'we should all be uncomfortable with the extent to which luck ..'

Stephen J. Wilcox steve at opaltelecom.co.uk
Wed Jul 25 19:06:24 UTC 2001

> > telnetd is not inherently bad.  It is a tool that is lacking the
> > session encryption and strong authentication features of SSH, but is
> > still useful in some cases.  Like any tool it can be used poorly, but
> > that is not the fault of the tool.
> > 
> > For example, when traveling, I can log in securely from any random
> > Internet cafe using OPIE or S/Key one-time passwords via telnet.  SSH
> > requires that you trust your local machine, and OPIE assumes that you
> > don't.
> > 
> > David
> > 
> > -- 
> >    David Shaw  |  dshaw at jabberwocky.com  |  WWW http://www.jabberwocky.com/
> > +---------------------------------------------------------------------------+
> >    "There are two major products that come out of Berkeley: LSD and UNIX.
> >       We don't believe this to be a coincidence." - Jeremy S. Anderson
> > 
> You may not expose your password to get into your network, but you do
> expose everything else that happens on the connection, including the
> passwords to devices that do not use/support OPIE or S/Key
> authentication.  You can run an SSH client in a Java applet in nearly any
> browser.  If some devices on your network don't support ssh, ssh into
> something that does and from there, telnet to the devices that don't.

John, I think you miss the point. David is saying he can gain access to
devices with telnet, when he needs to, from untrusted hosts that hardly
support any services such as ssh. An application which I agree with to
some degree.

In the past I've used similar telnet backdoors to gain access when in the
field and there's been a crisis. That is where they have their use. As you
say, if you use it all the time then you run the risk, albeit a small one,
of being snooped.

FYI, at present I have no telnet access. Perhaps I'm paranoid! :)
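To make concrete why David's OPIE/S-Key login survives a snooped cafe connection while, as John notes, everything typed afterwards does not, here is an added example written for this page (not code from OPIE, S/Key or any of the posters). It implements the RFC 2289 MD5 variant: the server stores hash N and the client must present hash N-1, which the server checks by hashing it once. `SkeyVerifier` and `eavesdropper_replay` are this example's own names; the passphrase "This is a test." with seed "TeSt" is the RFC 2289 Appendix C test vector. Responses are hex only; the six-word dictionary encoding is omitted.

```python
"""RFC 2289 (S/Key / OPIE) one-time passwords, MD5 variant.

Added example for this thread, not code from OPIE, S/Key or any poster.
It shows why a sniffed OTP telnet login cannot be replayed: the server
keeps hash N, the client sends hash N-1, and MD5 is one-way.
"""
import hashlib
import hmac


def skey_fold_hash(data: bytes) -> bytes:
    """One chain step: MD5, then fold 128 bits to 64 by XORing the two halves."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def skey_otp(passphrase: str, seed: str, count: int) -> bytes:
    """Return the 8-byte one-time password with sequence number `count`.

    Per RFC 2289 the seed is case-insensitive (lowercased) and is prepended
    to the passphrase; count 0 is one hash of that string, count n is n more.
    """
    h = skey_fold_hash((seed.lower() + passphrase).encode("ascii"))
    for _ in range(count):
        h = skey_fold_hash(h)
    return h


class SkeyVerifier:
    """Hypothetical server-side check (class name and API are this example's own).

    Only the last accepted hash and its sequence number are stored; the
    passphrase is used once at enrolment and never kept.
    """

    def __init__(self, seed: str, passphrase: str, start_count: int) -> None:
        self.seed = seed
        self.count = start_count
        self.stored = skey_otp(passphrase, seed, start_count)

    def challenge(self) -> str:
        """Sent in the clear by design: 'otp-md5 <seq> <seed>'."""
        return f"otp-md5 {self.count - 1} {self.seed}"

    def verify(self, response: str) -> bool:
        """Accept `response` (hex, optional 'hex:' prefix) if hashing it once
        reproduces the stored value, then advance the stored value."""
        if self.count <= 0:
            return False  # sequence exhausted; user must re-enrol
        text = response.strip()
        if text.lower().startswith("hex:"):
            text = text[4:]
        try:
            candidate = bytes.fromhex(text.replace(" ", ""))
        except ValueError:
            return False
        if len(candidate) != 8:
            return False
        if not hmac.compare_digest(skey_fold_hash(candidate), self.stored):
            return False
        self.stored = candidate
        self.count -= 1
        return True


def eavesdropper_replay() -> dict:
    """Constructed scenario: the cafe network sees both challenge and response.
    Returns which attempts the server accepted."""
    passphrase, seed = "This is a test.", "TeSt"
    server = SkeyVerifier(seed, passphrase, 99)
    seq = int(server.challenge().split()[1])            # 98
    sniffed = skey_otp(passphrase, seed, seq).hex()     # what the user typed
    return {
        "user_login": server.verify(sniffed),           # accepted
        "replay": server.verify(sniffed),               # rejected: server now wants 97
        "hash_forward": server.verify(                  # rejected: hashing gives 99, not 97
            skey_fold_hash(bytes.fromhex(sniffed)).hex()),
    }


if __name__ == "__main__":
    print(skey_otp("This is a test.", "TeSt", 0).hex().upper())
    print(eavesdropper_replay())
```

The chain protects only the login credential: the seed and sequence number in the challenge are public, and an eavesdropper who captures hash N-1 can compute hash N (already used) but not hash N-2 (needed next). Anything sent after the telnet session is up, including enable passwords for devices behind this one, is still plaintext on the wire.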

