Is ssh not safe?

John Thompson JohnThompson at new.rr.com
Sat Jul 24 18:49:55 UTC 2004


Michael Sullivan wrote:

> I've been following the "Hack Attempts" thread and I've come to the
> conclusion that having my router route port 22 requests through to my
> server PC is not safe.  Here's my situation.  I use my server PC for web
> hosting and email.  Most of my users access their accounts from outside
> the router (my network is based in my apartment and my wife and I are
> the only ones who use it here.)  I don't want users telnetting in because of
> the security risk (I don't quite understand this, but I've read about it
> in more than one place, so it's probably true), so I've enabled ssh so
> that they can log in and change their passwords if need be.  They upload
> their web pages through FTP, supplying their username and password. 

FTP suffers some of the same security concerns as telnet; e.g. usernames 
and passwords are transmitted as clear text, so anyone sniffing the 
connection could conceivably harvest these for their own purposes.  As 
long as you've got ssh up and running, why not have your users use sftp 
or scp to transfer their files?  These use the same end-to-end encrypted 
connection as the ssh session, so nothing is ever sent down the wire in 
unencrypted form.

An alternative might be to compile your ftp server with kerberos 
support, which would at least encrypt the authentication exchange.  But 
setting up a kerberos server is no mean feat, and simply using sftp/scp 
is likely to be much easier.

-- 

-John (john at os2.dhs.org)
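
The clear-text exposure described in the reply above can be audited on your own server. The following is an added example, not part of the original post: it scans client lines from FTP control connections (TCP port 21) and lists the accounts whose password crossed the wire readable, so those users can be moved to sftp/scp. The sample lines, addresses and function names are constructed for illustration.

```python
"""Audit FTP control-channel lines for credentials sent in clear text."""

# Constructed sample (not real traffic): client-to-server lines from FTP
# control connections on TCP port 21, keyed by client address.
SAMPLE = [
    ("192.0.2.10:40112", "USER alice\r\n"),
    ("192.0.2.10:40112", "PASS example-password\r\n"),
    ("192.0.2.10:40112", "STOR index.html\r\n"),
    ("192.0.2.77:51544", "user anonymous\r\n"),
    ("192.0.2.77:51544", "pass guest@example.org\r\n"),
    ("192.0.2.90:33010", "AUTH TLS\r\n"),  # rest of this session is encrypted
]


def find_cleartext_logins(lines):
    """Return one finding per PASS command readable on the wire.

    The password itself is never stored, only its length.
    """
    pending_user = {}   # connection -> last USER argument seen
    findings = []
    for conn, raw in lines:
        verb, _, arg = raw.rstrip("\r\n").partition(" ")
        verb = verb.upper()          # FTP commands are case-insensitive
        if verb == "USER":
            pending_user[conn] = arg
        elif verb == "PASS":
            user = pending_user.pop(conn, "<unknown>")
            findings.append({
                "connection": conn,
                "user": user,
                "password_length": len(arg),
                "anonymous": user.lower() in ("anonymous", "ftp"),
            })
    return findings


def accounts_to_migrate(lines):
    """Real (non-anonymous) accounts whose password crossed the wire readable."""
    return sorted({f["user"] for f in find_cleartext_logins(lines)
                   if not f["anonymous"]})


if __name__ == "__main__":
    for f in find_cleartext_logins(SAMPLE):
        print(f)
    print("move to sftp/scp:", accounts_to_migrate(SAMPLE))
```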




