
On December 21, 2003 03:50 am, you wrote:
> > Also encryption doesn't stop people from being dumb. For example, allowing password-based authentication with sshd leaves a rather weak link in the chain (depending on users to use good passwords). IOW, if you use strong encryption with weak authentication you might as well not bother.
>
> But the password is encrypted in transfer, right? Maybe I'm wrong about this, but doesn't ssh use asymmetric encryption initially, then symmetric after the session key is established?
Yes, your username and password are encrypted in transit. My point was that if you allow password authentication and your root password is g0d, all the encryption in the world cannot protect you. Better to make the authentication barrier a lot higher: require key-based authentication, ensure that all private keys are passphrase protected, don't allow root login unless it's essential, restrict access to ssh by IP if it doesn't cause too much heartache, etc.

Another example would be with VPNs. Let's say Justin Inc. installed a VPN; employees gotta have access from home after all! Now your poor employees can't handle installing X.509 certificates, it's too much work for you to manage them, and ahh, who cares, it's all encrypted anyway. So in the interest of keeping things simple you set up pre-shared key authentication with a pre-shared key of "justin's vpn" ... you've now created a solution where the data is secure in transit but very insecure in other ways. The authentication barrier is low; guesswork can potentially lead an attacker to full VPN access to your network.

Secure webservers are another example. Imagine a "secure" webserver that allows telnet access from all over the Internet, that stores credit cards in an unencrypted form in a database, etc. Sure, the data in transit is tough to get at, but the data at rest is easy pickings.

Anyway, now I'm rambling about stuff that likely had nothing to do with your original question, time to go fishing :-)

-- 
Fraser Campbell <fraser-Txk5XLRqZ6CsTnJN9+BGXg at public.gmane.org>
http://www.wehave.net/
Georgetown, Ontario, Canada
Debian GNU/Linux

--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
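The sshd hardening Fraser lists (key-based authentication only, no root login, restricted access) can be checked mechanically rather than by eyeballing the file. What follows is an added example, not code from the thread or from OpenSSH: a small POSIX shell audit that reads sshd_config text, resolves the effective global value of each directive the way sshd does (first occurrence wins, comments are ignored, directives inside a Match block apply only conditionally), and flags the weak settings. Both sample configs are constructed. The directive names are real OpenSSH ones, but the defaults assumed for absent directives (PasswordAuthentication yes, ChallengeResponseAuthentication yes, PermitRootLogin yes) are the OpenSSH defaults of the post's era; newer releases default PermitRootLogin to prohibit-password and have renamed ChallengeResponseAuthentication to KbdInteractiveAuthentication, so adjust those two lines for a current server. Only the whitespace-separated "Keyword value" form is parsed, not the optional "Keyword=value" form.

```shell
#!/bin/sh
# Added example, not from the TLUG thread or from OpenSSH: audit sshd_config text
# for the weak authentication settings Fraser's post warns about.
# Assumed defaults for absent directives are the era's OpenSSH defaults.

# Print the effective global value of directive $1 in config text $2.
# sshd honours the first occurrence and ignores comment lines; we stop at the
# first Match block because directives there apply only to matching clients.
sshd_directive() {
    printf '%s\n' "$2" | awk -v key="$1" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }'
}

# Value of directive $1 in config $2, or the assumed default $3 if unset.
effective() {
    v=$(sshd_directive "$1" "$2")
    [ -n "$v" ] && printf '%s\n' "$v" || printf '%s\n' "$3"
}

# One line per finding (WEAK: or INFO:); prints nothing for a hardened config.
list_weak_settings() {
    cfg="$1"
    [ "$(effective PasswordAuthentication "$cfg" yes)" = no ] ||
        echo "WEAK: PasswordAuthentication is not 'no' (passwords can be guessed; require keys)"
    [ "$(effective ChallengeResponseAuthentication "$cfg" yes)" = no ] ||
        echo "WEAK: ChallengeResponseAuthentication is not 'no' (PAM can still prompt for a password)"
    [ "$(effective PermitRootLogin "$cfg" yes)" = no ] ||
        echo "WEAK: PermitRootLogin is not 'no' (the attacker already knows the username)"
    [ "$(effective PubkeyAuthentication "$cfg" yes)" = yes ] ||
        echo "WEAK: PubkeyAuthentication is disabled (nothing stronger than a password is left)"
    [ -n "$(sshd_directive AllowUsers "$cfg")" ] ||
        echo "INFO: no AllowUsers restriction; consider limiting users and source addresses"
}

# Number of WEAK findings; always exits 0 so it is safe under set -e.
count_weak_settings() {
    list_weak_settings "$1" | awk '/^WEAK:/ { n++ } END { print n + 0 }'
}

# Constructed sample: an out-of-the-box sshd_config of the kind the post describes.
WEAK_CONFIG=$(cat <<'EOF'
# constructed sample, not a real host's file
Port 22
Protocol 2
PermitRootLogin yes
# PasswordAuthentication left at its default (yes)
EOF
)

# Constructed sample: the hardening Fraser describes, plus a Match exception that
# must NOT be mistaken for the global setting.
HARDENED_CONFIG=$(cat <<'EOF'
# constructed sample, not a real host's file
Port 22
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowUsers fraser@192.0.2.*
Match Address 10.0.0.0/8
    PasswordAuthentication yes
EOF
)

echo "== weak config =="
list_weak_settings "$WEAK_CONFIG"
echo "weak settings: $(count_weak_settings "$WEAK_CONFIG")"
echo "== hardened config =="
list_weak_settings "$HARDENED_CONFIG"
echo "weak settings: $(count_weak_settings "$HARDENED_CONFIG")"
```

To audit a live host, replace the constructed text with `"$(cat /etc/ssh/sshd_config)"`. The ChallengeResponseAuthentication check is the one people miss: with PAM enabled, setting PasswordAuthentication no alone still lets sshd collect a password through keyboard-interactive, so the "keys only" barrier is not real until both are off. Restricting by source address as the post suggests can be done with AllowUsers user@host patterns as shown, with tcp_wrappers, or at the firewall; the audit only reports whether some AllowUsers restriction exists.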