Quote:
Originally Posted by
system.engineer
is there a way to secure telnet without disabling it ? i found some information online related to other OS, but not for AIX.
Unfortunately there is no way to do that and i would rather doubt that other systems could do it either.
"telnet" (and the same goes for "ftp") is not only a client program, but a protocol too. This protocol runs on top of an unencrypted TCP connection. When you use telnet to connect to another machine then first a so-called "virtual channel" (a layer-4-socket connection) is created to connect the two machines. Over this connection the telnet protocol data are pumped to and fro.
TCP is connection-oriented, but because TCP itself relies on IP (that is: TCP packets are transported using IP packets), which is connectionless, one can put his own network card in promiscuous mode (which simply means to read all oncoming packets, regardless of them being addressed to the own system or not) and copy the content of - ultimately - the telnet connection. *) And because the telnet protocol uses unencrypted passwords a possible attacker can isolate the password information from the protocols stream and use it himself. Therefore it doesn't matter what you send yourself over the telnet/ftp connection, once you do that the used account is - in principle - compromised.
ssh/sftp/scp and similar tools avoid this problem because they not only use an encrypted channel but they also encrypt the sent password information used to encrypt the data. This means: you can use the same techniques to completely copy the streams of data going back and forth, but it would only be gibberish as long as you do not possess the encrypting keys.
How secure-protocols work (in principle)
The key in this technique is to use different keys on both sides of the connection and add them. Let us call the partners "hostA" and "hostB" and their keys accordingly. Then the process is like that:
1) HostA uses its own key, encrypts its packet : keyA("keyA")->hostB
2) HostB takes it, encrypts it with its own key and sends it back: keyB(keyA("keyA"))->hostA
Now, because hostA knows its own key and the encryption is designed so that its commutative (
keyB(keyA(something)) = keyA(keyB(something))) hostA can "subtract" its own key and so get the key of hostB. Likewise on the other side. This way they exchange keys without a key ever being sent unencrypted.
I hope this helps.
bakunin
__________
*) Normally a network card would read all the addressing information in every packet. If a packet is addressed to it, it reads the rest of the packet, otherwise the packet is ignored. "Promiscuous mode" means to read all the packets, regardless of the address information. This is how network sniffer programs work and its not necessarily malicious. Network technicians use that all the time to diagnose connection problems.
01-07-2016
