On Nov 24, 2014, at 6:04 PM, Jonathan Billings billings@negate.org wrote:
> On Nov 24, 2014, at 3:46 PM, Warren Young wyml@etr-usa.com wrote:
>> Now compare telnet: always vulnerable, all the time, since the day it was created, before most of the people on this list were born:
> Technically, you can run kerberized (krb5) telnet/telnetd, and it's not quite as insecure as unkerberized telnet.

That only protects the authentication stage. You have to add RFC 2946 encryption or TLS to encrypt the rest of the conversation, something you get for free with SSH. Then having done that, you get to seek out the rare clients that can speak these protocol extensions, whereas all SSH clients do what you want as a matter of course.
It doesn’t look like CentOS 7’s in.telnetd supports this anyway. I base that on two bits of evidence:
1. The man page: “-a authmode ...not available in the current version.”
2. ldd /usr/sbin/in.telnetd doesn’t show that it’s linked to libgssapi.
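
The ldd check described above can be scripted for auditing a daemon binary. This is an added example, not part of the original message; the function names and both sample ldd listings are constructed for illustration. Linkage only shows what is dynamically linked at load time, so a "none" result does not rule out static linking or libraries loaded later with dlopen.

```shell
#!/bin/sh
# Report which authentication/encryption library families a binary links,
# based on `ldd` output read from stdin.

# Print the matching families (gssapi, krb5, tls), one per line.
linked_security_libs() {
    awk '
        # ldd lines look like: "libfoo.so.N => /path/libfoo.so.N (0x...)"
        { lib = $1; sub(/^.*\//, "", lib) }
        lib ~ /^libgssapi/          { seen["gssapi"] = 1 }
        lib ~ /^libkrb5/            { seen["krb5"] = 1 }
        lib ~ /^(libssl|libgnutls)/ { seen["tls"] = 1 }
        END {
            n = split("gssapi krb5 tls", order, " ")
            for (i = 1; i <= n; i++) if (order[i] in seen) print order[i]
        }'
}

# Collapse the result to one line: "none" or a comma-separated list.
summarise_libs() {
    found=$(linked_security_libs | paste -sd, -)
    if [ -n "$found" ]; then printf '%s\n' "$found"; else printf 'none\n'; fi
}

# Constructed sample: a telnetd with no Kerberos or TLS linkage.
sample_plain() {
    cat <<'EOF'
    linux-vdso.so.1 =>  (0x00007ffd00000000)
    libutil.so.1 => /lib64/libutil.so.1 (0x00007f0100000000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0200000000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f0300000000)
EOF
}

# Constructed sample: a kerberized daemon.
sample_kerberized() {
    cat <<'EOF'
    libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f1100000000)
    libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f1200000000)
    libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f1300000000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f1400000000)
EOF
}

if [ "$#" -gt 0 ]; then
    ldd "$1" | summarise_libs      # e.g. pass /usr/sbin/in.telnetd
else
    printf 'plain sample:      %s\n' "$(sample_plain | summarise_libs)"
    printf 'kerberized sample: %s\n' "$(sample_kerberized | summarise_libs)"
fi
```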