This is not a security mailing list. Check your nearest security archive
or search the web for a more specific URL. (Hint: there are a lot of
things you can do without getting a single bit in response;
"echo + + > ~/.rhosts" is the easiest one).
>
> Another more important point: does your server use easy to guess
> sequence numbers? If so, maintaining a spoofed session is much easier.
> Check with your UNIX vendor.
I assume all your equipment has the latest software from your vendors.
Are you filtering at your border routers? If yes, why? Guess
you are not quite sure about your vendor(s)...
> > Considering rather rare occasions this authentication is needed
> > it should not be a big deal.
>
> It is. Every application may not be rare.
And the Moon may fall on the Earth. Let's get real.
> No session encryption? I would prefer session encryption over
> authentication, because you could always authenticate securely over an
> encrypted session, and you can run sessions over insecure networks too
> (which you can if only the authentication is encrypted).
Sure you do. Me, too. But wait, you just said it's quite a CPU-intensive
task, so session encryption is impossible (at least without additional
hardware power). Now, what would you prefer - no session encryption
*and* no strong authentication, or strong authentication at least?
The answer is obvious - unless you are a maximalist, "everything or
nothing". Hopefully there aren't many people of that type.
--
Igor V. Semenyuk              Internet: iga@sovam.com
SOVAM Teleport                Phone:    +7 095 258 4170
Moscow, Russia                Fax:      +7 095 258 4133
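The quoted point about easy-to-guess sequence numbers is something you can measure rather than ask your vendor about. The following is an added example, not code from this message or anyone in the thread: it takes a series of initial sequence numbers (ISNs) observed in SYN/ACKs from one host and estimates how many guesses a blind spoofer would need for the next one. The ISN samples are constructed inline so it runs offline; the 16-bit "low-range" threshold and the function names are assumptions of this example, not any standard. In real use you would collect the ISNs yourself by opening a few connections in quick succession and reading the sequence field from each SYN/ACK.

```python
"""Estimate how predictable a host's TCP initial sequence numbers are.

Added example, not part of the original thread. The samples below are
constructed; a real check records the ISN from the SYN/ACK of several
connections opened a few milliseconds apart.
"""
from functools import reduce
from math import gcd

SEQ_MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap


def isn_deltas(isns):
    """Wrap-safe differences between consecutive ISN samples."""
    return [(b - a) % SEQ_MOD for a, b in zip(isns, isns[1:])]


def classify_isn(isns):
    """Classify an ISN sample by how far consecutive deltas spread.

    Returns (kind, spread, step):
      kind   - 'constant'  : every delta identical (old BSD 64k/128k style);
                             the next ISN is known exactly.
               'low-range' : deltas stay inside a small window; a blind
                             attacker hits with a handful of guesses.
               'random'    : deltas spread over most of the 32-bit space.
      spread - max(delta) - min(delta), the size of the guessing window.
      step   - gcd of the deltas, the granularity of the increments.
    """
    deltas = isn_deltas(isns)
    if len(deltas) < 2:
        raise ValueError("need at least three ISN samples")
    spread = max(deltas) - min(deltas)
    step = reduce(gcd, deltas)
    if spread == 0:
        return "constant", spread, step
    # Threshold is an assumption of this example: a window under 2**16
    # means a blind attacker can brute-force the ISN with a few thousand
    # spoofed packets.
    if spread < 2 ** 16:
        return "low-range", spread, step
    return "random", spread, step


def guesses_needed(isns):
    """Rough upper bound on distinct ISN values a blind spoofer must try.

    With deltas in [min, max] that are all multiples of `step`, the next
    ISN is one of spread/step + 1 candidates.
    """
    kind, spread, step = classify_isn(isns)
    if kind == "constant":
        return 1
    return spread // step + 1


# Constructed samples (not real captures):
# 1. Fixed 64000 increment per connection, as on old BSD-derived stacks.
BSD_STYLE = [1000, 65000, 129000, 193000]
# 2. 64000 increment with a little timing jitter, multiples of 50.
JITTERED = [1000, 65100, 129050, 193200]
# 3. Deltas spread across the 32-bit space.
RANDOMISED = [0x12345678, 0x9ABCDEF0, 0x0BADCAFE, 0xDEADBEEF]


def report(name, isns):
    """Human-readable line for one sample set."""
    kind, spread, step = classify_isn(isns)
    return f"{name}: {kind} (spread={spread}, step={step}, guesses<={guesses_needed(isns)})"


if __name__ == "__main__":
    for label, sample in (("bsd", BSD_STYLE), ("jitter", JITTERED), ("random", RANDOMISED)):
        print(report(label, sample))
```

A host in the 'constant' or 'low-range' class is exactly the "easy to guess" case the thread is arguing about: an attacker who cannot see the SYN/ACK can still complete the handshake by sending one ACK per candidate ISN, and then inject data into an rhosts-trusted service without ever receiving a byte.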