telnet

inode0 inode0 at gmail.com
Wed Mar 9 04:08:45 UTC 2005


On Tue, 08 Mar 2005 16:14:27 -0800, Rick Stevens
<rstevens at vitalstream.com> wrote:
> inode0 wrote:
> > Good advice in general but encrypted telnet is available on RHEL and
> > FC distributions if you are in an environment supporting it.
> 
> Encrypted telnet is fairly rare.  If you have it, you undoubtedly can
> have ssh, and I still vote for ssh.

It is one of the few Athena-type environments with Kerberos and AFS.
The combination of needing tokens to get to your home directory,
needing to authenticate to Kerberos to get the tokens, and sshd causes
something of a chicken and egg problem resulting in having to, in
essence, log in twice to use ssh on incoming connections. The powers
that be don't run sshd on these machines for accounting reasons, so we
don't have that option even if we wished to choose it.
 
> > Agreed when you have the choice. I know of one largish environment
> > with between 30 and 40 thousand users where both ssh and unencrypted
> > telnet are unavailable in places. Encrypted telnet is your only
> > choice. I very much appreciate that Red Hat provides support for this.
> 
> Any environment that permits unencrypted telnet is dangerous if the
> network isn't secure.  Again, if you have etelnet, you sure as heck can
> have ssh.  And I can't recall if etelnet encrypts the initial logon
> sequence if you don't have "-a valid" or "-a user" enabled.

Generally forwarded tickets are used to authenticate so no passwords
go across the network in any case. Unencrypted telnet is clearly
dangerous and that is why it isn't even an option in this environment.
If you don't negotiate an encrypted session, telnetd says goodbye to
you.

I completely agree with the gist of everything you've said. My only
point is that encrypted telnet does exist and is useful when other
options are unavailable. I see telnet portrayed as insecure so often
that occasionally I feel the need to point out that, while it is true
that it generally is insecure, it doesn't have to be insecure. In the
world I live in, telnet is both secure and valuable.

It doesn't have anything to do with installing Red Hat stuff though,
so I'll apologize for butting in with this and quietly butt back out
now.

John




More information about the Redhat-install-list mailing list