On Nov 24, 2014, at 3:46 PM, Warren Young <wyml at etr-usa.com> wrote:

> Now compare telnet: always vulnerable, all the time, since the day it was created, before most of the people on this list were born:

Technically, you can run kerberized (krb5) telnet/telnetd, and it's not quite as insecure as unkerberized telnet. The telnet protocol supports security measures, but most people just use OpenSSH (which can do a lot more) so there's little effort being made to widely use it. I doubt the OP was setting up krb5 telnetd, though.

-- 
Jonathan Billings <billings at negate.org>
On Nov 24, 2014, at 6:04 PM, Jonathan Billings <billings at negate.org> wrote:

> On Nov 24, 2014, at 3:46 PM, Warren Young <wyml at etr-usa.com> wrote:
>> Now compare telnet: always vulnerable, all the time, since the day it was created, before most of the people on this list were born:
>
> Technically, you can run kerberized (krb5) telnet/telnetd, and it's not quite as insecure as unkerberized telnet.

That only protects the authentication stage. You have to add RFC 2946 encryption or TLS to encrypt the rest of the conversation, something you get for free with SSH. Then having done that, you get to seek out the rare clients that can speak these protocol extensions, whereas all SSH clients do what you want as a matter of course.

It doesn't look like CentOS 7's in.telnetd supports this anyway. I base that on two bits of evidence:

1. The man page: " -a authmode ...not available in the current version."

2. ldd /usr/sbin/in.telnetd doesn't show that it's linked to libgssapi.
On Tue, Nov 25, 2014 at 10:42:18AM -0700, Warren Young wrote:

> It doesn't look like CentOS 7's in.telnetd supports this anyway. I
> base that on two bits of evidence:
>
> 1. The man page: " -a authmode ...not available in the current version."
>
> 2. ldd /usr/sbin/in.telnetd doesn't show that it's linked to libgssapi.

You'd have to use the clients in krb5-appl-clients and the telnetd in krb5-appl-servers. The 'telnet' in krb5-appl-clients has an -x flag that encrypts the data stream.

I never use any of this anymore. In fact, the only reason why I used kerberized telnet was back before OpenSSH was as widespread, and encrypted telnet was less overhead on the really old Suns I used. I just wanted to point out that the 'telnet' protocol is more than plain text.

-- 
Jonathan Billings <billings at negate.org>
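As an added example (not code from this thread, nor from the krb5-appl packages), the following Python script walks a captured telnet byte stream and reports whether the AUTHENTICATION (RFC 2941, option 37) and ENCRYPT (RFC 2946, option 38) options discussed above were actually agreed by both sides, which is how an operator can tell an encrypted kerberized session from a plaintext one on the wire. The two sample captures are constructed for illustration, not real traffic.

```python
"""Classify a captured telnet session by its IAC option negotiation.

Added example, not from the mailing-list thread. Assumes a single capture
holding both directions of the conversation, so a WILL from one side and a
DO from the other both appear in the same byte stream.
"""

IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
AUTHENTICATION, ENCRYPT = 37, 38           # RFC 2941 and RFC 2946 option codes
NAMES = {AUTHENTICATION: "authentication", ENCRYPT: "encrypt"}


def parse_negotiations(stream: bytes) -> list:
    """Return (command, option) pairs for every WILL/WONT/DO/DONT in the stream."""
    out, i = [], 0
    while i < len(stream):
        if stream[i] != IAC or i + 1 >= len(stream):
            i += 1                          # ordinary data byte
            continue
        cmd = stream[i + 1]
        if cmd == IAC:                      # IAC IAC is an escaped 0xFF data byte
            i += 2
        elif cmd in (WILL, WONT, DO, DONT) and i + 2 < len(stream):
            out.append((cmd, stream[i + 2]))
            i += 3
        elif cmd == SB:                     # skip subnegotiation body up to IAC SE
            end = stream.find(bytes([IAC, SE]), i + 2)   # ignores IAC IAC escapes inside SB
            i = len(stream) if end < 0 else end + 2
        else:                               # two-byte command (NOP, GA, ...)
            i += 2
    return out


def security_status(stream: bytes) -> dict:
    """An option counts as agreed only when both WILL and DO for it were seen."""
    negs = parse_negotiations(stream)
    status = {name: (WILL, opt) in negs and (DO, opt) in negs
              for opt, name in NAMES.items()}
    status["plaintext"] = not status["encrypt"]   # no ENCRYPT agreement = cleartext session
    return status


# Constructed samples: a plain session where the client refuses ENCRYPT, and a
# kerberized one that negotiates AUTHENTICATION (with a subnegotiation) and ENCRYPT.
SAMPLE_PLAINTEXT = bytes([IAC, DO, 1, IAC, WILL, 1, IAC, DO, ENCRYPT, IAC, WONT, ENCRYPT]) + b"login: "
SAMPLE_KRB5 = bytes([IAC, DO, AUTHENTICATION, IAC, WILL, AUTHENTICATION,
                     IAC, SB, AUTHENTICATION, 1, 2, 0, IAC, SE,
                     IAC, WILL, ENCRYPT, IAC, DO, ENCRYPT, IAC, IAC]) + b"\x00"

if __name__ == "__main__":
    for label, cap in (("plaintext", SAMPLE_PLAINTEXT), ("krb5", SAMPLE_KRB5)):
        print(label, security_status(cap))
```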