Aaron Walker wrote:
> What are the main differences between telnet, rlogin, and ssh? Also,
> where can I find server/client software for ssh?
>
Telnet:
the original way to get into a machine -- a virtual session, if you will
You can make it sorta secure by doing something like S/Keys on the remote
end. the session is totally unencrypted. If I am in an office with
ethernet, and I have my trusty linux laptop, I can sniff the password
right out of the ethernet. it's a trivial matter. I think the original
RFC describing telnet had 'Security is not addressed in this RFC' in the
security section.
It should be shunned/avoided/canned/trashed if ssh can be used.
rlogin:
Some offices love it. Personally, it scares the hell out of me.
I hang my head in fear for those offices who insist on using rlogin.
Alls a hacker fellow has to do is put in '++' in your ~/.rhosts file
(Admittedly a non-trivial manner, but your mh/elm/pine/whatever security
vulnerability of the day can do this for you),
and any ol hacker boy can log into your account unchallenged, without
password.
Another annoying security matter of rlogin is those pesky '.rhosts'
files, which allow specific users from specific hosts logins without
passwords. All sorts of vulnerabilities are prevented.
Say host X and host Y are on the same Ethernet lan. Say I have my trusty
rusty Linux Notebook computer. Say host Y allows root unchallenged
logins allowed from user larry on machine X. (A *very* bad security
practice, but sadly this is quite common).
Say that machine Y even has TCP wrappers installed and activated to only
allow rlogins from machine X.
Now:
Say I unplug ethernet cable from machine X.
Say I configure my laptop to have IP address that machine X had.
Say I set up user account 'larry' on my linux laptop (I'm root on my
laptop. I can do that)
Say I 'rlogin Y -l root'
I'm in as root. Game Over.
Don't use rlogin/rsh/rexec Avoid them. Shun them. Burn them. Delete
them. Don't let propeller-head NT users log in with that crummy Exceed
product (which uses rsh).
SSH can be configured to use asymmetric encryption to authenticate the
user coming in. So Say I did all of those mean and nasty things to
machine X, trying to get into Machine Y running ssh instead of rlogin.
The ssh daemon on Machine Y will have a unique host key for every machine
who logs in.
Machine Y will say "Okay, so you say you're machine X. Do this little
mathematical equation so I know you're really larry from Machine X"
And you're denied.
SSH is Soooooooo much better than the rlogin/telnet alternatives.
Get it.
Don't get hacked for something stupid like a sniffed password.
There are mean and opportunistic people out there. Protect yourself.
--
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
as the Subject.
