Rick Stevens wrote:
> And I'd think long and hard before I'd install telnet since it is
> completely insecure and one of the easiest protocols to hack. If your
> machine even BRUSHES up against the Internet, do NOT have telnet
> installed! You're asking for trouble.
First off, any network daemon that is open to connections is a security
problem, simply because it will contain bugs and they may well be
exploitable.
That said, an unused telnet daemon is inherently *more* secure than an
unused SSH daemon with password logins enabled -- the protocol is much
simpler, and there's much less code that has to be run against
unauthenticated connections. Less code means there are fewer places for
bugs to hide.
The only -- only -- security advantage that password-based SSH has over
telnet is that SSH connections are encrypted and hence can't be
eavesdropped. [1] If there are no connections, then there is no
advantage to SSH (either over telnet or a machine that doesn't run any
un-needed services). If those connections are secured some other way
(e.g. a VPN) then a telnet connection is not inherently insecure.
And there are other protocols (e.g. traditional NFS, or rsh) that are a
lot more insecure, since they *can* be compromised without
password-sniffing.
Having said all *that*, SSH with public key authorisation does have very
real security advantages, and SSH can be a good bit more convenient.
The telnet *client* does have uses beyond connecting to telnet
servers -- it's very useful when troubleshooting certain sorts of e-mail
problems, for example.
My sig-monster's on the ball again...
James.
[1] Please -- this is not an invitation to re-open the NSA thread!
--
E-mail: james@ | ... more holes in Internet Explorer than Blackburn,
aprilcottage.co.uk | Lancashire...
| --
http://theinquirer.net/?article=17235