Comment by themafia
9 days ago
> With SSH keypairs
Which is just an abstraction of a password. Instead of storing it in your mind and sending it over the network you store it on your harddrive and use to calculate things on the network. Haven't you just moved the security boundary slightly? You're now also mixing up authentication and encryption into one package which isn't strictly an upside. Granted you can secure your key with a password or a yubikey but now you're messing with agents or you're typing that password an incredible amount.
I see your point. The dead simplicity of telnet session over encrypted tunnel still appeals to me in the face of the structures above. It also means you can elide the whole "how do I do this complicated port forwarding with ssh" question entirely.
> we've just re-invented ssh under a different name.
ssh is the best implementation of self signed security you can get. With kerberos we actually get a central authority and it separates authentication and encryption rather nicely without requiring user agents running as daemons.
> Which is just an abstraction of a password.
I don't think that's functionally true. The important thing is that with telnet or password-auth ssh, you send the actual text of your password to the server. With ssh keys, the server and client do some magic crypto math to let you prove you control the private key without ever sending it. Therefore, a compromised server can steal a password, but not a ssh key.
(Yes, in theory perhaps you could do some fancier way of proving that you know a password without sending it, but 1. I'm no cryptographer, but the fact that openssh hasn't done this feels suggestive, and 2. that is once again a pretty big change for the nominal goal of keeping telnet)
> ssh is the best implementation of self signed security you can get. With kerberos we actually get a central authority and it separates authentication and encryption rather nicely without requiring user agents running as daemons.
Sure. Like, I've never thoroughly evaluated kerberos in depth (again, I'm no cryptographer), but I hear generally good things. My point is that by the time you have kerberos, you aren't really using what I would call telnet anymore, you're using something that acts like telnet but backs into a completely different authentication and communication system, and at that point you might as well use a completely different authentication and communication system without pretending to be telnet. This goes double because (open)ssh does support kerberos.