Re: Re: Re: Re: open telnet port

[ktabic <lists () ktabic co uk>]

On Thu, 2004-09-09 at 14:39 +0100, Dave Ewart wrote:
> > How about, as a service to enable as you are updating SSH remotely
> > from the other side of the country to fix the most recent problem
> > security problem and need a backup system to get into the server in
> > the event that something goes wrong?

> Given that, in the above description, you're basically advocating that
> your *only* use of Telnet would be to send the root password across the
> 'net to troubleshoot SSH :-)
Given that above description, there is no mention of anybody sending
anything that even looks like a password over the net in plain text.
Of course, most people would be, but not everyone.
You are also presuming that the root account even requires logging in,
which is also not nessercary.
There is nothing wrong with plain text at all, in most circumstances.
It's just that *everyone* has presumed that passwords that are a) reused
for the next session, and b) the root one, will be sent in plain text.
Of course, if you know you are sending in plain text, you take steps to
make sure that nothing critical is transmitted in the first place,
which, imho is a better situation than relying totally on the fact you
are encrypted, which may or may not be true.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html