Re: telnet vs ssh [WAS: Re: Dropping telnetd and rsh* for security reasons?]
on Fri, May 16, 2003 at 10:56:26AM -0400, Mark Roach (firstname.lastname@example.org) wrote:
> On Fri, 2003-05-16 at 04:29, Paul Johnson wrote:
> > Not really. If people consistantly refuse to deal with some kinds of
> > software, then it *will* die out.
> ok, devil's advocate here, I can just as easily say that ssh ssl etc are
> all just kludges that have been filling the gap until "real" crypto
> finally takes its place. If I (and all the machines I communicate with)
> have opportunistic encryption using freeswan or the Next Big Thing, why
> wouldn't I want to use telnet? In that sort of scenario, ssh is
> redundant and cumbersome not to mention processor intensive waste of
> If people would just start implementing ipsec/dnssec on a broader scale,
> these interim technologies like ssh and ssl could just hurry up and die
> off already...
> </devil's advocate>
Because that's only part of the problem.
ssh: *authenticated*, *encrypted* remote access.
Telnet and FreeSWAN / ipsec essentially offer one side of the coin each:
telnet provides authentication (and with one-time passwords, reasonable
auth at that), but no security. FreeSWAN provides security but no
authentication. You need both pieces. It makes some sense to drop
these in at the application layer, tunelling over the app as needed.
Too: nested ipsec within ipsec layers (and if you don't think that's
going to happen, you haven't seen today's enterprise nested firewall
nightmare) introduces inefficiencies and latencies into communications.
For the times you simply need to pipe bits from one system to another,
there's still netcat.
Karsten M. Self <email@example.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
Verio webhosting? Guaranteed downtime: