Re: in.telnetd vulnerability??

From: Brian Hatch
Date: 08/04/01

Date: Fri, 3 Aug 2001 21:32:23 -0700
From: Brian Hatch
To: Ryan Russell
Subject: Re: in.telnetd vulnerability??

> I wonder how hard it would be to write a version of the SSH client named
> telnet that would try port 22 before failing to port 23, and do plain
> telnet when used on other ports (telnet 110). Claim it
> is the new telnet client patch. It would allow for some cleartext
> downgrade attacks, but that would at least require active monitoring and
> spoofing. If it were called by the name "ssh", very soft links, it would
> behave normally.

I did this with a simple Perl script which would hit port 22
and, if available, exec ssh, else exec telnet.

But it wasn't nearly so helpful as setting up host-based
authentication between unix boxen. Once folks found out
that they could say 'ssh host' vs 'telnet host' and save
3 characters on the command line and type no password,
they were hooked. And it wasn't any less secure than all
those cleartext passwords, really.

Of course rlogin/rsh should always be linked to ssh
instead to allow it by default.

Brian Hatch                "Zathras understand.
   Systems and              No, Zathras not understand,
   Security Engineer        but Zathras do."

Every message PGP signed
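
The wrapper discussed in this message, sketched in Python as an added example (not the poster's Perl script, which is not shown on the page): it probes port 22, picks ssh or telnet, and passes explicit-port invocations straight to telnet. It goes one step beyond the post by refusing the cleartext fallback for hosts on a hypothetical `pinned` list, which addresses the downgrade concern in the quoted text; the `telnet.real` path, the timeout and all function names are assumptions.

```python
#!/usr/bin/env python3
"""Wrapper meant to be installed as `telnet`: prefer ssh when port 22 answers."""
import os
import socket
import sys

SSH_PORT = 22
PROBE_TIMEOUT = 3.0  # seconds (assumed value)
REAL_TELNET = "/usr/bin/telnet.real"  # assumed path of the renamed real client


def port_open(host, port=SSH_PORT, timeout=PROBE_TIMEOUT):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def choose_command(args, probe=port_open, pinned=frozenset()):
    """Return the argv to exec for `telnet <args>`.

    probe  -- callable(host) -> bool; injectable so the logic is testable offline
    pinned -- hypothetical set of hosts known to run sshd (not in the post)
    """
    if len(args) != 1 or args[0].startswith("-"):
        # Explicit port (e.g. "host 110") or options: plain telnet was asked for.
        return ["telnet", *args]
    host = args[0]
    if probe(host):
        return ["ssh", host]
    if host in pinned:
        # sshd is expected here, so a dead port 22 is an outage or an active
        # downgrade attempt; refuse rather than send a cleartext password.
        raise ConnectionError(f"{host}: port 22 unreachable, not using telnet")
    return ["telnet", host]


if __name__ == "__main__":
    try:
        argv = choose_command(sys.argv[1:])
    except ConnectionError as exc:
        sys.exit(str(exc))
    if argv[0] == "ssh":
        os.execvp("ssh", argv)
    os.execv(REAL_TELNET, argv)
```

Without the pin list, anything that blocks port 22 silently moves the session, and the password, onto cleartext telnet.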