Summary: Unencrypted passwords in the network.

From: Vitaly Beliaev (vit@mmk.ru)
Date: Fri Aug 22 1997 - 03:53:19 CDT


Greetings, managers!

Thank you, thank you very much! Thanks a lot to all people who responded so
quickly to my message:

Roy Culley <tgdcuro1@gd2.swissptt.ch>
Mark Heath <mheath@netspace.net.au>
David Thorburn-Gundlach <dtg@cae091.ed.ray.com>
Martin Las <las@nic.utc.sk>
Matthew Stier <Matthew.Stier@tddny.fujitsu.com>
Rich Snyder <rsnyder@eos.hitc.com>
Alex Lattanzi <alattanzi@impsat1.com>
Troy Wollenslegel <troy@intranet.org>
Daniel Kluge <danielk@tibco.com>
Pascal Gaudette <pascal@viper.istar.ca>
Chris Smith <cesmith@netcom.com>
Kevin Sheehan <Kevin.Sheehan@uniq.com.au>
Chan Ling Ling <llchan@kdupg.edu.my>
William Gate$ <dosh@nym.alias.net>
Torsten Metzner <tom@math.uni-paderborn.de>
Tim Henrion <henriont@datrep.safb.af.mil>
Rodney C. Marable <marable@firefly.net>
Frank Rizzo <jm@inlink.com>
Mark Bergman <bergman@phri.nyu.edu>
Kamal Kantawala <kamal@mcc.com>
Mika Tuupola <tuupola@mehu.appelsiini.net>
Drexx Laggui <drexx@bancnet.net>

Now, here are the brief contents of my original request:

> I found that running 'snoop' directed at a particular host and port
> will reveal any user's password. It pertains to login and telnet
> connections as well as ftp. I wonder whether there are some programs that can
> encrypt passwords and send them over the network. I have heard about
> the Kerberos system but I'm not deeply aware of it.
> I would be very grateful for any of your help regarding different
> ways of protecting passwords and "encrypting" ftp, telnet and login
> sessions. Thanks in advance for your attention!

I have received a good deal of replies. Practically all of them advised
using Secure Shell (ssh), which is capable of encrypting TCP connections.

I would like to express special thanks to Daniel Kluge and William
Gate$ for their detailed explanations and useful pointers.

You may visit the following WWW sites to get additional information about
ssh, network security software, secure protocols and other useful info:

http://www.cs.hut.fi/ssh
http://www.datefellows.com/f-secure/fnetsys.htm (advised by Rich Snyder)
http://wwwfg.rz.uni-karlsruhe.de/~ig25/ssh-faq/ (advised by Alex Lattanzi)
http://www.datafellows.com (advised by Frank Rizzo)
http://www.skip.org/skip1.1.1/index.html (advised by Drexx Laggui)

Here are some noticeable excerpts from the messages I received:

From: Martin Las <las@nic.utc.sk>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    It's necessary to use a Kerberos server ( but you can't buy it )
    and TCP apps with Kerberos support ( try www.inseko.sk or directly
    www.wrq.com - Reflection software company/X, telnet, ftp, ... under PC+M$ )

From: Daniel Kluge <danielk@tibco.com>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    There are different systems for encrypting authentication data
    (username/pw), depending on different needs.

    Kerberos: A whole security system; it can encrypt and authenticate almost
    every service, but needs LOTS of resources for administration. I don't
    know if there is a secure Kerberos implementation outside the US.

    s/keys: replacement for login, uses one-time passwords, kind of useful,
    but only secures the login, not your network session.

    OPIE: 'One-time Passwords In Everything', s/keys for every server, ftp and
    the like, see above

    ssh: secure shell, plug-in replacement for rcp, rsh, rlogin, uses strong
    crypto for authentication, and is able to encrypt the whole session.
    See http://www.cs.hut.fi/ssh/

    SSL: Secure Socket Layer, a protocol for encrypted connections proposed by
    Netscape; there is a free implementation called 'SSLeay'. I'm not sure
    which clients (telnet, ftp, smtp) exist.

    You may also take a look at
    http://www.securezone.com/Software/Crypto/Encryption/ for a good overview.

From: William Gate$ <dosh@nym.alias.net>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Kerberos is one scheme. It is quite good, but has minor problems.
    It's certainly far better than exposing plaintext passwords.
    You want one host dedicated as a server, without user access.

    There are also one-time password schemes (such as S/Key).
    These may not do everything you want.

    Probably ssh is the thing you want to look at most.
    It is not supposed to be run on systems where you share home
    directories with NFS. AFS can be combined with Kerberos.

    There should eventually be proper IP encryption.
    I heard someone recently speak on his plans for this,
    but he's looking for a developer familiar with kernel
    network programming.

From: Torsten Metzner <tom@math.uni-paderborn.de>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Take a look at the SRA package and at ssh. Use archie to find them.

From: Mark Bergman <bergman@phri.nyu.edu>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Look into ssh (requires client-side software) for encrypting the
    entire TCP/IP transaction.

    Check out S/KEY (from thumper.bellcore.com). It's a free, one-time
    password system. The TCP/IP session remains unencrypted, but the
    password (if snooped) cannot be re-used. There are free password
    generators available for Unix, Macs, PCs, Windows.
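The replay-resistance property Mark Bergman describes above, as an added example that is not part of the original message or of the S/KEY package: a simplified Lamport-style one-time password chain. Real S/KEY folds MD4 output to 64 bits and encodes it as six short words; this example uses SHA-256 and raw bytes instead, and the secret, sequence count and class names are constructed for the demonstration. The server stores only the sequence number and the last accepted value, never the secret, so a snooped password verifies once and then fails on replay because the server has moved one step down the chain.

```python
import hashlib
import hmac


def otp_hash(value: bytes) -> bytes:
    """One step of the hash chain (SHA-256 here; real S/KEY folds MD4 to 64 bits)."""
    return hashlib.sha256(value).digest()


def hash_chain(secret: bytes, count: int) -> bytes:
    """Apply otp_hash `count` times to the secret, i.e. h^count(secret)."""
    value = secret
    for _ in range(count):
        value = otp_hash(value)
    return value


class OtpServer:
    """Verifier side: holds (sequence number, last accepted value), never the secret."""

    def __init__(self, initial_count: int, initial_value: bytes) -> None:
        self.count = initial_count        # next password must be h^(count-1)(secret)
        self.last_value = initial_value   # h^count(secret), set at enrollment

    def verify(self, presented: bytes) -> bool:
        # Refuse to go below count 1 so the raw secret itself is never accepted
        # on the wire; the chain must be re-initialized with a fresh secret.
        if self.count <= 1:
            return False
        # Hashing the presented value once must reproduce the last accepted value.
        if hmac.compare_digest(otp_hash(presented), self.last_value):
            self.count -= 1
            self.last_value = presented   # move one step down the chain
            return True
        return False


class OtpClient:
    """Prover side: regenerates each password from the secret and current count."""

    def __init__(self, secret: bytes, initial_count: int) -> None:
        self.secret = secret
        self.count = initial_count

    def next_password(self) -> bytes:
        self.count -= 1
        return hash_chain(self.secret, self.count)


def enroll(secret: bytes, count: int = 100):
    """Enrollment: the server learns only h^count(secret), not the secret."""
    return OtpClient(secret, count), OtpServer(count, hash_chain(secret, count))


def replay_demo(secret: bytes = b"constructed demo secret", count: int = 5):
    """Show that a snooped one-time password verifies once and not again."""
    client, server = enroll(secret, count)
    snooped = client.next_password()      # what an eavesdropper would capture
    first = server.verify(snooped)        # legitimate login succeeds
    replay = server.verify(snooped)       # replay of the same value fails
    second = server.verify(client.next_password())  # next chain step succeeds
    return first, replay, second


if __name__ == "__main__":
    print(replay_demo())  # (True, False, True)
```

Note that this only protects the password exchange: everything after login still travels in the clear, which is the limitation both Daniel Kluge and Mark Bergman point out when they recommend ssh for the session itself.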

From: Drexx Laggui <drexx@bancnet.net>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Why don't you try SKIP for Solaris? It'll encrypt all your packets on
    the network. See it at www.skip.org/skip1.1.1/index.html

Summary posted by Vitaly Beliaev: Aug 22, 1997.

-==================================================================-
 Vitaly Belyaev: Unix system administrator, JVSC MMK, RUSSIA
 e-mail: vit@mmk.ru voice: +7 (3511)-333824
 Before you judge someone, stop and remember, we all see the same sun.
                                                       Mr. President
-==================================================================-



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:01 CDT