On Tue, 16 Sep 2003, Louie Miranda wrote:

> Hello,
>
> > So what advantage does telnet-ssl have over SSH? so that we can see who
> > pees highest?
>
> My only point is telnet with ssl is not sending a plain text, and the fact
> that ssh also uses ssl. Only ssh has a lot more extra functionality. Remove
> secure connection over ssh, it will be a plain remote login terminal like
> telnet. Only ssl adds flavor to its connection by encrypting it, and many
> more... I know, of course we all know that.
>
> > I don't see the point of this thread. Is this a pissing contest?
>
> It's not, just explaining.
>
Ok, then allow me to explain something more, for everyone's benefit.

If the issue were simple encryption of data being sent through the transit medium, then you are absolutely 100% correct. There is NO difference between telnet over ssl and ssh. HOWEVER, ssh tries to solve other security problems than just transmission line encryption.

1. SSH tries to keep track of the identities of the servers you connect to. It keeps the public keys of the remote servers in a file (~/.ssh/known_hosts) so that the next time you try to connect to that server _AGAIN_ it has a way by which you can identify that the server you are connecting to is exactly the same server you connected to before.

   Why is this important? Because it is very easy to hijack an IP address these days (man-in-the-middle attacks). And if one does hijack the IP address of the remote server you connected to before and installs a trojaned SSH, which logs the passwords of those connecting to it, there will be a breach of passwords. Unknowingly you would be giving away the passwords for the server you think you are connecting to.

   Is this supported in telnetd + ssl? No. Is this an important security feature? Yes.

2. SSH allows for public key encryption. This means that if you wanted to, you could disallow any authentication via passwords or pass phrases. Simply connecting to the remote host and exchanging keys is enough for authentication to proceed.

   Does telnetd + ssl allow this? No. Why is this important? Because through this feature you can configure servers to authenticate connections via various means as long as you have with you the correct key. You can store, for instance, your keys in a USB flash drive, and have a server log you on only if it can access your key in the flash drive.

3. Privilege separation. By default, SSH only uses the privileged user (in a chrooted environment) in situations when it is needed (such as upon the instantiation of a connection). When it is deemed that the super user status is no longer needed, the privilege level is dropped to that of the connecting user. This evades potential attacks which try to exploit problems in the authentication and encryption code. It also ensures that the root id is only used on occasions when it is really necessary.

   Does telnet + ssl have this feature? No.

Bottom line: Telnet + ssl does offer a better way of conducting a remote shell than plain telnet, that is true. But it is more of a kludge than a real solution. It comes up short in addressing other security related issues, and only really addresses the encryption of data in a connection.

Therefore, my point is that since SSH is available anyway for free, and installed by default in most Linux and BSD distributions, people who require the services of a remote secure shell should use SSH over any other solution available.

This is not a pissing contest. It's hopefully a discussion by which others on this list can appreciate and learn from the technical validity of my points, which unfortunately have been obfuscated by what seemed to be a flame war.

--
Philippine Linux Users' Group (PLUG) Mailing List
[EMAIL PROTECTED] (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
Searchable Archives: http://marc.free.net.ph
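
Added example, not part of the original message and not OpenSSH's code: the known_hosts comparison described in point 1, written in Python, covering both plain and hashed (`|1|salt|hash`) host entries. Host names, keys and the salt are constructed sample values; wildcard patterns and `@cert-authority`/`@revoked` lines are assumed absent and are not interpreted.

```python
import base64
import hashlib
import hmac

def hashed_field(hostname, salt):
    """Build the hashed host field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field, hostname):
    """True if a known_hosts host field names hostname (plain or hashed form)."""
    if field.startswith("|1|"):
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(field, hashed_field(hostname, salt))
    return hostname in field.split(",")  # wildcards/negation not handled here

def check_host_key(known_hosts_text, hostname, key_type, key_b64):
    """Return 'match', 'changed' or 'unknown' for the key a server presents."""
    same_type_seen = False
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Skip blanks, comments and @cert-authority/@revoked marker lines.
        if len(fields) < 3 or fields[0][0] in "#@":
            continue
        if not host_matches(fields[0], hostname) or fields[1] != key_type:
            continue
        if fields[2] == key_b64:
            return "match"      # same server identity as recorded earlier
        same_type_seen = True   # host is known, but with a different key
    return "changed" if same_type_seen else "unknown"

# Constructed sample data: these are not real SSH keys.
KEY_A = base64.b64encode(b"constructed host key A").decode()
KEY_B = base64.b64encode(b"constructed host key B").decode()
SAMPLE = "\n".join([
    "# constructed known_hosts content",
    "shell.example.org,192.0.2.10 ssh-ed25519 " + KEY_A,
    hashed_field("db.example.org", b"constructed-salt-20b") + " ssh-ed25519 " + KEY_A,
])

if __name__ == "__main__":
    for host, key in [("shell.example.org", KEY_A), ("192.0.2.10", KEY_B),
                      ("db.example.org", KEY_B), ("new.example.org", KEY_A)]:
        print(host, check_host_key(SAMPLE, host, "ssh-ed25519", key))
```

A "changed" result is the case the message warns about: the address answers, but with a key other than the one recorded on the earlier connection, so no password should be sent until the change is explained.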
