Kind of sad
kauer at biplane.com.au
Tue Nov 11 21:22:05 UTC 2014
On Tue, 2014-11-11 at 07:44 -0800, Michael Thomas wrote:
> On 11/11/2014 01:05 AM, Karl Auer wrote:
> > Someone who puts a real switch doing real work on the Internet with
> > working telnet access is asking to have at least the switch
> > compromised very quickly.
> How so? Assuming that you're using password auth, the real
> vulnerability is somebody figuring out the password and owning the
> box. SSH certainly helps here immensely with rsa auth, but only if you
> use it.
Well - yes. That's sort of my point. If you are going to send a password
over a network, make sure it's encrypted. Telnet isn't encrypted.
> An active MITM attack or passive snooping on telnet streams seems like
> it would be orders of magnitude less dangerous on a list of threats.
> SSH is definitely a Good Thing, but it's not a sliver bullet.
I didn't say it was. I just said that sending passwords in clear text
over the network is a very bad idea. Telnet does that, so using telnet
is a very bad idea. Use ssh, and the problem is gone. There are other
ways to make the problem disappear, and obviously neither they nor ssh
will protect you if you do any of a dozen other silly things.
Don't use telnet access for management of anything valuable unless you
own every inch of the path from you to it, or unless you can encrypt the
channel via other means.
Karl Auer (kauer at biplane.com.au)
GPG fingerprint: EC67 61E2 C2F6 EB55 884B E129 072B 0AF0 72AA 9882
Old fingerprint: B862 FB15 FE96 4961 BC62 1A40 6239 1208 9865 5F9A
More information about the NANOG