Re: Moving telnet/telnetd from base to pkgsrc

To: Taylor R Campbell <campbell+netbsd-tech-userlevel%mumble.net@localhost>, Edgar Fuß <ef%math.uni-bonn.de@localhost>
Subject: Re: Moving telnet/telnetd from base to pkgsrc
From: John Nemeth <jnemeth%cue.bc.ca@localhost>
Date: Fri, 14 Dec 2018 21:28:34 -0800

On Dec 14,  1:21pm, Taylor R Campbell wrote:
} > Date: Fri, 14 Dec 2018 09:46:08 +0100
} > From: Edgar Fuß <ef%math.uni-bonn.de@localhost>
} > 
} > > Y'all seem to think it's totally reasonable to telnet in the open internet
} > What's the problem with "telnet www.uni-bonn.de http"?
} 
} If the telnet client is remotely exploitable then that exposes you to
} exploitation by www.uni-bonn.de and by anyone on the internet between
} you and www.uni-bonn.de.  The attack surface is unmaintained network
} code from the '80s.
} 
} > Date: Fri, 14 Dec 2018 02:13:40 -0800
} > From: John Nemeth <jnemeth%cue.bc.ca@localhost>
} > 
} >      This statement is total nonsense.  It works just fine.  And,
} > it's not like there is a crap-ton of CVEs against it.  In fact,
} > there have been almost none, which is pretty impressive considering
} > how old the code is.
} 
} This reflects how little attention telnet has gotten, not how much
} scrutiny it has withstood.

     That is certainly one interpretation.  But, I'm going to
disagree.  As kre noted, it is probably the oldest network application
around.  According to Wikipedia, the protocol was developed in
1969, predating TCP/IP, which means that it is probably the oldest
TCP/IP application there is.  It continued to be used long after
SSH became common.  In fact, the last major issue that comes to my
mind, which was in telnetd, was found long after SSH became common.
I'm quite sure that it has received a lot of scrutiny over the
years.

} If it is used only on a carefully isolated network for something like
} a serial management console, that's not really worse than the security
} of a lot of management console tooling, but it's not clear to me that
} it needs to be in base any more than ipmitool or amtterm.  We should

     I actually wouldn't mind seeing ipmitool in base.  Of course,
it would be better if our kernel driver was capable of doing more
then just reading a handful of sensors, like actually being able
to do things like configure the IPMI network settings.  ipmitool
is very useful for people running real servers.  The biggest
limitation is our sucky ipmi(4).

} at least have warnings on it until someone takes up maintenance not to
} use it on the open internet.

     This is like putting a warning on a gun that says, "don't
point at self".  This might be considered sensible in the highly
litigious US, but for most of the world, this is a ridiculous
notion.  BTW, even if "someone takes up maintenance" it would still
be an unencrypted protocol, so it still wouldn't be usable in a
security sensitive setting.

     Furthermore, why make life more difficult for us crusty old
people for no particularly good reason?  I've been using telnet to
manually do SMTP since the late 80s.  Yes, I could learn nc, but
I prefer to spend my time on more important tasks that then replacing
things that work perfectly well.

}-- End of excerpt from Taylor R Campbell

Follow-Ups:
- Re: Moving telnet/telnetd from base to pkgsrc
  - From: Robert Elz

References:
- Re: Moving telnet/telnetd from base to pkgsrc
  - From: Taylor R Campbell

Prev by Date: Re: Moving telnet/telnetd from base to pkgsrc
Next by Date: Re: Moving telnet/telnetd from base to pkgsrc
Previous by Thread: Re: Moving telnet/telnetd from base to pkgsrc
Next by Thread: Re: Moving telnet/telnetd from base to pkgsrc
Indexes:

Home | Main Index | Thread Index | Old Index