On Sat, 17 Jun 2006 23:45:43 +0200
Alexander Skwar wrote:

> Mick wrote:
> > On 17/06/06, Raymond Lewis Rebbeck <dystopianray@×××××.com> wrote:
> >
> >> You cannot use an ssh client in this manner.
> >>
> >> If you want a telnet client, emerge either netkit-telnetd or telnet-bsd.
> >
> > Thanks for all the replies. I had not emerged telnet so far because
> > of potential security reasons. Is netcat better in that respect?
>
> I actually know of no security problems with telnet. To which
> are you referring (note: telnet, not telnetd)?
>
> Alexander Skwar

I think this thread needs clarification (not specifically you
Alexander)

The problem with the telnet is mainly plain text passwords - your login
to a telnet server is plain text and easily snooped.

But using telnet to connect to a smtp server or web server for testing
purposes poses no threats. If you have to pass plain text credentials
via telnet (eg to log in to a pop or imap server) then the risk is
exactly the same as when your email client passes a plain text password
to the imap or pop server. In both cases it can be snooped.

If the service you want to log into is protected with an ssl wrapper
then use the openssl program to log in. For example to connect to my
imap server (from the same machine)

openssl s_client -host localhost -port 993

openssl responds with a whole lot of info about the certificate and so
on then you can type away just like a telnet session (but encrypted)

eg:

nick@www ~ $ openssl s_client -host localhost -port 993

(openssl spews out a whole lot of stuff about the certificate)

Then the imap server's opening greeting:

* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2005 Double Precision, Inc. See COPYING for distribution information.

Then I type (responses are marked >> for clarity):

1 login nick xxxxxxxx
>>1 OK LOGIN Ok.
2 logout
>>* BYE Courier-IMAP server shutting down
>>2 OK LOGOUT completed

This is exactly the exchange I get if I telnet to the non ssl port 143,
except telnet to port 143:

1. doesn't do a key exchange etc

2. is plain text and snoopable.

> --
> gentoo-user@g.o mailing list

--
Nick Rout <nick@×××××××.nz>
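
The message above compares the same IMAP exchange over TLS (port 993) and in clear text (port 143). The script below is an added example, not part of the original post, that turns that comparison into a check on a server's capability list. The function name `imap_login_exposure` and the `STRICT`/`LAX` sample lines are constructed for illustration; `STARTTLS` and `LOGINDISABLED` are the capability names defined in RFC 3501.

```shell
#!/bin/sh
# Added example (not from the original post). Classifies how exposed an IMAP
# LOGIN would be, from the transport used and the server's capability list.
# usage: imap_login_exposure <tls|plain> "<greeting or CAPABILITY line>"
imap_login_exposure() {
    transport=$1
    # Normalise case and strip CR, then extract the list from either
    # "* OK [CAPABILITY ...] text" or "* CAPABILITY ...".
    caps=$(printf '%s\n' "$2" | tr -d '\r' | tr 'a-z' 'A-Z' |
        sed -n -e 's/^.*\[CAPABILITY \([^]]*\)].*$/\1/p' \
               -e 's/^\* CAPABILITY \(.*\)$/\1/p' | head -n 1)
    if [ -z "$caps" ]; then
        echo "unknown: no capability list in input"
        return 0
    fi
    # Match whole atoms without word-splitting server-supplied text.
    starttls=no; logindisabled=no
    case " $caps " in *" STARTTLS "*) starttls=yes ;; esac
    case " $caps " in *" LOGINDISABLED "*) logindisabled=yes ;; esac

    if [ "$transport" = tls ]; then
        echo "ok: session is inside TLS, LOGIN is not readable on the wire"
    elif [ "$logindisabled" = yes ]; then
        echo "ok: server refuses clear-text LOGIN until STARTTLS"
    elif [ "$starttls" = yes ]; then
        echo "warn: STARTTLS offered, but clear-text LOGIN is still accepted"
    else
        echo "risk: clear-text only, LOGIN password can be snooped"
    fi
}

# Greeting quoted in the post (trailing copyright text dropped).
POST_GREETING='* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE '\
'THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN ACL '\
'ACL2=UNION] Courier-IMAP ready.'
# Constructed sample lines for servers that advertise STARTTLS.
STRICT='* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready'
LAX='* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN'

imap_login_exposure tls   "$POST_GREETING"   # openssl s_client, port 993
imap_login_exposure plain "$POST_GREETING"   # telnet, port 143
imap_login_exposure plain "$STRICT"
imap_login_exposure plain "$LAX"
```

The first word of each verdict (`ok`, `warn`, `risk`, `unknown`) is meant to be matched by a calling script.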