[NTLK] SSH client once again - sorry!

John Cochrane johnc33.lists+newtontalk at googlemail.com
Fri May 21 06:30:50 EDT 2010


> MAC address filtering, while not perfect, might work well enough for you.
>
> <snip>

> And, as Tony responded a little while ago:
>
> "I guess it comes down to how much risk you're prepared to take with your home
> networking data.

<snip>

> Is the information we handle *that* sensitive?


I can see where you're both going with this, and they're both fair
comments/questions. However, for me the issue/concern is not so much
about 'access to the network' (MAC filtering) or the data in transit
per se, as the access credentials.

I administer most of the family (including extended family) computers
and I generally use VNC/ScreenSharing for much of this. I can also
'teach' family members to do things because they can see what's
happening, as opposed to using shell access. It could be argued that
the 'plain' data that is transmitted (essentially the desktop/screen
contents) is not that sensitive and it doesn't matter if someone else
'sees' what is happening on screen.

However, in my opinion, the login credentials *are* sensitive and this
is irrespective of the *means* of connection - be that WiFi (at either
end) or the physical bit in the middle which does most of the work.

VNC, as wonderful an open source 'format' that it is, is woefully
insecure in its raw state. There is absolutely no way that I would
open TCP ports 59xx on a router and login 'plain text'. If that
information were to be sniffed (at any point along the connection)
then that target box could easily be subsequently controlled as if one
were sitting at the machine. With that level of access, the machine is
as good as compromised. That's *bad* and absolutely to be avoided!

My approach to this is to specifically deny all connection attempts to
the VNC server except those from 127.0.0.1 (localhost) and, by using
SSH with port forwarding, this effectively secures VNC and 'ring
fences' my connection. My plain text username/password combo is no
longer plain text :-)

In the same vein, I use SSH with port forwarding for mounting remote
drives via (tunneled) AFP and other such tasks. SSH is *good*!!!

The idea of it being possible to achieve this on a Newton is very
appealing (to me) hence the original question.

Cheers,

John
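A shell sketch of the arrangement John describes, added here as an illustration and not his own commands: an audit that the VNC listener really is bound only to loopback (run over a constructed sample of `ss -ltn` output, not a capture from a real host), and the ssh invocation that forwards a loopback port on the admin machine to the server's loopback port 5900. The username, hostname and ports are placeholders. The server-side binding itself is done in the VNC server's own configuration (e.g. `x11vnc -localhost`, or `vncserver -localhost` on TigerVNC), which this script only checks.

```shell
#!/bin/sh
# Added example, not from the original post. Checks that a VNC server listens
# only on loopback, and builds the ssh port-forward that carries the VNC session.
# User, host and ports below are placeholders.

# Constructed sample of `ss -ltn` output (made up for this example, not a real
# capture). 5900-5999 is the VNC display range: 5900 and 5902 are bound to
# loopback, 5901 and 5903 answer on every interface.
SAMPLE_LISTENERS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      5      127.0.0.1:5900      0.0.0.0:*
LISTEN 0      5      0.0.0.0:5901        0.0.0.0:*
LISTEN 0      5      [::1]:5902          [::]:*
LISTEN 0      5      [::]:5903           [::]:*'

# Read ss-style lines on stdin; print the local address of every VNC listener
# that is NOT bound to 127.0.0.1 or [::1], one per line.
vnc_exposed_listeners() {
    awk '
    $1 == "LISTEN" {
        la = $4
        n = split(la, parts, ":")
        port = parts[n]
        addr = substr(la, 1, length(la) - length(port) - 1)
        if (port + 0 >= 5900 && port + 0 <= 5999 &&
            addr != "127.0.0.1" && addr != "[::1]")
            print la
    }'
}

# Count exposed VNC listeners in the text passed as $1 (wc output trimmed so the
# result is the same on BSD/macOS and Linux).
count_exposed_vnc() {
    printf '%s\n' "$1" | vnc_exposed_listeners | wc -l | tr -d ' '
}

# Emit the ssh command for the tunnel: local loopback port -> remote loopback port.
# -N opens no remote shell, only the forward. Pinning the local end to
# 127.0.0.1 keeps other hosts on the admin-side LAN from riding the tunnel.
vnc_tunnel_cmd() {
    user="$1"; host="$2"; remote_port="${3:-5900}"; local_port="${4:-5901}"
    printf 'ssh -N -L 127.0.0.1:%s:127.0.0.1:%s %s@%s\n' \
        "$local_port" "$remote_port" "$user" "$host"
}

# Stand-alone run: audit the sample, then show the tunnel for a placeholder host.
echo "VNC listeners reachable off-box (should be none):"
printf '%s\n' "$SAMPLE_LISTENERS" | vnc_exposed_listeners
echo "Exposed count: $(count_exposed_vnc "$SAMPLE_LISTENERS")"
echo "Tunnel: $(vnc_tunnel_cmd alice vnc-host.example.net 5900 5901)"
# On the real server the audit is simply:  ss -ltn | vnc_exposed_listeners
```

Once the tunnel is up, the VNC viewer is pointed at 127.0.0.1:5901 (display :1 in VNC notation) rather than at the remote host, so the username/password exchange and the screen contents only ever cross the network inside the SSH session; the audit above is worth re-running after any VNC server upgrade, since the loopback-only binding is a server setting that can be reset.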


