[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Authentication for telnet.

On Mon, 09 Dec 2019 08:21:27 -0800
peter@easthope.ca wrote:

> > telnetd is INSECURE and SHOULD NOT BE USED unless you have ... 
> > EXPLICITLY STATED reason.  
> 
> Where is that policy published?  Where should the description of use 
> be submitted for approval?

I have no idea whose policy you refer to, so I don't know if it's policy
or not. One of the main reasons telnet is deprecated is because it
sends passwords in the clear, so a malevolent snooper can harvest
passwords.

> 
> A session is routinely opened with xterm, gnome-terminal, lxterm and 
> etc. without authentication.  Why is authentication so necessary for 
> "telnet localhost"?

telnet localhost was not the typical use case. I suspect a malevolent
user on the same computer might be able to sniff passwords and other
traffic from memory. Since you are probably the sole user on your
computer, that is an unlikely scenario. Remember that Unix security
evolved in a day when Unix boxen were multi-user, and one (especially
administrators) could not assume benevolence on the part of all users.

Be aware of risks, and assess your own situation accordingly. If you
still prefer to use telnet, go for it.

-- 
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/
Reply to: