Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.cs.su.oz.au!metro!metro!munnari.OZ.AU!spool.mu.edu!newspump.sol.net!uwm.edu!news-peer.gsl.net!news.gsl.net!nntp.coast.net!news2.acs.oakland.edu!news.tacom.army.mil!news.webspan.net!usenet
From: "Jordan K. Hubbard" <jkh@FreeBSD.org>
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: TCP Encryption
Date: Sun, 29 Sep 1996 03:14:21 -0700
Organization: Walnut Creek CDROM
Lines: 32
Message-ID: <324E4BFC.167EB0E7@FreeBSD.org>
References: <Pine.BSF.3.91.960928164946.15233A-100000@darkstar>
NNTP-Posting-Host: time.cdrom.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 3.0 (X11; I; FreeBSD 2.2-CURRENT i386)
To: Charles Mott <cmott@srv.net>

Charles Mott wrote:
> A well known and worrisome aspect of two standard TCP applications, Telnet
> and FTP, is that usernames and passwords are sent in the clear, as well as
> ...
> Rather than using a Kerberos-like solution, which seems to me bulky and
> difficult to set up, an automatic encryption system embedded in TCP option
> header words seems a better long-term solution. When a TCP connection is

I think that's adding protection at the wrong level. Consider: It's not the transport that needs to be secured, it's certain services that run on top (and only certain ones - I wouldn't want my USENET news encrypted, for example, as that'd just be a waste of CPU time on both ends).

For secure logins, you need not (and should not) use telnet or ftp; you should use something like ssh, which provides point-to-point encryption. If you are unable to use ssh, then FreeBSD also has S/Key authentication for both telnet and ftp (see the man page for keyinit(1)) - this allows you to set up a "one time pad" scheme, so people can sniff your passwords all they want and it won't do them any good - the only passwords they see are, by definition, already expired and useless.
If, on the other hand, you *really* want to secure an entire pipe, then you can still do it with tunneling, implementing a "virtual private network" topology with full crypto between the various LANs. One of our core team members, Peter Wemm, did something like this with the tunneling device and ssh.

Either way, it doesn't take hacking the TCP/IP stack to provide security, simply some setup work with already available tools.

--
- Jordan Hubbard
President, FreeBSD Project
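The S/Key argument above (a sniffed password is already expired) rests on a hash chain, shown here as an added example that is not part of the post or of FreeBSD's keyinit(1). It follows the structure of RFC 1760 (server stores h^n, client answers with h^(n-1), server verifies by hashing once more), but the fold uses SHA-256 instead of S/Key's MD4 and skips the six-word encoding; the passphrase, seed and class names are constructed for the demo.

```python
import hashlib
import secrets

# Added example (not from the post): an S/Key-style one-time-password chain.
# Simplification: real S/Key folds an MD4 digest to 64 bits and prints the
# result as six dictionary words; here SHA-256 is folded to 8 bytes instead.

def otp_hash(block: bytes) -> bytes:
    """One step of the chain: hash the input and fold the digest to 8 bytes."""
    d = hashlib.sha256(block).digest()
    return bytes(a ^ b ^ c ^ e for a, b, c, e in zip(d[:8], d[8:16], d[16:24], d[24:]))

def otp_chain(passphrase: str, seed: str, n: int) -> bytes:
    """h^n(seed || passphrase): the n-th one-time password of the chain."""
    x = (seed.lower() + passphrase).encode()
    for _ in range(n):
        x = otp_hash(x)
    return x

class SkeyServer:
    """Holds only the last accepted password and its sequence number.
    The secret passphrase never reaches the server and is never stored."""
    def __init__(self, seed: str, seq: int, last: bytes):
        self.seed, self.seq, self.last = seed, seq, last

    def challenge(self):
        # Sent in the clear, like "otp-sha 99 fb123456" on a real login prompt.
        return self.seq - 1, self.seed

    def verify(self, response: bytes) -> bool:
        # The client sent h^(seq-1); hashing it once must reproduce stored h^seq.
        if secrets.compare_digest(otp_hash(response), self.last):
            self.seq -= 1
            self.last = response   # a replay of this value will now fail
            return True
        return False

def keyinit(passphrase: str, seed: str, n: int = 100) -> SkeyServer:
    """Initial enrolment: the user computes h^n once and hands it to the server."""
    return SkeyServer(seed, n, otp_chain(passphrase, seed, n))

def demo():
    passphrase, seed = "correct horse battery", "fb123456"   # constructed values
    server = keyinit(passphrase, seed, 100)
    seq, s = server.challenge()                  # seq == 99
    resp = otp_chain(passphrase, s, seq)         # what a sniffer would see
    first = server.verify(resp)                  # True: genuine login
    replay = server.verify(resp)                 # False: already expired
    seq2, _ = server.challenge()                 # seq2 == 98
    second = server.verify(otp_chain(passphrase, seed, seq2))  # True
    return first, replay, second
```

An eavesdropper who captures h^99 cannot produce h^98 without inverting the hash, which is why the captured value is useless for the next login; what S/Key does not give you is confidentiality or integrity of the session that follows, the part the post assigns to ssh or a tunnel.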