For me, passing any administrative data in the clear is unacceptable
and is prohibited by my employer. Were I in your situation I would be
allowing ssh in/out to a specified internal host accessed by
administrative staff only.
-Rich
On Thu, 20 Apr 2000, David Lang wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> For the commercial firewalls I use the provided tool, for the other
> machines I use a one-time password to get through the firewall to them. It
> isn't perfect (data can be sniffed), but I take the position that if I am
> doing my job correctly it wouldn't matter if my root passwords were
> posted, no one could get to where they could use them.
>
> This is a decision I made based on my perception of the relative risks
> between
>
> 1. someone goes to the effort of getting the passwords and then finds an
> application bug that gets them on the machine where they can use them (in
> which case they may be getting on as root anyway)
>
> 2. inside people using SSH to tunnel stuff through that I have no control
> over because "it's only for me and it's not really a risk anyway"
>
> David Lang
>
>
>
> On Thu, 20 Apr 2000, Mark E. Drummond wrote:
>
> > Date: Thu, 20 Apr 2000 15:38:06 -0400
> > From: Mark E. Drummond <[EMAIL PROTECTED]>
> > To: David Lang <[EMAIL PROTECTED]>
> > Cc: Firewalls <[EMAIL PROTECTED]>
> > Subject: Re: ssh defeats the firewall
> >
> > David Lang wrote:
> > >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > >
> > > This is exactly the reason why I do not allow SSH through the firewalls I
> > > manage.
> >
> > So do you do remote management of your UNIX boxen? If so, what do you
> > use?
> >
> > --
> > Mark Drummond|ICQ#19153754|mailto:[EMAIL PROTECTED]
> > UNIX System Administrator|Royal Military College of Canada
> > The Kingston Linux Users Group|http://signals.rmc.ca/klug/
> > Saving the World ... One CPU at a Time
> >
>
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>