CERN Computer Security Information

SSH (Secure SHell) at CERN

Applications such as telnet, ftp, and X windows, expose all session data, including passwords, in clear on the network. Indeed, attackers routinely watch ("sniff") network traffic in order to gather clear-text passwords from legitimate users, e.g. connecting to or from a CERN computer. Once a password has been sniffed, the attacker might misuse it for any malicious activity, e.g. misusing the user's account to attack other computers, both inside and outside CERN.

In order to prevent attackers from obtaining such clear-text passwords, encryption must be used. Applications, such as SSH, allow for such an encryption. SSH is a network protocol and tool suite to transparently encrypt network traffic. It is designed to replace telnet, ftp and the BSD r-commands (rsh, rlogin, rexec, rcp), all of which transmit passwords as clear text and are vulnerable to connection hijacking. It offers secure port forwarding and can therefore be used to encrypt other network traffic (e.g. X11) as well. General information on SSH at CERN can be found here...

Using SSH securely

  • SSH is only secure when used end to end, i.e. directly from one trusted computer to a trusted server. You are advised to install and use SSH on your local system. (Note that using telnet or X11 to connect to a remote SSH client computer will still expose passwords in clear-text, as these applications do not encrypt.)

  • Passwords must still be regularly changed: An already-stolen password will continue to work over SSH, and although the encryption mechanism is generally assumed to be secure, passwords may still be discovered. Password advice is available here.

More Information on...