Mailinglist Archive: opensuse-security (138 mails)

Re: [suse-security] Re: Why Install Telnet by Default?
  • From: John Summerfield <suse@xxxxxxxxxxxxxxxxxxxxxx>
  • Date: Fri, 09 Dec 2005 08:39:33 +0800
  • Message-id: <4398D245.8040600@xxxxxxxxxxxxxxxxxxxxxx>
Randall R Schulz wrote:
> John,
>
> On Thursday 08 December 2005 09:02, John Summerfield wrote:
>> Randall R Schulz wrote:
>>> Allen,
>>>
>>> On Thursday 08 December 2005 08:37, Allen wrote:
>>>> Telnet is only insecure because it sends usernames and passwords
>>>> in the clear and that's a bad idea over the internet because it
>>>> can be snooped. However, on a LAN where you want to tinker, this
>>>> is fine.
>>> It's also not secure in that it sends _all_ the data, inbound and
>>> outbound, unencrypted.
>> Just like postfix, sendmail, exim, qmail, zmailer and every other
>> MTA.
>
> So? My point is no less valid because it applies elsewhere, too.

telnet's the least of the hazards (in terms of its use), the greatest
(in terms of the warnings).
>
>
>> More people send more confidential data by unencrypted email than
>> they do by telnet, and I don't recall anyone saying "don't use
>> email."
>
> More people are fools than wise, yes?
>
>
>> Yeah, sometimes someone mentions it's insecure, usually they don't say
>> why, but as soon as someone mentions telnet, they say, "Ooh, don't do
>> that, it's insecure."
>>
>> It's the telnet _protocol_ that lacks security features: don't blame
>> the servers and clients for doing what the telnet STDs say they must.
>
> I didn't think there was any blame going on here.

I don't know about that, some were saying "telnet" by which one usually
means the telnet client program, some said "telnetd" referring to the
server (and so accepting "telnet" refers to the client).
>
> And if you're going to take that approach, then you must acknowledge
> that there are secure email transfer formats that are widely
> implemented.
>
>
>> I use ssh rather than telnet, rsh, rexec etc because it's more
>> convenient. Mostly, I control the wire or go through a vpn I control.
>
> That depends, I guess, on how you define convenience. I know of nothing
> about configuring or using SSH-based services that is more convenient
> than using plain old (non-secure) telnet. (Even if SSH-based services
> are taken out of the picture entirely, I still have to type several
> passwords many times each day, so keyed access isn't going to make my
> life much more convenient.)

Using ssh, I can arrange for secure passwordless authentication. That's
a great convenience I could never achieve with telnet, though I did
sort of fudge it with an expect script.

ssh can forward X sessions so I can run kpat on a remote computer, with
the display on mine. That's a great convenience I could manage with rsh
only by allowing all X connexions to all computers I'd want to run kpat
on. Doubtless you'd see security problems with that.

More seriously than kpat, I generally do software updates in a remote
xterm displaying locally. It's a great convenience that I don't have to
fiddle with rhosts and use xhost for every combination of system I might
want to maintain and computer from which I want to do it and that
changes in IP address and/or host name at either end don't matter.

It's often useful that ssh can forward ports, so I can use a port number
on my system (a laptop right now) to access a service on any LAN where I
can connect. This is a great convenience when
1. I need to reconfigure an http-based router, printer etc on a LAN that
I can reach, where the device doesn't know where _I_ am.
2. I need to connect to an IPP printer on the office LAN from home: I
can forward a port from my home desktop to my office desktop and have at it.
3. Ditto, connecting to a work database.

The convenience of passwordless authenticated login extends to other
facilities such as scp, rsync, tar (should I want to backup to a remote
tape drive) and plain ordinary file copying, whether using tar, dd or
something else, over a pipe.

The fact that these connexions are encrypted is nice, of course, and I
might even put up with some inconvenience sometimes to obtain those
benefits, but I don't have to make the choice, in my ordinary use they
are completely unimportant.

It's when using security is more convenient than not using it that most
people will use security.

I'm sure that, even in these times, if you surveyed homes or cars in
your local suburb, you'd find a few unlocked (even when unattended),
because locking them is inconvenient.
