Comment by yjftsjthsd-h

9 days ago

> Which is just an abstraction of a password.

I don't think that's functionally true. The important thing is that with telnet or password-auth ssh, you send the actual text of your password to the server. With ssh keys, the server and client do some magic crypto math to let you prove you control the private key without ever sending it. Therefore, a compromised server can steal a password, but not a ssh key.

(Yes, in theory perhaps you could do some fancier way of proving that you know a password without sending it, but 1. I'm no cryptographer, but the fact that openssh hasn't done this feels suggestive, and 2. that is once again a pretty big change for the nominal goal of keeping telnet)

> ssh is the best implementation of self signed security you can get. With kerberos we actually get a central authority and it separates authentication and encryption rather nicely without requiring user agents running as daemons.

Sure. Like, I've never thoroughly evaluated kerberos in depth (again, I'm no cryptographer), but I hear generally good things. My point is that by the time you have kerberos, you aren't really using what I would call telnet anymore, you're using something that acts like telnet but backs into a completely different authentication and communication system, and at that point you might as well use a completely different authentication and communication system without pretending to be telnet. This goes double because (open)ssh does support kerberos.
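Added example, not part of the comment above: a simplified Go model of the distinction it draws between sending a password and proving control of a key. It assumes a random 32-byte value standing in for the per-connection SSH session identifier and a made-up `authBlob` layout (not the real wire format); the function names and the sample user and password are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// sessionID stands in for the per-connection key-exchange hash (fresh every connection).
func sessionID() []byte {
	id := make([]byte, 32)
	if _, err := rand.Read(id); err != nil {
		panic(err)
	}
	return id
}

// authBlob is what the client signs: session ID plus request fields (simplified, not wire format).
func authBlob(session []byte, user string) []byte {
	return append(append([]byte{}, session...), []byte("|"+user+"|publickey")...)
}

// PasswordReplay: server A receives the password itself, so whoever controls A
// can present it to server B, where the same password is set.
func PasswordReplay(password string) bool {
	storedOnB := sha256.Sum256([]byte(password)) // toy verifier; real systems use a slow salted hash
	seenByA := password                          // the plaintext arrives at A inside the encrypted channel
	return sha256.Sum256([]byte(seenByA)) == storedOnB
}

// KeyReplay: server A receives only a signature bound to A's session.
// It verifies on A's session but not on a different connection to server B.
func KeyReplay() (okOnA, okOnB bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // priv never leaves the client
	if err != nil {
		panic(err)
	}
	sessA, sessB := sessionID(), sessionID()
	seenByA := ed25519.Sign(priv, authBlob(sessA, "alice"))
	okOnA = ed25519.Verify(pub, authBlob(sessA, "alice"), seenByA)
	okOnB = ed25519.Verify(pub, authBlob(sessB, "alice"), seenByA)
	return okOnA, okOnB
}

func main() {
	fmt.Println("captured password accepted elsewhere:", PasswordReplay("constructed-sample-pw"))
	a, b := KeyReplay()
	fmt.Println("signature valid on original session:", a, "| replayed elsewhere:", b)
}
```

In real SSH public-key authentication the signed data likewise includes the session identifier (RFC 4252, section 7), which is why a signature seen by one server does not verify on a separate connection to another.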