TELNET (TELecommunication NETwork) is a network protocol used on the Internet or local area network (LAN) connections. It was developed in the late 60s with RFC 15. Telnet is a very old way of logging in to a remote system, and it has a serious security problem. Most admins will recommend using OpenSSH (secure shell) for all remote activities. But you may find users who still demand telnet over ssh because they are comfortable with it. Some users have scripts written in the 90s and don't want to change them. So what do you do when users demand telnet?
The problem with telnet
Telnet sends everything in clear text, including the username and password. You can use tcpdump or snoop to see all of this information on the wire.
You can install a Kerberos-enabled telnetd. Discussion of Kerberos and secure telnet is beyond the scope of this blog post, but I do recommend the Kerberos Infrastructure HOWTO for further information. The following packages under Debian will install secure telnet, including the Kerberos server:
# apt-get install krb5-telnetd krb5-clients
CentOS / RHEL / Red Hat / Fedora Linux users need to install the package called krb5-workstation:
# yum install krb5-workstation
You need to configure the Kerberos server and the Kerberos-enabled telnet / ftp. Please see the man pages for further information.
Bottom line: migrate users to ssh
I highly recommend migrating your users to SSH and discarding telnet, ftp and all r* services. First, you need to educate users about telnet and other insecure protocols. Once users are made aware of the problem, help them migrate to SSH:
- Disable telnet and force them to use ssh-based tools
- Explain basic ssh syntax
- Explain passwordless login
- Explain how to use ssh in scripts
- Explain how to use sftp instead of ftp client
- Explain how to use scp instead of rcp client
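To confirm that telnet, ftp and the r* services really are gone after the migration, you can check what is still listening. The following is an added example, not part of the original post: the function name legacy_listeners and the sample data are made up for illustration, and it assumes the usual `ss -tln` column layout with the local address in column 4.

```shell
#!/bin/sh
# Added example (not from the original post).
# Reads `ss -tln` output on stdin and prints one line per listener on a
# cleartext legacy port: 21 ftp, 23 telnet, 512 rexec, 513 rlogin, 514 rsh.
legacy_listeners() {
    awk '
        BEGIN {
            svc["21"] = "ftp";    svc["23"] = "telnet"
            svc["512"] = "rexec"; svc["513"] = "rlogin"; svc["514"] = "rsh"
        }
        $1 == "LISTEN" {
            # Column 4 is Local Address:Port; the port is the text after
            # the last colon, which also covers IPv6 forms such as [::]:23.
            n = split($4, part, ":")
            if (part[n] in svc)
                printf "%s %s %s\n", svc[part[n]], part[n], $4
        }
    '
}

# Constructed sample of `ss -tln` output (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      10     0.0.0.0:23         0.0.0.0:*
LISTEN 0      32     [::]:21            [::]:*
LISTEN 0      5      127.0.0.1:5123     0.0.0.0:*
LISTEN 0      64     *:514              *:*'

# Prints the telnet, ftp and rsh listeners; ssh (22) and port 5123 are ignored.
printf '%s\n' "$SAMPLE_SS" | legacy_listeners
```

On a live host, run `ss -tln | legacy_listeners`; empty output means none of these services is accepting connections.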