
Re: SSL telnet vs. SSH. Comparison?

> Would somebody please compare for me SSL telnet vs. SSH in terms of
> security, advantages, and disadvantages?

I'm not answering your question, but if people are looking for secure
telnet implementations, here's a list that I saved from a while back.
It's a bit obsolete (for example, I think ssh is on version 1.2.0 now)
but it will get people started.

I've been using ssh for a while, and it's the ultimate in convenience.
If you haven't tried it, give it a look.  (I make no claims about the
security; hopefully, someone on the list will take a look and do an
in-depth analysis. :)

Thanks to everyone who responded to my posting regarding a `secure
telnet' implementation:

    Is there a (possibly free) implementation of something like a
    "secure telnet"?  I'm looking for a way to log in to a remote
    system providing secure interactive communication between the two
    hosts over (possibly insecure) Internet connections.

Here's a summary of the implementations I am now aware of:

* SSL

There is a free implementation of Netscape's SSL Protocol (Secure
Socket Layer) by Eric Young named "SSLeay"
<ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/>.  Eric Young is also the
author of a popular DES Library.

SSL provides a secure authentication and encryption basis on top of
which application protocols like telnet, ftp, and http may be
transparently added <http://home.netscape.com/info/SSL.html>.
However, the RC4 encryption using a 40-bit key, which is employed by
SSL, has recently been cracked with a brute force attack, see
RISKS-17.27 <http://catless.ncl.ac.uk/Risks/17.27.html#subj1>.

A modified version of telnet that uses SSL-based authentication and
encryption is also available

* Deslogin

Deslogin by Dave Barrett <[email protected]> provides a
network login service much like rlogin/rlogind.  Deslogin uses a
`challenge-response' protocol to authenticate users.  Also, all data
transmitted to and from the remote host is encrypted using the DES.
Deslogin also includes a command-line program `cipher' for fast DES
encryption. <ftp://ftp.uu.net/pub/security/des/>

* SRA Telnet

This is a version of the SRA Telnet modified by the Technical
University of Chemnitz.  A session key is negotiated using an
uncertified Diffie-Hellman-Method and used for the encryption of UID
and password.  The complete session text is encrypted with DES in CFB
mode. <ftp://ftp.tu-chemnitz.de/pub/Local/informatik/sec_tel_ftp>

* Ssh

Ssh (Secure Shell) is a program to log into another computer over a
network, to execute commands in a remote machine, and to move files
from one machine to another.  It provides strong authentication and
secure communications over insecure channels.  Among other features,
Ssh is a complete replacement for rlogin, rsh, and
rcp. <ftp://ftp.funet.fi/pub/unix/security/ssh-1.0.0.tar.gz>

* Skey

Bell Canada's `skey' free-ware implements a one-time password system,
so that sniffers can get your ID and PW, but can't use the PW next
time. <ftp://ftp.cert.dfn.de/pub/tools/password/SKey/>

I provide this information in the hope that it will be useful, but
with no claim of either completeness or correctness.  Thanks again to
all who contributed to compile the above information.

    Jochen Schwarze
    <[email protected]>

Mike Gebis  [email protected]