TCLUG Archive

Re: [TCLUG:20646] Root login



On Thu, Aug 24, 2000 at 12:14:37PM -0500, Dave Sherohman wrote:
> ^chewie said:
> > Telnetd isn't bad, really.  As long as you provide the SSL layer to
> > it. ;-) Purge the standard, unencrypted telnetd with the much better
> > telnetd-ssl ;-).  SSH is nice, but it isn't the ONLY answer.
> 
> Except, IIRC, telnet-ssl falls back to standard telnet if the other end isn't
> using SSL.  If you're running the telnet-ssl client, you get a nice little
> warning that encryption isn't available and you can decide whether to
> continue and all is good in the world.  However, if the telnet-ssl server
> falls back to plaintext, it's just as bad as running (that connection over) a
> non-SSL-enabled telnetd - passwords for accounts on your system are still
> made available to anyone with a packet sniffer.

The same could be said for a server whose ssh daemon is down and won't restart.
If the services aren't there, you can't take advantage of them.  Telnet+ssl is
just that, telnet + ssl authentication.  You may even be able to encrypt the
session.  It is nowhere near as beefy as ssh, which is really a secure
replacement for a number of services (rcp, rsh, rlogin, x-proxy, etc.), but it
does what's needed of it w/o a lot of overhead or extra garbage.  In any event,
Telnetd+ssl is a good backup in the event that your ssh daemon isn't working.

The argument of which is better is irrelevant.  They were designed with
different goals in mind.

Regarding the issue of remote root login, it should not be done using either
technology.  Regarding ssh's use of RSA for login-less connections, your security
is only as good as your trust in the machine you're using.  There are a lot of
policy decisions that may be influenced by the tools you have, but providing
multiple tools is not a bad thing in and of itself.

-- 
Chad "^chewie" Walstrom <chewie@wookimus.net>
        http://wookimus.net/chewie
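Added example (editor's code, not part of the original message or the TCLUG thread): the post says remote root login should be disabled regardless of transport. On the ssh side that is the sshd_config PermitRootLogin directive, and a common mistake when "disabling" it is to append `PermitRootLogin no` to the end of a file that already says `yes` higher up: sshd_config uses the first value it sees for each keyword, so the later line is silently ignored. A Match block can also re-enable root login for a subset of clients. The checker below implements those two parsing rules (case-insensitive keywords, first value wins, Match starts a conditional section) over constructed sample configs; the three sample configs and the finding strings are assumptions for illustration, and inline comments after a value are not handled.

```python
"""Audit sshd_config text for remote root login being permitted.

sshd_config rules implemented here (from sshd_config(5)):
  * keywords are case-insensitive;
  * for each keyword, the FIRST value in the file wins;
  * 'Keyword value' and 'Keyword=value' are both accepted;
  * a 'Match' line starts a block whose options apply only to
    matching connections, until the next 'Match' line.
Simplification: comments are recognised only when '#' starts the line.
"""
import re

_LINE = re.compile(r"^([A-Za-z0-9_]+)\s*=?\s*(.*)$")


def parse_sshd_config(text):
    """Return (global_options, match_blocks).

    global_options: {keyword_lower: first_value}
    match_blocks:   [(match_criteria, {keyword_lower: first_value}), ...]
    """
    global_opts = {}
    match_blocks = []
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        current.setdefault(key, value)  # first occurrence wins, later ones ignored
    return global_opts, match_blocks


def audit_root_login(text):
    """Return a list of human-readable findings; empty means root login is off."""
    global_opts, match_blocks = parse_sshd_config(text)
    findings = []
    root = global_opts.get("permitrootlogin")
    if root is None:
        findings.append("global: PermitRootLogin not set, build default applies "
                        "(varies by OpenSSH version)")
    elif root.lower() != "no":
        findings.append(f"global: PermitRootLogin {root} (first occurrence wins; "
                        "a later 'PermitRootLogin no' does not override it)")
    for criteria, opts in match_blocks:
        r = opts.get("permitrootlogin")
        if r is not None and r.lower() != "no":
            findings.append(f"Match {criteria}: PermitRootLogin {r} re-enables "
                            "root login for connections matching that selector")
    return findings


# Constructed sample configs (assumptions for illustration, not real hosts).
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
# appended later by an admin; has no effect because the first value wins
PermitRootLogin no
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
"""

SNEAKY_CONFIG = """\
PermitRootLogin no
Match Address 10.0.0.0/8
    PermitRootLogin yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("sneaky", SNEAKY_CONFIG)):
        print(name, "->", audit_root_login(cfg) or "no findings")
```

Running the module prints one finding for the "weak" config (the trailing `no` never took effect), none for the hardened one, and one for the "sneaky" config whose global `no` is undone for 10.0.0.0/8 by the Match block. The same first-value-wins rule applies to every sshd_config keyword, so the parser is reusable for other directives.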

PGP signature