[Info-vax] OpenVMS V9.0-C Released July 29th

Phillip Helbig undress to reply helbig at asclothestro.multivax.de
Tue Aug 4 01:45:56 EDT 2020


In article <rgap56$e2s$2 at dont-email.me>, Simon Clubley
<clubley at remove_me.eisner.decus.org-Earth.UFP> writes: 

> On 2020-08-03, Phillip Helbig (undress to reply) <helbig at asclothestro.multivax.de> wrote:
> >
> > (and a DECnet proxy is no worse than having an 
> > SSH key in place).
> >
> 
> Huh ???
> 
> SSH keys are an excellent example of a shared secret - you need to
> steal the shared secret before you can even think of impersonating
> a person/node.
> 
> DECnet proxies OTOH are an absolute joke in today's world and may
> even be worse than sending the password in the clear. This is because
> there are no shared secrets between DECnet nodes.
> 
> As such, there is _no_ impersonation protection with DECnet proxies.
> All you need is the DECnet address of the node you wish to impersonate.
> 
> IOW, anyone can pretend to be an existing DECnet proxy node.

Yes, but that assumes that the bogus node is on the same network, which, 
today, is extremely improbable.  Back in the days when DECnet was 
routed, sure.

My point was that an SSH key is essentially equivalent to a password in 
clear text on the disk.  OK, it's longer so one can't remember it at a 
glance, but this is protection only against the glance-over-the-shoulder 
tactic, which is definitely NOT how most passwords are stolen these 
days.

Yes, the problem is that some sites store passwords in clear text.  
However, here the situation is that one has access to one system on the 
network and can thus access others---doesn't matter if the password is 
on the disk, there is a proxy, there is an SSH key, or whatever.



