I have found SSH to do more good than harm in our environment... no more telnet, pop, imap, nntp, or other connections to personal ISPs which are so easily picked off. They all seem to be more than willing to let me set them up with SSH port forwarding and e-mail encryption, and I'm happy to almost never sniff passwords on our network any longer. Obviously this is relying on policy and a huge amount of trust that the users will not abuse their SSH connections, but I am much more willing to trust that than I am that they won't ever use those accounts for moving confidential information. I am interested, however, in hearing whether this is just bad practice... it is a security challenge having a company full of highly technical and competent people expecting a high level of trust and functionality.
Jon Speer
Sr. Network Security Engineer
Tripwire, Inc.
