On Thu, Jan 27, 2000 at 09:40:35AM -0500, Brandon Palmer wrote:
> > Ultimately I wonder how much of a future S/Key has now that SSH and
> > similar utilities are widely deployed and provide much more
> > sophisticated protections, especially session encryption.
>
> I think there is definatly still a need. There are many cases in which I
> am not on a machine what has ssh (ie some public telnet shell). Though
> the session is not encrypted, my password is still safe. Until ssh-java
> shells are common, s/key still has it's place.
This indicates a rather common misconception. SSH-Java shells should
NOT make a public terminal trusted for your password; the TERMINAL is
insecure, and is rather likely to be running a keystroke logger. SSH
only makes the connection from the box it runs on to the box in the
other end secure.
Eivind.
