Re: [Full-Disclosure] Re: Re: Re: open telnet port
From: Andrew Farmer (andfarm teknovis.com)
Date: Fri Sep 10 2004 - 16:16:43 CDT
On 10 Sep 2004, at 04:42, ktabic wrote:
> On Thu, 2004-09-09 at 14:39 +0100, Dave Ewart wrote:
>>> How about, as a service to enable as you are updating SSH remotely
>>> from the other side of the country to fix the most recent
>>> security problem and need a backup system to get into the server in
>>> the event that something goes wrong?
>>
>> Given that, in the above description, you're basically advocating that
>> your *only* use of Telnet would be to send the root password across
>> the 'net to troubleshoot SSH :-)
>
> Given that above description, there is no mention of anybody sending
> anything that even looks like a password over the net in plain text.
> Of course, most people would be, but not everyone.
> You are also presuming that the root account even requires logging in,
> which is also not necessary.
What, are you advocating that we set our root accounts to not require
a password to log in?
> There is nothing wrong with plain text at all, in most circumstances.
> It's just that *everyone* has presumed that passwords that are a)
> reused for the next session and b) the root one, will be sent in
> plain text.
As far as I know, there are no current Telnet server implementations
that will encrypt login passwords (or other passwords entered during the
login session: the user's password for su or sudo, gpg passphrases, ...)
> Of course, if you know you are sending in plain text, you take steps to
> make sure that nothing critical is transmitted in the first place,
> which, imho is a better situation than relying totally on the fact you
> are encrypted, which may or may not be true.
Not plaintext === encrypted.
What are you trying to say here?
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html