> The Natural Philosopher wrote:
>> Sam wrote:
>>> Run tcpdump on another machine on the same network. Pretend that you're
>>> somebody else. Keep watching while your password is captured, in the
>>> clear, by tcpdump.
>> Assuming you are not using a switched cabled network of course.
>
> Snooping traffic on a switched network can be quite easy.

How?
From: Chris Davies on 17 Jun 2010 18:26

Sam wrote:

> Run tcpdump on another machine on the same network. Pretend that you're
> somebody else. Keep watching while your password is captured, in the
> clear, by tcpdump.

The Natural Philosopher <tnp(a)invalid.invalid> wrote:

> Assuming you are not using a switched cabled network of course.

Er, no. Using freely available software I've successfully demonstrated this as a fallacy on a switched cabled IP network, and sniffed traffic between two /other/ machines. Without switch port monitoring.

> In short, the days when you could get something useful out of tcpdump
> are long gone.

I would beg to differ.

Chris