On Tue, 2014-11-11 at 07:44 -0800, Michael Thomas wrote:
On 11/11/2014 01:05 AM, Karl Auer wrote:
Someone who puts a real switch doing real work on the Internet with working telnet access is asking to have at least the switch compromised very quickly.
How so? Assuming that you're using password auth, the real vulnerability is somebody figuring out the password and owning the box. SSH certainly helps here immensely with rsa auth, but only if you use it.
Well - yes. That's sort of my point. If you are going to send a password over a network, make sure it's encrypted. Telnet isn't encrypted.
An active MITM attack or passive snooping on telnet streams seems like it would be orders of magnitude less dangerous on a list of threats. SSH is definitely a Good Thing, but it's not a silver bullet.
I didn't say it was. I just said that sending passwords in clear text over the network is a very bad idea. Telnet does that, so using telnet is a very bad idea. Use ssh, and the problem is gone. There are other ways to make the problem disappear, and obviously neither they nor ssh will protect you if you do any of a dozen other silly things. Don't use telnet access for management of anything valuable unless you own every inch of the path from you to it, or unless you can encrypt the channel via other means.

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389
GPG fingerprint: EC67 61E2 C2F6 EB55 884B E129 072B 0AF0 72AA 9882
Old fingerprint: B862 FB15 FE96 4961 BC62 1A40 6239 1208 9865 5F9A
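The cleartext exposure discussed in this thread, as an added example that is not part of the original messages: a small Python parser that takes a telnet session captured as direction-tagged segments (the kind of thing a "follow TCP stream" view yields), strips the IAC option negotiation, and pulls the username and password back out of the client-side keystrokes by pairing them with the server's login prompts. The session bytes below are constructed for the example, not real traffic, and the prompt strings are an assumption about what the switch prints.

```python
"""Recover a telnet login from a captured session.

Constructed example: the session bytes are made up for illustration.
"""
import re

# Telnet command bytes (RFC 854)
IAC, SE, SB, WILL, WONT, DO, DONT = 0xFF, 0xF0, 0xFA, 0xFB, 0xFC, 0xFD, 0xFE


def strip_telnet_negotiation(stream: bytes) -> bytes:
    """Return the application data of a telnet stream with IAC commands removed."""
    out = bytearray()
    i, n = 0, len(stream)
    while i < n:
        b = stream[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 >= n:                     # truncated IAC at end of capture
            break
        elif stream[i + 1] == IAC:           # IAC IAC is an escaped literal 0xFF
            out.append(IAC)
            i += 2
        elif stream[i + 1] in (WILL, WONT, DO, DONT):  # three-byte option commands
            i += 3
        elif stream[i + 1] == SB:            # subnegotiation runs until IAC SE
            end = stream.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:                                # two-byte commands (NOP, GA, AYT, ...)
            i += 2
    return bytes(out)


# Prompts assumed for the example; extend the alternation for other devices.
PROMPT_RE = re.compile(r"(username|user name|login|password)\s*:\s*$", re.IGNORECASE)


def recover_login(session):
    """session: list of (direction, bytes) in wire order,
    'S' = server->client, 'C' = client->server.
    Returns the text typed after the username/login and password prompts."""
    creds = {}
    server_line = ""   # server output since its last newline
    pending = None     # field the client is currently typing, if any
    typed = []
    for direction, raw in session:
        text = strip_telnet_negotiation(raw).decode("latin-1")
        if direction == "S":
            # Keep only the current (unterminated) server line and check for a prompt.
            server_line = (server_line + text).replace("\r", "").rsplit("\n", 1)[-1]
            m = PROMPT_RE.search(server_line)
            if m:
                pending = "password" if m.group(1).lower() == "password" else "username"
                typed = []
            continue
        for ch in text:
            if pending is None:
                break
            if ch in "\r\n":                 # Enter finishes the field
                creds[pending] = "".join(typed)
                pending = None
            elif ch in "\x08\x7f":           # backspace / delete
                if typed:
                    typed.pop()
            else:
                typed.append(ch)
    return creds


# Constructed session: option negotiation, a banner, an echoed username
# (with one typo corrected by the user) and an unechoed password.
SAMPLE_SESSION = [
    ("S", b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27"),   # DO TTYPE, NAWS, ...
    ("C", b"\xff\xfc\x18\xff\xfc\x20\xff\xfc\x23\xff\xfc\x27"),   # WONT ...
    ("S", b"\xff\xfb\x01\xff\xfb\x03"),                           # WILL ECHO, WILL SGA
    ("C", b"\xff\xfd\x01\xff\xfd\x03"),                           # DO ECHO, DO SGA
    ("S", b"\r\nUser Access Verification\r\n\r\nUsername: "),
    ("C", b"a"), ("S", b"a"),
    ("C", b"dmim"), ("S", b"dmim"),
    ("C", b"\x7f"), ("S", b"\x08 \x08"),
    ("C", b"n\r\n"), ("S", b"n\r\n"),
    ("S", b"Password: "),
    ("C", b"s3cret!\r\n"),
    ("S", b"\r\nswitch>"),
]

if __name__ == "__main__":
    print(recover_login(SAMPLE_SESSION))
```

Anyone on the path can run this over a capture, which is the whole point about telnet; the same capture of an SSH session yields only the key exchange and ciphertext. Running it against your own management network is also a cheap check that nothing is still talking telnet.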