On Fri, Dec 09, 2005 at 09:19:29AM +0800, John Summerfield wrote:
Randall R Schulz wrote:
John,
On Thursday 08 December 2005 16:39, John Summerfield wrote:
...
I use ssh rather than telnet, rsh, rexec etc because it's more convenient. Mostly, I control the wire or go through a vpn I control.
That depends, I guess, on how you define convenience. I know of nothing about configuring or using SSH-based services that is more convenient than using plain old (non-secure) telnet. (Even if SSH-based services are taken out of the picture entirely, I still have to type several passwords many times each day, so keyed access isn't going to make my life much more convenient.)
Using ssh, I can arrange for secure passwordless authentication. That's a great convenience I could never achieve with telnet, though I did sort of fudge it with an expect script.
I'm surprised so many very security-conscious people think that passwordless is such a good thing. Now you've made physical access to your computer all that is required to gain access to all the other hosts for which you've set up passwordless access. What's more, from the perspective of the administrators of those systems, it's you who has accessed their resources and you'll get the blame, at least initially, for any malicious actions.
Physical access involves electronic security (locks and monitored alarms), mechanical keylocks and having your photo taken while on the job. Once you have physical access, passwords are moot.
Oh man, the number of hospitals I've been able to walk around in through their IT staff, saying I'm a consultant or something. Quite easy to defeat all of that. I mean, what are you going to do, take out the floppy drive? And the CD drive? LOL. Anything you can do can be taken apart or picked.
Or detailed knowledge. Our data has little commercial value; if you want a site to cause mayhem to the internet, there are easier pickings. Half a dozen unsecured wireless APs where I live for starters.