[Ma-linux] Re: SSH and Telnet
Peter Larsen
plarsen at famlarsen.homelinux.com
Wed Feb 14 16:48:39 EST 2007
Michael Stone wrote:
> On Wed, Feb 14, 2007 at 01:55:41PM -0500, Peter Larsen wrote:
>> But one thing puzzles me with your "rant"; I don't see how/where you
>> claim telnet would EVER be more secure than ssh?
>
> When you want to see what's happening on the session.
I don't follow you. First you discuss how insecure it is, and now your
argument for not using it is that it's too secure?? I can understand why
ssh complicates matters if you want to use honey pots, but there are
lots of ways around that. Anyway, that's a very specific purpose;
generally I don't need to spy on the session per se; I can trust my
syslog messages if the session tries to go beyond its limits.
> When you're
> operating on a trusted local network.
That still doesn't address why telnet is more secure? You're just saying
that in some cases, lower layers provide encryption, so why double up?
And I answered that - because ssh has a ton of other features, which
allow you to simplify what runs on your box. Besides, IPSEC usually runs
external to the network only. Lots of threats are internal - more than
likely that's where any attack will come from - so securing your
administration links between hosts seems a very straightforward
solution to minimize that risk.
> When you're using another
> mechanism such as ipsec to handle the encryption. Etc.
That still doesn't make telnet more secure or better?? If you choose
telnet because you want to be able to trace the session, that's
basically an argument for keeping things insecure?
> Remember that
> "security" isn't a binary condition. Again, ssh addresses mitigates some
> risks and opens others; I'm not going to go through that list again.
I didn't want you to. I agree that SSH has its problems. I didn't see
anyone claim otherwise? I have just never seen anyone compare telnet and
ssh and find any case where telnet would win? That's what puzzled me
here. Nothing more.
> If
> the risks that ssh mitigates are less important to you than those that
> it adds, then it's not the right tool for you. If the opposite is true,
> then it is the right tool.
But SSH is so much more than just a terminal. There are lots of other
reasons than a terminal to use ssh. Why keep both around?
>> one of my standard sshd.conf settings is to deny root logins. Try that
>> with telnet!
>
> Umm, that's been the default for what, a decade or two?
Has it? Not due to telnet, but to the stacks upon which telnet runs. And
that's fine, but still it shows why telnet and ssh can't really be
compared security wise?
>> Do I use telnet? Sure I do - but not as a terminal. To debug different
>> protocols,
>
> That has nothing to do with the telnet protocol, you're just using the
> telnet command to open straight tcp session (which is *not* what happens
> with the telnet protocol). If you used "nc" to do that you'd get the
> same result (and there'd probably be less confusion).
nc doesn't have the ability to drop to shell. In cases such as http I
surely do prefer to use telnet and get characters such as ch/cr
interpreted for me. It's more than merely a raw dump of a character
stream. But this is straying off topic.
Personally I would never use a telnet server again. Not because I think
ssh is 100% secure; but because it's better than telnet, both in
security and in features. No need to set up telnet, nfs or other tunnel
systems. No need to configure rshd and other old remote
management protocols. I have all that built into ssh. It even does X
forwarding, which is one of the features I use most. None of those
features are available with telnet.
If I wanted to trace what was going on, on a honey-pot I would probably
simply hack bash etc and have it duplicate all input etc. to a remote
file/syslog.
Regards
Peter Larsen