Re: improving ssh

2007-07-19 Thread Nicolas Williams
Doesn't this belong on the old SSHv2 WG's mailing list? On Sat, Jul 14, 2007 at 11:43:53AM -0700, Ed Gerck wrote: SSH (OpenSSH) is routinely used in secure access for remote server maintenance. However, as I see it, SSH has a number of security issues that have not been addressed (as far as I

Re: improving ssh

2007-07-19 Thread Stanislaw Klekot
On Sat, Jul 14, 2007 at 11:43:53AM -0700, Ed Gerck wrote: SSH (OpenSSH) is routinely used in secure access for remote server maintenance. However, as I see it, SSH has a number of security issues that have not been addressed (as far as I know), which create unnecessary vulnerabilities. Some

Re: improving ssh

2007-07-19 Thread Taral
On 7/14/07, Ed Gerck [EMAIL PROTECTED] wrote: 1. firewall port-knocking to block scanning and attacks I would love to see a mode like freenet's silent bob, where connectors must prove probable knowledge of the host key before the node will talk. 5. block sending host key fingerprint for
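The "prove probable knowledge of the host key before the node will talk" idea in the message above is only sketched, so the following is an added illustration (not Freenet's scheme, not anything from this thread, and not OpenSSH code) of one way such a gate could work: the client sends a timestamp, a random nonce and an HMAC keyed with the SHA-256 fingerprint of the server's host public key; the server admits the source only if the tag verifies, the timestamp is within a skew window and the nonce has not been seen before. The host key blob, the 30-second window and the message layout are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed stand-in for a server host public key. A real deployment would
# read the blob from /etc/ssh/ssh_host_*_key.pub; this string is an assumption.
HOST_PUBKEY_BLOB = b"ssh-ed25519 AAAA...constructed-example-host-key..."

WINDOW_SECONDS = 30  # tolerated clock skew / replay window (assumed value)


def fingerprint(pubkey_blob: bytes) -> bytes:
    """SHA-256 of the host public key; used as the shared knock secret."""
    return hashlib.sha256(pubkey_blob).digest()


def make_knock(pubkey_blob: bytes, now: Optional[int] = None) -> bytes:
    """Client side: 8-byte big-endian timestamp || 16-byte nonce || HMAC-SHA256.

    The HMAC is keyed with the fingerprint, so a passive scanner that sees the
    knock learns nothing about the host key itself.
    """
    ts = int(time.time()) if now is None else now
    nonce = os.urandom(16)
    msg = ts.to_bytes(8, "big") + nonce
    tag = hmac.new(fingerprint(pubkey_blob), msg, hashlib.sha256).digest()
    return msg + tag


class KnockVerifier:
    """Server side: accept a source only after a fresh, valid knock."""

    def __init__(self, pubkey_blob: bytes, window: int = WINDOW_SECONDS):
        self._key = fingerprint(pubkey_blob)
        self._window = window
        self._seen = set()  # nonces already accepted (replay cache)

    def verify(self, knock: bytes, now: Optional[int] = None) -> bool:
        if len(knock) != 8 + 16 + 32:
            return False  # malformed: wrong length
        msg, tag = knock[:24], knock[24:]
        ts = int.from_bytes(msg[:8], "big")
        nonce = msg[8:]
        current = int(time.time()) if now is None else now
        if abs(current - ts) > self._window:
            return False  # stale or far-future knock
        if nonce in self._seen:
            return False  # replayed knock
        expected = hmac.new(self._key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False  # wrong host key, or tampered message
        self._seen.add(nonce)
        return True
```

The check is a scan filter, not authentication: anyone who has ever completed a handshake with the server already holds its host key, so this only keeps blind scanners and people who have never connected from eliciting a banner. The replay cache above grows without bound; a real implementation would evict nonces older than the window.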

Re: improving ssh

2007-07-19 Thread Ivan Krstić
On Jul 14, 2007, at 2:43 PM, Ed Gerck wrote: 1. firewall port-knocking to block scanning and attacks 2. firewall logging and IP disabling for repeated attacks (prevent DoS, block dictionary attacks) 3. pre- and post-filtering to prevent SSH from advertising itself and server OS 4. block empty
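Item 2 of the list being quoted above (log repeated failures and disable the offending IP to stop dictionary attacks) is the part most often implemented outside SSH itself. The following is an added example, not code from this thread or from OpenSSH: it parses sshd "Failed password" lines in the traditional auth.log format, counts failures per source address in a sliding time window, and renders a drop rule for each source that crosses the threshold. The log lines are constructed for the example, and the threshold of 5 failures in 60 seconds is an assumed policy; the sliding window is what keeps a legitimate user who mistypes a password a few times over ten minutes from being locked out.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in syslog/auth.log format (RFC 5737 documentation
# addresses, not real traffic).
SAMPLE_LOG = """\
Jul 14 11:40:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Jul 14 11:40:02 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40123 ssh2
Jul 14 11:40:03 host sshd[2103]: Failed password for root from 203.0.113.7 port 40124 ssh2
Jul 14 11:40:04 host sshd[2104]: Failed password for root from 203.0.113.7 port 40125 ssh2
Jul 14 11:40:05 host sshd[2105]: Failed password for root from 203.0.113.7 port 40126 ssh2
Jul 14 11:40:09 host sshd[2110]: Accepted publickey for ed from 198.51.100.4 port 51000 ssh2
Jul 14 11:41:30 host sshd[2120]: Failed password for ed from 198.51.100.4 port 51010 ssh2
Jul 14 11:47:00 host sshd[2130]: Failed password for ed from 198.51.100.4 port 51011 ssh2
Jul 14 11:52:00 host sshd[2140]: Failed password for ed from 198.51.100.4 port 51012 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Yield (timestamp, ip, user) for every failed-password line; skip the rest."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # Traditional syslog timestamps carry no year; fine for relative deltas.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def find_brute_forcers(log_text, threshold=5, window_seconds=60):
    """Return {ip: time_of_trigger} for sources with >= threshold failures
    inside any window_seconds span (sliding window per source)."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip, _user in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def firewall_rules(flagged, chain="INPUT"):
    """Render one iptables drop rule per flagged source. Illustrative only: a
    real deployment should use a set with timeouts (ipset/nftables) so blocks
    expire and the rule count stays bounded."""
    return [
        f"iptables -I {chain} -s {ip} -p tcp --dport 22 -j DROP"
        for ip in sorted(flagged)
    ]


if __name__ == "__main__":
    hits = find_brute_forcers(SAMPLE_LOG)
    for rule in firewall_rules(hits):
        print(rule)
```

With the sample input only 203.0.113.7 is flagged (five failures in five seconds); 198.51.100.4 fails three times across eleven minutes and is left alone. Two caveats a practitioner should keep in mind: source addresses behind a shared NAT are blocked together, and an attacker who can spoof or rotate addresses is not stopped by per-IP counting alone, which is why this complements rather than replaces disabling password authentication.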

Re: improving ssh

2007-07-19 Thread Ed Gerck
Ivan Krstić wrote: On Jul 14, 2007, at 2:43 PM, Ed Gerck wrote: 1. firewall port-knocking to block scanning and attacks 2. firewall logging and IP disabling for repeated attacks (prevent DoS, block dictionary attacks) 3. pre- and post-filtering to prevent SSH from advertising itself and

Re: improving ssh

2007-07-19 Thread Jun-ichiro itojun Hagino
i'm an OpenBSD developer, so i have some knowledge but could be biased. SSH (OpenSSH) is routinely used in secure access for remote server maintenance. However, as I see it, SSH has a number of security issues that have not been addressed (as far as I know), which create unnecessary

Re: improving ssh

2007-07-19 Thread Peter Gutmann
Ed Gerck [EMAIL PROTECTED] writes: Some issues could be minimized by turning off password authentication, which is not practical in many cases. That would probably make things much worse. A study of SSH attacks a few years ago showed that nearly two thirds of all SSH private keys were stored on

summary, Re: improving ssh

2007-07-19 Thread Ed Gerck
List, Thanks everyone for the feedback. There are now some ideas how things could be improved using crypto. I prepared a summary of the public and private responses, and clarifications, at: http://email-security.blogspot.com/2007_07_01_archive.html Comments are welcome in here (if crypto) an