Can we secure telnet on AIX

Hi,

I understand that we can use SSH/SSL for encrypted/secure sessions. My question is: "Can we secure telnet on AIX?"

Usually, we disable network services like ftp, telnet, etc.
and replace them with SFTP, SSH.

Is there a way to secure telnet without disabling it? I found some information online related to other OS, but not for AIX.

Thank you.

I'm a little unclear on what you mean by to "secure telnet". Here are a few thoughts:-

  • You want to prevent people using telnet at all to get to your server
      • disable it
  • You want to hide it away a little so only a few people know how to open the connection
      • change the port, but that relies on secrecy rather than truly securing it
  • You want to restrict the source IP address that can open telnet
      • firewall rules and/or IP tables
  • You want to prevent people using the telnet client to get out from your server
      • rename the executable
  • You want to encrypt the traffic to prevent network snooping
      • use ssh
  • You want to strengthen the login process
      • adjust security settings, but that's a big topic

I realise that none of these are probably quite what you want, but I am struggling to work out your requirement. Can you elaborate a little?

Thanks, in advance,
Robin

1 Like

Unfortunately there is no way to do that and I would rather doubt that other systems could do it either.

"telnet" (and the same goes for "ftp") is not only a client program, but a protocol too. This protocol runs on top of an unencrypted TCP connection. When you use telnet to connect to another machine then first a so-called "virtual channel" (a layer-4-socket connection) is created to connect the two machines. Over this connection the telnet protocol data are pumped to and fro.

TCP is connection-oriented, but because TCP itself relies on IP (that is: TCP packets are transported using IP packets), which is connectionless, one can put his own network card in promiscuous mode (which simply means to read all oncoming packets, regardless of them being addressed to the own system or not) and copy the content of - ultimately - the telnet connection. *) And because the telnet protocol uses unencrypted passwords a possible attacker can isolate the password information from the protocol stream and use it himself. Therefore it doesn't matter what you send yourself over the telnet/ftp connection, once you do that the used account is - in principle - compromised.

ssh/sftp/scp and similar tools avoid this problem because they not only use an encrypted channel but they also encrypt the sent password information used to encrypt the data. This means: you can use the same techniques to completely copy the streams of data going back and forth, but it would only be gibberish as long as you do not possess the encrypting keys.

How secure-protocols work (in principle)
The key in this technique is to use different keys on both sides of the connection and add them. Let us call the partners "hostA" and "hostB" and their keys accordingly. Then the process is like that:

1) HostA uses its own key, encrypts its packet : keyA("keyA")->hostB
2) HostB takes it, encrypts it with its own key and sends it back: keyB(keyA("keyA"))->hostA

Now, because hostA knows its own key and the encryption is designed so that it's commutative ( keyB(keyA(something)) = keyA(keyB(something)) ) hostA can "subtract" its own key and so get the key of hostB. Likewise on the other side. This way they exchange keys without a key ever being sent unencrypted.

I hope this helps.

bakunin

__________
*) Normally a network card would read all the addressing information in every packet. If a packet is addressed to it, it reads the rest of the packet, otherwise the packet is ignored. "Promiscuous mode" means to read all the packets, regardless of the address information. This is how network sniffer programs work and it's not necessarily malicious. Network technicians use that all the time to diagnose connection problems.

1 Like
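
The commutative exchange outlined in the post above has the shape of Shamir's three-pass protocol. The Python sketch here is an added example, not part of any post in this thread; the modulus, the sample secret and all function names are constructed for illustration. It goes one step beyond the post by also running the same message flow with XOR, to show why the commutative cipher cannot be a plain XOR.

```python
import math
import secrets

# Public prime modulus (2**127 - 1 is a Mersenne prime); constructed choice.
P = 2**127 - 1


def keypair(p=P):
    """Return (e, d) with e*d == 1 mod (p-1), so pow(pow(m, e, p), d, p) == m."""
    while True:
        e = secrets.randbelow(p - 3) + 2
        if math.gcd(e, p - 1) == 1:
            return e, pow(e, -1, p - 1)


def three_pass(secret, p=P):
    """Commutative exchange; returns (value hostB recovers, wire messages)."""
    if not 0 < secret < p:
        raise ValueError("secret must be in 1..p-1")
    ea, da = keypair(p)            # hostA's private lock/unlock exponents
    eb, db = keypair(p)            # hostB's private lock/unlock exponents
    m1 = pow(secret, ea, p)        # hostA -> hostB: keyA(secret)
    m2 = pow(m1, eb, p)            # hostB -> hostA: keyB(keyA(secret))
    m3 = pow(m2, da, p)            # hostA -> hostB: keyB(secret)
    return pow(m3, db, p), (m1, m2, m3)


def xor_three_pass(secret, bits=128):
    """Same message flow with XOR as the commutative cipher (unsafe)."""
    ka, kb = secrets.randbits(bits), secrets.randbits(bits)
    m1 = secret ^ ka
    m2 = m1 ^ kb
    m3 = m2 ^ ka
    return m3 ^ kb, (m1, m2, m3)


def observer_view_xor(wire):
    """XOR of the three wire messages cancels both keys: the secret leaks."""
    m1, m2, m3 = wire
    return m1 ^ m2 ^ m3


if __name__ == "__main__":
    s = int.from_bytes(b"constructed-key", "big")   # constructed sample secret
    got, wire = three_pass(s)
    print("modexp: hostB recovered secret:", got == s)
    got_x, wire_x = xor_three_pass(s)
    print("xor: passive observer recovers secret:", observer_view_xor(wire_x) == s)
```

Neither variant authenticates the peer, so a real protocol also needs host keys or certificates before the exchanged secret can be trusted.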

Thanks for the reply and help, Robin, and I like the way you've analyzed my question, which gave me a good understanding. Sorry, I should have given more details.

My question was:
How can we make "telnet sessions" secure? Or would like to have secure telnet sessions like SSH (encrypted/secure).

Thanks for the reply and your help, Bakunin, and please see the below links related to other OS. Yeah, as you mentioned, we usually use SCP, SFTP and SSH for regular day-to-day work,
but would like to know about securing telnet sessions using SSL or any other security mechanism.

I found something on Google, not able to post URLs here. Could you please google "Configuration details for securing Telnet with SSL" & "Telnet server and Secure Sockets Layer (SSL)"?

Please see the very first IBM links for each search.

Appreciate your time.