Re: Re: Re: Re: open telnet port

[Andrew Farmer <andfarm () teknovis com>]

On 10 Sep 2004, at 04:42, ktabic wrote:
> On Thu, 2004-09-09 at 14:39 +0100, Dave Ewart wrote:
> > > How about, as a service to enable as you are updating SSH remotely
> > > from the other side of the country to fix the most recent problem
> > > security problem and need a backup system to get into the server in
> > > the event that something goes wrong?
> >
> > Given that, in the above description, you're basically advocating that
> > your *only* use of Telnet would be to send the root password across 
> > the
> > 'net to troubleshoot SSH :-)
>
> Given that above description, there is no mention of anybody sending
> anything that even looks like a password over the net in plain text.
> Of course, most people would be, but not everyone.
> You are also presuming that the root account even requires logging in,
> which is also not nessercary.

What, are you advocating that we set our root accounts to not require
a password to log in?

> There is nothing wrong with plain text at all, in most circumstances.
> It's just that *everyone* has presumed that passwords that are a) 
> reused
> for the next session and b) the root one, will be sent in plain text.

As far as I know, there are no current Telnet server implementations 
that
will encrypt login passwords (or other passwords entered during the 
login
session: the user's password for su or sudo, gpg passphrases, ...)

> Of course, if you know you are sending in plain text, you take steps to
> make sure that nothing critical is transmitted in the first place,
> which, imho is a better situation than relying totally on the fact you
> are encrypted, which may or may not be true.

Not plaintext === encrypted.

What are you trying to say here?

Attachment: PGP.sig
Description: This is a digitally signed message part