[Ma-linux] Re: SSH and Telnet
plarsen at famlarsen.homelinux.com
Wed Feb 14 16:48:39 EST 2007
Michael Stone wrote:
> On Wed, Feb 14, 2007 at 01:55:41PM -0500, Peter Larsen wrote:
>> But one thing puzzles me with your "rant"; I don't see how/where you
>> claim telnet would EVER be more secure than ssh?
> When you want to see what's happening on the session.
I don't follow you. First you discuss how insecure it is, and now your
argument for not using it, is it's too secure?? I can understand why
ssh complicates matters if you want to use honey pots, but there are
lots of ways around that. Anyway, that's a very specific purpose;
generally I don't need to spy on the session per say; I can trust my
syslog messages if the session tries to go beyond it's limits.
> When you're
> operating on a trusted local network.
That still doesn't address why telnet is more secure? You're just saying
that in some cases, lower layers provides encryption, so why double up?
And I answered that - because ssh has a ton of other features, which
allows you to simply what runs on your box. Besides, IPSEC usually runs
external to the network only. Lots of threats are internally - more than
likely that's where any attack will come from - so securing your
administration links between hosts seems a very straight forward
solution to minimize that risk.
> When you're using another
> mechanism such as ipsec to handle the encryption. Etc.
That still doesn't make telnet more secure or better?? If you choose
telnet because you want to be able to trace the session, that's
basically an argument for keeping things insecure?
> Remember that
> "security" isn't a binary condition. Again, ssh addresses mitigates some
> risks and opens others; I'm not going to go through that list again.
I didn't want you to. I agree that SSH has it's problems. I didn't see
anyone claim otherwise? I have just never seen anyone compare telnet and
ssh and found any case where telnet would win? That's what puzzled me
here. Nothing more.
> the risks that ssh mitigates are less important to you than those that
> it adds, then it's not the right tool for you. If the opposite is true,
> than it is the right tool.
But SSH is so much more than just a terminal. There are lots of other
reasons than a terminal to use ssh. Why keep both around?
>> one of my standard sshd.conf settings is to deny root logins. Try that
>> with telnet!
> Umm, that's been the default for what, a decade or two?
Has it? Not due to telnet, but to the stacks upon telnet runs. And
that's fine but still it shows why telnet and ssh can't really be
compared security wise?
>> Do I use telnet? Sure I do - but not as a terminal. To debug different
> That has nothing to do with the telnet protocol, you're just using the
> telnet command to open straight tcp session (which is *not* what happens
> with the telnet protocol). If you used "nc" to do that you'd get the
> same result (and there'd probably be less confusion).
nc doesn't have the ability to drop to shell. In cases such as http I
surely do prefer to use telnet and get characters such as ch/cr
interpreted for me. It's more than merely a raw dump of a character
stream. But this is straying off topic.
Personally I would never use a telnet server again. Not because I think
ssh is 100% secure; but because it's better than telnet, both in
security and in features. No need to setup telnet, nfs or other tunnel
systems. No need to configure rshd and other of the old remote
management protocols. I have all that built into ssh. It even does X
forwarding with is one of the features I use most. None of those
features are available with telnet.
If I wanted to trace what was going on, on a honey-pot I would probably
simply hack bash etc and have it duplicate all input etc. to a remote
More information about the Ma-linux