[ On Tuesday, February 9, 1999 at 10:21:46 (+0100), Peter Svensson wrote: ]
> Subject: Re: transfering files back along an existing connection
>
> On Mon, 8 Feb 1999, Greg A. Woods wrote:
>
> > You really *must* completely trust the client computer, even if only for
> > a limited duration of time. Period.
>
> This is not correct, as I have shown. Your claim depends on the assumption
> that "once authenticated the user is completely trusted".

Look, you're not reading what I wrote.

Go read Phrack #51 (the piece about hiding trojans from tripwire using a
hidden LKM) and then tell me how I'm going to trust an un-trusted host.
That's the proof that it's not only technically possible but already
implemented. Off the top of my head I can think of hundreds of other
ways of compromising a host in such a way that the SSH client user
cannot tell that his connection is being used for covert purposes. In
real life there are probably thousands of compromises possible. Have
you never wondered why military security sometimes requires enclosing
the entire computing system and power supply in a Faraday Cage and
posting armed guards at the door?

> I'll reiterate: hardware tokens offer two modes of improved security. The
> most usable is that it limits the time you need to trust the client to the
> logoff moment. Not trusting the machine while logged on requires a much
> better protection in depth, but is still not impossible, only
> rather cumbersome to use.

I don't disagree (though I question the amount of "improvement" -- it's
all circumstantial).

However, regardless of the authentication scheme you *MUST* still trust
the client host before and after the initial SSH connection is opened.
--
Greg A. Woods
+1 416 218-0098 VE3TCP <[EMAIL PROTECTED]> <robohack!woods>
Planix, Inc. <[EMAIL PROTECTED]>; Secrets of the Weird <[EMAIL PROTECTED]>