On Thu, 2004-09-09 at 14:39 +0100, Dave Ewart wrote:How about, as a service to enable as you are updating SSH remotely from the other side of the country to fix the most recent problem security problem and need a backup system to get into the server in the event that something goes wrong?
Given that, in the above description, you're basically advocating that
your *only* use of Telnet would be to send the root password across the
'net to troubleshoot SSH :-)
Given that above description, there is no mention of anybody sending anything that even looks like a password over the net in plain text. Of course, most people would be, but not everyone. You are also presuming that the root account even requires logging in, which is also not nessercary.
What, are you advocating that we set our root accounts to not require a password to log in?
There is nothing wrong with plain text at all, in most circumstances.
It's just that *everyone* has presumed that passwords that are a) reused
for the next session and b) the root one, will be sent in plain text.
Of course, if you know you are sending in plain text, you take steps to make sure that nothing critical is transmitted in the first place, which, imho is a better situation than relying totally on the fact you are encrypted, which may or may not be true.
Attachment:
PGP.sig
Description: This is a digitally signed message part