I posted a question in the other UNIX section here about how to enable remote root login for telnet. (It was for FreeBSD, which by default does not allow that.) As I expected, the replies I got indicated the use of telnet was a security risk and should be avoided. I totally agree with that. I've tried it before, to no avail, but I'd be willing to try again to convince my boss to disable telnet on our UNIX machines and force the Windows users that need access to them to use ssh (e.g. putty) instead.

I need your help building an argument for this purpose. The main point I'm going to emphasize is that telnet passes authentication information in plain text so a simple network sniffing can steal our sensitive personal information easily. It is even worse if the remote root login via telnet is allowed - we're basically opening the backdoor of our housek, inviting anyone to come in freely.

To that, the IT will probably come back saying it should not be a big deal because we're behind a corporate firewall. I would say that's BS because (1) no firewall is perfect, and (2) we allow outside connections via VPN, which means if one regular user gets his login information stolen, then it won't be hard for the cracker to connect to our corporate network from the outside world and do the sniffing to catch the root account information. That's too big of a chance to take IMO.

Do you guys have any other points that would help strengthen my argument against the use of telnet? If you do, I'd much appreciate your sharing it with me. Also, if I'm wrong on anything that I've written above, I'd appreciate your corrections.

TIA!
Dai

i think Gartner hold claim to all IT related stats whether they made them or not, but as a statistic, the 80 / 20 rule is fun...

http://www.ebizq.net/blogs/news_secu...f_security.php

as far as plaintext and all, it's something i see vast amounts of on a daily basis, but then we also have plaintext credit card numbers flying around our LAN, and hosted WAN come to that... so with the ability to get 30,000 credit card numbers in a single days sniffing, passwords would come a long way down the list!

What you want to do is totally honourable, but within the "real world" view people love to take, it's not likely. and no, it's not likely that it will ever be exploited, so you're left having to play on the "what if" factor, cos you can bet if it ever did get exploited, the network and server admins feet wouldn't touch the ground, yours included. tough call for sure. something i'm certainly trying to enforce. conveniently for me though, i firewall about just everything in sight with a network topology designed with that in mind, and anything involving port 23 just gets rejected...

Thanks for your opinion, Chris.

My boss somewhat proved your point. He replied to my short mail that told him I *might* give him an "offcial suggestion" to streamline our remote connection software to ssh (i.e. get rid of telnet). He basically says it's not going to happen.

Oh well.

How are the UNIX users going to connect to the Windows boxes though? It'd have to be telnet or a Terminal Server client, and the latter means mandatory Xorg, something many UNIX admins like to avoid, if possible, especially on servers.

In a mixed environment there's still some need for telnet. [begin rant] I'd say complain to Bill Gates about it but Microsoft has moved way past the "respond to customer's needs" phase of the corporate lifecycle. They're now in the "government approved monopoly" phase. So they don't need our money or opinions anymore. The bankers have everything they need and the Fed will print more if they run out. Even if no one ever bought another copy of Windows they'd keep growing through mergers and acquisitions (buying up other companies.) Why waste your breath then? It'd just be a lesson in futility... [end rant]

Hi Crito.

Almost all our engineers use Windows. Only two of us, including myself, use Linux on our desktop computers. Our UNIX machines are kept in the server room. The engineers access them via telnet/ssh in order to build/debug/test the *NIX versions of our products.

We do have centralized Windows boxes for testing, too. The Windows users access them via Remote Desktop. When us Linux guys need access to them, we'll use rdesktop.

what's wrong with just runnign ssh under windows? hardly taxing...

I'm seeing unsecure services being phased out from many companies networks for at least two reasons: vulnerabilities and SOX (or similar) compliance auditing.

Maybe the latter reason will help convincing your boss to change his mind as Telnet and FTP are obviously in violation of these regulations.

At this point, I'd suggest you drop it. It's frustrating, I know, but that's the way the telnet crumbles.

We once put up a simple GUI based encrypted method to allow one of our customers to transfer their nightly data. They rejected the encryption part of it and we had to remove it. Go figure!

I agree. I'm getting really frustrated over this already. To me, it's a no-brainer. I just don't undetstand why my boss is so adamant about keeping telnet alive, except if he simply wants to keep using his telnet software on Windows.

I'll try not to lose too much sleep over it.

So you must be working in a private company, as SOX seems irrelevant to it.

Yes, I am. I looked up SOX on the Web. I don't think it is relevant to us. I still appreciate your reply.