From: andfarm at teknovis.com (Andrew Farmer)
Subject: Re: Re: Re: open telnet port

On 10 Sep 2004, at 04:42, ktabic wrote:
> On Thu, 2004-09-09 at 14:39 +0100, Dave Ewart wrote:
>>> How about, as a service to enable as you are updating SSH remotely
>>> from the other side of the country to fix the most recent
>>> security problem and need a backup system to get into the server in
>>> the event that something goes wrong?
>>
>> Given that, in the above description, you're basically advocating that
>> your *only* use of Telnet would be to send the root password across
>> the 'net to troubleshoot SSH :-)
>
> Given that above description, there is no mention of anybody sending
> anything that even looks like a password over the net in plain text.
> Of course, most people would be, but not everyone.
> You are also presuming that the root account even requires logging in,
> which is also not necessary.

What, are you advocating that we set our root accounts to not require a
password to log in?

> There is nothing wrong with plain text at all, in most circumstances.
> It's just that *everyone* has presumed that passwords that are a)
> reused for the next session and b) the root one, will be sent in
> plain text.

As far as I know, there are no current Telnet server implementations
that will encrypt login passwords (or other passwords entered during the
login session: the user's password for su or sudo, gpg passphrases, ...)

> Of course, if you know you are sending in plain text, you take steps to
> make sure that nothing critical is transmitted in the first place,
> which, imho is a better situation than relying totally on the fact you
> are encrypted, which may or may not be true.

Not plaintext === encrypted. What are you trying to say here?
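As an added illustration of the point above about Telnet login passwords (example code written for this archive page, not from the thread or any Telnet implementation): a small audit check that strips Telnet option negotiation (IAC sequences) from a captured port-23 session and reports which login prompts were answered in cleartext. The session segments, host name and credentials below are constructed sample data.

```python
# Telnet protocol bytes (RFC 854): IAC introduces a command; WILL/WONT/DO/DONT
# carry one option byte; SB ... SE delimits a subnegotiation.
IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE

def strip_iac(data: bytes) -> bytes:
    """Remove option negotiation, leaving only the terminal text that was sent."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i]); i += 1; continue
        if i + 1 >= len(data):
            break                                   # truncated command
        cmd = data[i + 1]
        if cmd == IAC:                              # IAC IAC = literal 0xFF
            out.append(IAC); i += 2
        elif cmd in (WILL, WONT, DO, DONT):         # IAC <cmd> <option>
            i += 3
        elif cmd == SB:                             # IAC SB ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                                       # other two-byte command
            i += 2
    return bytes(out)

PROMPTS = ("login:", "password:")

def cleartext_auth_findings(segments):
    """segments: ordered (direction, bytes) pairs, 'S' server->client, 'C' client->server.
    Returns (prompt, answer_length) for each prompt answered in the clear."""
    findings, pending = [], None
    for direction, raw in segments:
        text = strip_iac(raw).decode("latin-1")
        if direction == "S":
            for p in PROMPTS:
                if p in text.lower():
                    pending = p
        elif direction == "C" and pending:
            answer = text.split("\r\n")[0]
            if answer:                              # the credential itself crossed the wire as-is
                findings.append((pending, len(answer)))
                pending = None
    return findings

# Constructed sample session: option negotiation, login prompt, ECHO off for the
# password prompt, then the shell prompt. Nothing here is encrypted.
SESSION = [
    ("S", b"\xff\xfd\x18\xff\xfd\x1f"),            # DO TERMINAL-TYPE, DO NAWS
    ("C", b"\xff\xfb\x18\xff\xfb\x1f"),            # WILL TERMINAL-TYPE, WILL NAWS
    ("S", b"\r\nexamplehost login: "),
    ("C", b"root\r\n"),
    ("S", b"\xff\xfb\x01Password: "),              # WILL ECHO (hides typing locally only)
    ("C", b"s3cret!\r\n"),
    ("S", b"\xff\xfc\x01\r\nLast login: Fri Sep 10 2004\r\n# "),
]
```

Running `cleartext_auth_findings(SESSION)` reports both the username and the 7-character password prompt answered in cleartext; the ECHO negotiation only suppresses local echo and offers no confidentiality on the wire.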