Bjoern Engels wrote:
> Sure, but if you compare the history of telnet / ssh during the last years, ssh had lots of security holes and I'm just aware of one hole in telnetd. *BSD comes out of the box with encryption support for telnet and I consider it not much less secure than ssh.

IIRC *BSD encryption support is only available if you use Kerberos - what about the security holes in telnetd with Kerberos (see http://online.securityfocus.com/archive/1/200754)?

> I even think that unencrypted telnet _can_ be more secure than ssh (depending on the topology, of course).
>
> To get the telnet password you still have to sniff the traffic - if ssh has one of those buffer overflows or other problems again, you don't even need to do that - you just compile the exploit and root the machine.

I think we agree on this point: if no one can sniff the traffic you don't need encryption. If it is possible to sniff the traffic, encryption is, of course, recommended.

If you need encrypted connections you can decide if you want to run telnetd and Kerberos or sshd (or all three). In the first case, you have to watch the security holes of two apps, in the second it is only one. So if we need encrypted connections, is telnetd with Kerberos or sshd more secure? Or is it easier to watch the vulnerabilities of one or two apps?

Martin

--
Dipl.Math. Martin Peikert
Discon GmbH
IT-Security Engineer
Wrangelstrasse 100
http://www.discon.de/
10997 Berlin, Germany