lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: andfarm at teknovis.com (Andrew Farmer)
Subject: Re: Re: Re: open telnet port

On 10 Sep 2004, at 04:42, ktabic wrote:
> On Thu, 2004-09-09 at 14:39 +0100, Dave Ewart wrote:
>>> How about, as a service to enable as you are updating SSH remotely
>>> from the other side of the country to fix the most recent problem
>>> security problem and need a backup system to get into the server in
>>> the event that something goes wrong?
>>
>> Given that, in the above description, you're basically advocating that
>> your *only* use of Telnet would be to send the root password across 
>> the
>> 'net to troubleshoot SSH :-)
>
> Given that above description, there is no mention of anybody sending
> anything that even looks like a password over the net in plain text.
> Of course, most people would be, but not everyone.
> You are also presuming that the root account even requires logging in,
> which is also not nessercary.

What, are you advocating that we set our root accounts to not require
a password to log in?

> There is nothing wrong with plain text at all, in most circumstances.
> It's just that *everyone* has presumed that passwords that are a) 
> reused
> for the next session and b) the root one, will be sent in plain text.

As far as I know, there are no current Telnet server implementations 
that
will encrypt login passwords (or other passwords entered during the 
login
session: the user's password for su or sudo, gpg passphrases, ...)

> Of course, if you know you are sending in plain text, you take steps to
> make sure that nothing critical is transmitted in the first place,
> which, imho is a better situation than relying totally on the fact you
> are encrypted, which may or may not be true.

Not plaintext === encrypted.

What are you trying to say here?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 186 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040910/0316f39d/PGP.bin

Powered by blists - more mailing lists