You are seeing the point I was making (Thank you Harley). Yes, SSH has to be installed on each machine. What's more, it looks like Perl may need to be used and installed, keys added for each machine (110 in total !!!) About 30+ scripts re-written.

Andre sent stuff on Expect which would solve the RSA problem but then I would have a user id and password in a script. I could protect that file to the user only I suppose. (Many thanks Andre)

I am looking at the stunnel option as part of the report/proposal, so the least we can get them to do is the encryption. Sniffing is definitely a threat here and I acknowledge fully that a switched network is not a protection against it. Note this from the ettercap site:

"SSH1 support : you can sniff User and Pass, and even the data of an SSH1 connection. ettercap is the first software capable to sniff an SSH connection in FULL-DUPLEX"

The site also claims they can convince the server to switch to ssh1 if ssh2 is in place. Therefore the RSA is a good idea?!?! The latest version and configure it to only ssh2 is not really an option as the latest version is not available for all the machines and OSes in use.

The argument coming back to me then is even with the ssh and all the work involved (months at least because of their other commitments) they are not really that better off. Is it worth it? That is what is coming back to me. You see now why I posted the message??

It comes back to an earlier post of how do you implement a policy if management say no need for it??? I know they need to go the more secure route but how do I fully convince them? Yes, I know a lot of you will say risk assessment and costing etc. I went down the CISSP route too and am actually waiting for results (nerves are shot to pieces). But the customer unfortunately has not read through all the domains of CISSP and doesn't really see the end benefit. Rock and Hard place springs to mind.

Thanks again to all on thread.

Trevor Cushen
Sysnet Ltd
www.sysnet.ie
Tel: +353 1 2983000
Fax: +353 1 2960499

-----Original Message-----
From: harley mcdonald [mailto:[EMAIL PROTECTED]]
Sent: 09 October 2002 17:40
To: Trevor Cushen
Cc: [EMAIL PROTECTED]
Subject: RE: Is SSH worth it??
trevor,

are there no hubs in this entire network? but that doesn't matter too much as switches are generally easy to circumvent.

the amount of people who have passwd access is immaterial, however, do you trust your users who don't have these passwds? i should imagine you do not, otherwise, why password protect any network traffic? just let everyone get what they need. is your data that sensitive / critical or are you just worried about the _extra work_ involved fully restoring a seriously compromised machine?

but i see your point. how do you go about running public key authentication on a hundred machines fairly easily? i'm not sure. i suppose you could set it all up first with rsh and then disable rsh. or you could do it with ssh for one user ( root --for the privileges ) and then from there, run a script to do the rest of the users. root access might cause problems here... not to mention all the code changes you'll have to make. and you sound like you may have to install ssh itself on each machine as well. i'm glad i'm not you ;)

so i guess, the added effort is the price you pay for the extra protection. is it worth it for you and your company?

h ..

> -----Original Message-----
> From: Trevor Cushen [mailto:[EMAIL PROTECTED]]
> Sent: Monday, October 07, 2002 10:03 AM
> To: [EMAIL PROTECTED]
> Subject: Is SSH worth it??
>
> Hello all,
>
> Quick opinion based question. I have a switched internal network that
> currently uses a lot of rcp with rsh authentication to move files
> about. Platforms are unix and nt (ftp on the nt side)
>
> More secure is ssh and scp for all platforms, but I have several scripts
> that would all have to be re-written and a fair bit of setting up for
> all the clients and servers involved throughout the organisation.
>
> The question is this;
>
> On an internal network that is switched (making sniffing harder) is it
> worth going to SSH and SCP??????
>
> I am aware how to set it all up but the thing is, is it worth it. Bear
> in mind also that few people have passwords to the boxes and the only
> real threat is sniffing the traffic.
>
> All opinions welcome,
> thanks
>
> Trevor Cushen
> Sysnet Ltd
>
> www.sysnet.ie
> Tel: +353 1 2983000
> Fax: +353 1 2960499
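
The SSH1 fallback concern raised in the thread can be checked per host before any rollout decision. The following is an added example, not part of the original messages: it classifies collected sshd_config files by their legacy `Protocol` directive. The `<host>.sshd_config` file layout, host names and config contents are hypothetical and constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): report whether an sshd_config still
# accepts SSH protocol 1. Host names and config contents are constructed.

protocol_status() {   # $1 = path to an sshd_config
    awk '
        # Keywords are case-insensitive; commented-out lines do not match.
        # Assumption: the first uncommented Protocol line is the effective one.
        tolower($1) == "protocol" && !seen {
            seen = 1
            n = split($2, v, ",")
            for (i = 1; i <= n; i++) if (v[i] == "1") allow1 = 1
        }
        END {
            # No directive: the answer depends on the build default, so flag it.
            if (!seen)       print "unset-check-build-default"
            else if (allow1) print "ssh1-allowed"
            else             print "ssh2-only"
        }
    ' "$1"
}

audit_dir() {         # $1 = directory holding one collected config per host
    for f in "$1"/*.sshd_config; do
        [ -e "$f" ] || continue
        host=$(basename "$f" .sshd_config)
        printf '%s %s\n' "$host" "$(protocol_status "$f")"
    done
}

# Constructed sample: three collected configs, audited offline.
demo=$(mktemp -d)
printf 'Port 22\nProtocol 2\n'              > "$demo/hostA.sshd_config"
printf 'Protocol 2,1\nPermitRootLogin no\n' > "$demo/hostB.sshd_config"
printf '#Protocol 2\nPort 22\n'             > "$demo/hostC.sshd_config"
audit_dir "$demo"
rm -rf "$demo"
```

Hosts reported as `ssh1-allowed` or `unset-check-build-default` are the ones where a forced fallback to SSH1 remains possible until the directive is set to `2` explicitly.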