telnet / in.telnetd with encryption support
Hi ! I'd like to use telnet with encryption support. I took a look at the telnet.spm but I couldn't find any option for encryption. Has anybody tried this before and was succesful ? Cheers Bjoern
Bjoern Engels wrote:
Hi !
I'd like to use telnet with encryption support. I took a look at the telnet.spm but I couldn't find any option for encryption. Has anybody tried this before and was succesful ?
Uuuuh, why isn't it me having such innovative ideas? >:-P Did you try ssh/sshd? Martin -- Dipl.Math. Martin Peikert Discon GmbH IT-Security Engineer Wrangelstrasse 100 http://www.discon.de/ 10997 Berlin, Germany
On Thursday, 21. February 2002 14:24, Martin Peikert wrote:
I'd like to use telnet with encryption support. I took a look at the telnet.spm but I couldn't find any option for encryption. Has anybody tried this before and was succesful ?
Uuuuh, why isn't it me having such innovative ideas? >:-P
Did you try ssh/sshd?
Sure, but if you compare the history of telnet / ssh during the last years, ssh had lot's of security holes and I'm just aware of one hole in telnetd. *BSD comes out of the box with encryption support for telnet and I consider it not much less secure than ssh. I even think that unencrypted telnet _can_ be more secure than ssh (depending on the topology, of course). To get the telnet-password you still have to sniff the traffic - if ssh has one of those bufferoverflows or other problems again, you don't even need to do that - you just compile the exploit and root the machine.
Martin
Bjoern
Sure, but if you compare the history of telnet / ssh during the last years, ssh had lot's of security holes and I'm just aware of one hole in telnetd. *BSD comes out of the box with encryption support for telnet and I consider it not much less secure than ssh. I even think that unencrypted telnet _can_ be more secure than ssh (depending on the topology, of course). To get the telnet-password you still have to sniff the traffic - if ssh has one of those bufferoverflows or other problems again, you don't even need to do that - you just compile the exploit and root the machine.
Quite nice -a possible stand of view too. BUT, the problems related with ssh mostly depends on the login procedure, that tries to be secure. Telnet wont work that way, you do not need any xploit, you just have to sniff it out, as you say. Furthermore the traffic is encrypted too. But as i said - a possible stand of view Michael Appeldorn
Have you looked at deslogin? That's a good middleground target that behaves reasonably and has some redeeming virtues. #1) Cipher keyphrase at compile time. This is a little unusual if you are used to keygen and pub/private keys, but I find it works better (IMHO), but then I hate keys. #2) Encrypted pw file. Drawbacks: "weak" des cipher(whatever). If someone gets inside and can grab the deslogin binary they have the first part of a solution for cracking your deslogin trust group. Only passwords between you and the cracker then. The default login binary is the (maybe) vulnerable login shipped with your distro. If you like xinetd I have never gotten it to work with deslogin. Why, I don't know.
Bjoern Engels wrote:
On Thursday, 21. February 2002 14:24, Martin Peikert wrote:
I'd like to use telnet with encryption support. I took a look at the telnet.spm but I couldn't find any option for encryption. Has anybody tried this before and was succesful ?
Uuuuh, why isn't it me having such innovative ideas? >:-P
Did you try ssh/sshd?
Sure, but if you compare the history of telnet / ssh during the last years, ssh had lot's of security holes and I'm just aware of one hole in telnetd. *BSD comes out of the box with encryption support for telnet and I consider it not much less secure than ssh. I even think that unencrypted telnet _can_ be more secure than ssh (depending on the topology, of course). To get the telnet-password you still have to sniff the traffic - if ssh has one of those bufferoverflows or other problems again, you don't even need to do that - you just compile the exploit and root the machine.
Bjoern, I disagree with some of your comments. While telnet's encryption features prevent passive attacks to the flow of data (because it's encrypted), crypto telnet suffers from many types of man-in-the-middle attacks and the fact that an active attacker can inject malicious data into the connection init process to prevent the traffic from being encrypted. For more info, consult rfc2946, Telnet Data Encryption Option. IMO, telnet should not be used over insecure networks, with or without encryption. SSH (specially OpenSSH) may have had some security issues, but overall the level of implementation of cryptography, as well as the security-oriented design of SSH, make SSH the first choice for secure connections in most cases. It's also a question of the "looks" of your server; if an attacker scans your systems and discovers an open port 23, he/she might be more readily attack you, since crypto telnet is not very common and thus unknown to most of the exploit abusers. If you can't give up using telnet, I'd suggest setting up a SSH/VPN tunnel and route the telnet data through it.
Martin
Bjoern
Boris Lorenz
Bjoern Engels wrote:
Sure, but if you compare the history of telnet / ssh during the last years, ssh had lot's of security holes and I'm just aware of one hole in telnetd. *BSD comes out of the box with encryption support for telnet and I consider it not much less secure than ssh.
IIRC *BSD encryption support is only available if you use Kerberos - what about the security holes in telnetd with kerberos (see http://online.securityfocus.com/archive/1/200754)?
I even think that unencrypted telnet _can_ be more secure than ssh (depending on the topology, of course).
To get the telnet-password you still have to sniff the traffic - if ssh has one of those bufferoverflows or other problems again, you don't even need to do that - you just compile the exploit and root the machine.
I think we agree in this point: If noone can sniff the traffic you don't need encryption. If it is possible to sniff the traffic, encryption is, of course, recommended. If you need encrypted connections you can decide if you want to run telnetd and kerberos or sshd (or all three). In the first case, you have to watch the security holes of two apps, in the second it is only one. So if we need ancrypted connections, is telnetd with kerberos or sshd more secure? Or is it easier to watch the vulnerabilities of one or two apps? Martin -- Dipl.Math. Martin Peikert Discon GmbH IT-Security Engineer Wrangelstrasse 100 http://www.discon.de/ 10997 Berlin, Germany
What you're looking for, sounds like SSH to me: http://www.openssh.com Mit freundlichen Grüßen, Roman Dörr Systemtechniker Tel. +49 30 767151-14 -- tro:net GmbH Berlin Network & New Media Solutions Raumerstr. 22 10437 Berlin Tel. +49 30 767151-0 Fax +49 30 767151-13 Web www.tro.net -----Ursprüngliche Nachricht----- Von: Bjoern Engels [mailto:bengels@lanworks.de] Gesendet: Donnerstag, 21. Februar 2002 14:10 An: suse-security@suse.com Betreff: [suse-security] telnet / in.telnetd with encryption support Hi ! I'd like to use telnet with encryption support. I took a look at the telnet.spm but I couldn't find any option for encryption. Has anybody tried this before and was succesful ? Cheers Bjoern -- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
participants (6)
-
Bjoern Engels -
Boris Lorenz -
Martin Peikert -
Michael Appeldorn -
Roman Doerr -
ts