Way OT: SSH worries

John Rudd jrudd at UCSC.EDU
Tue Aug 17 22:02:21 IST 2004


William Burns wrote:
>
> Back to stunnel:
>
> Following the "do no harm" philosophy, I use telnet to access a program
> that puts an *additional* level of security in front of sshd. While
> this additional layer is very weak, it provides no additional
> opportunities for buffer-overflow style exploits. stunnel (by
> comparison) *might* allow an attacker to break into my system without
> even having to contact sshd.
> While an attacker who could sniff my traffic could easily find out how I
> was turning on my ssh daemon, the attacker would not be able to use that
> same technique to exploit sshd.
>
> If you're already using https, and /or pop3s on your system,

or OpenSSH, which uses OpenSSL code.  Which was my point: Stunnel is in
the same risk category as OpenSSH (assuming you're using openssh, which
may have been an inappropriate assumption on my part).  Using Stunnel is
no more risky than using OpenSSH, AFAICT.

> you might
> not view the use of stunnel as an *additional* vulnerability, because
> you're *already* exposed to it, in which case, go for it.
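The argument above rests on one verifiable fact: whether sshd and stunnel on a given host both link the same OpenSSL shared libraries. The following script is an added example, not code from either poster or from the MailScanner project; it parses ldd(1) output and reports the OpenSSL libraries each binary depends on, so you can confirm the "same risk category" claim on your own system. The sample ldd output embedded at the bottom is constructed for the stand-alone run; the binary names sshd and stunnel are the ones discussed in the thread.

```sh
#!/bin/sh
# Added example (not from the list post): find out which executables on
# this host link OpenSSL, so you can see that sshd and stunnel share the
# same OpenSSL exposure rather than stunnel adding a new one.

# openssl_deps: read ldd(1) output on stdin and print the OpenSSL library
# names it references (libssl*/libcrypto*), one per line, sorted, unique.
# Prints nothing when the binary does not link OpenSSL.
openssl_deps() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ { print $1 }' | sort -u
}

# binary_openssl_deps NAME: locate NAME on PATH, run ldd on it and print
# its OpenSSL dependencies. Returns 1 when the binary is not installed or
# is not a dynamically linked executable.
binary_openssl_deps() {
    path=$(command -v "$1" 2>/dev/null) || { echo "$1: not found" >&2; return 1; }
    ldd "$path" 2>/dev/null | openssl_deps
}

# report_shared_exposure NAME...: print each binary's OpenSSL libraries
# and finish with a one-line verdict on whether any two of them share one.
report_shared_exposure() {
    all=""
    for bin in "$@"; do
        deps=$(binary_openssl_deps "$bin") || continue
        echo "$bin: ${deps:-no OpenSSL libraries}"
        all="$all
$deps"
    done
    shared=$(printf '%s\n' "$all" | sed '/^$/d' | sort | uniq -d)
    if [ -n "$shared" ]; then
        echo "shared OpenSSL exposure: $(printf '%s' "$shared" | tr '\n' ' ')"
    else
        echo "no OpenSSL library is shared between these binaries"
    fi
}

# Constructed sample of ldd output (hypothetical paths and versions), used
# so the parser can be exercised without the real binaries installed.
sample_ldd_output() {
    printf '\tlinux-vdso.so.1 (0x00007ffd1b3f2000)\n'
    printf '\tlibcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x00007f2a5c000000)\n'
    printf '\tlibssl.so.3 => /usr/lib/libssl.so.3 (0x00007f2a5bf00000)\n'
    printf '\tlibc.so.6 => /lib/libc.so.6 (0x00007f2a5bd00000)\n'
}

# Stand-alone demonstration on the constructed sample. To check a real
# host instead, run:  report_shared_exposure sshd stunnel
echo "OpenSSL libraries in constructed sample:"
sample_ldd_output | openssl_deps
```

On a real host, `report_shared_exposure sshd stunnel` shows whether both programs pull in the same libssl/libcrypto build; if they do, a fix for an OpenSSL flaw needs to reach both, and stunnel adds no OpenSSL exposure that sshd did not already carry. A statically linked sshd or stunnel shows no OpenSSL entries in ldd even though it embeds the code, so treat an empty result as "check how it was built", not as "no OpenSSL".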

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).



More information about the MailScanner mailing list