On Mon, 2004-11-08 at 15:59 +1100, Robert Collins wrote:
> kerberos does not provide remote access, only AAA.
>
> kerberised telnet is still plaintext, so anything such as sudo being run
> via it will allow password sniffing, which in combination with a session
> hijack provides a gaping hole into the system that ssh doesn't.

This is not altogether correct, I did some research (and along with a lot of security notifications) and found:

------
Using Kerberos telnet

To use the telnet program without having to type your password, you need to use it with the '-a' option. Otherwise you will be prompted for your password when you try to connect. Do not type your password. Any password you type will not be encrypted and will go over the network in the clear.

If you use the '-a' option and it fails to log you in, this is normally because your Kerberos ticket has expired and you need to run kinit again. If this still fails please contact [EMAIL PROTECTED] and let us know about the problem.

telnet also supports the '-x' option to encrypt your session and protect its privacy.
------

If you SPECIFICALLY request it (and I assume the telnetd that you have installed allows it) then you get full encryption.

I am still unsure whether this is better encryption than ssh however.

--
Ken Foskey

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
