telnet

Rick Stevens rstevens at vitalstream.com
Wed Mar 9 17:30:22 UTC 2005


inode0 wrote:
> On Tue, 08 Mar 2005 16:14:27 -0800, Rick Stevens
> <rstevens at vitalstream.com> wrote:
> 
>>inode0 wrote:
>>
>>>Good advice in general but encrypted telnet is available on RHEL and
>>>FC distributions if you are in an environment supporting it.
>>
>>Encrypted telnet is fairly rare.  If you have it, you undoubtedly can
>>have ssh, and I still vote for ssh.
> 
> 
> It is one of the few athena type environments with kerberos and afs.
> The combination of needing tokens to get to your home directory,
> needing to authenticate to kerberos to get the tokens, and sshd cause
> something of a chicken and egg problem resulting in having to, in
> essence, login twice to use ssh on incoming connections. The powers
> that be don't run sshd on these machines for accounting reasons, so we
> don't have that option even if we wished to choose it.

I see your point.  Obviously you have designed a pretty secure network 
and etelnet is appropriate for that.

>>Any environment that permits unencrypted telnet is dangerous if the
>>network isn't secure.  Again, if you have etelnet, you sure as heck can
>>have ssh.  And I can't recall if etelnet encrypts the initial logon
>>sequence if you don't have "-a valid" or "-a user" enabled.
> 
> 
> Generally forwarded tickets are used to authenticate so no passwords
> go across the network in any case. Unencrypted telnet is clearly
> dangerous and that is why it isn't even an option in this environment.
> If you don't negotiate an encrypted session, telnetd says goodbye to
> you.

Ah.  I wasn't clear that you had deployed Kerberos.  Most of my
objections evaporate in that case.

> 
> I completely agree with the gist of everything you've said. My only
> point is that encrypted telnet does exist and is useful when other
> options are unavailable. I see telnet portrayed as insecure so often
> that occasionally I feel the need to point out that, while it is true
> that it generally is insecure, it doesn't have to be insecure. In the
> world I live in, telnet is both secure and valuable.
> 
> It doesn't have anything to do with installing Red Hat stuff though,
> so I'll apologize for butting in with this and quietly butt back out
> now.

No, no.  Jump in whenever you think you have something germane to the
discussion.  I apologize for not quite getting what your environment
was.

I often jump on the "don't ever use telnet" cart because the vast
majority of the audience of this and the fedora-list are relative
newbies and don't realize the security problems of standard telnet.
They launch the telnet daemon, get hacked, and wonder why.  I'm simply
trying to prevent them from "learning the hard way".
> 
> John
> 


-- 
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-           What is a "free" gift?  Aren't all gifts free?           -
----------------------------------------------------------------------



