Mixing
Is telnet secure through SSH tunneling
Clash Royale CLAN TAG#URR8PPP
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0;
up vote
22
down vote
favorite
Firstly sorry, maybe dumb question, but I have one service running on my server which can be operated only by telnet (port 23), but I know that telnet is insecure, so I blocked port 23 in iptables except loopback interface (to be not accessible from internet, but only from localhost).
So my idea is that I connect to the server using SSH and then in SSH session I will connect to telnet localhost 23, so I wonder if it is safe or if it can be sniffed.
ssh sniffing tunneling telnet
asked Sep 6 at 19:38
tomsk
22028
 |Â
show 1 more comment
up vote
22
down vote
favorite
Firstly sorry, maybe dumb question, but I have one service running on my server which can be operated only by telnet (port 23), but I know that telnet is insecure, so I blocked port 23 in iptables except loopback interface (to be not accessible from internet, but only from localhost).
So my idea is that I connect to the server using SSH and then in SSH session I will connect to telnet localhost 23, so I wonder if it is safe or if it can be sniffed.
ssh sniffing tunneling telnet
asked Sep 6 at 19:38
tomsk
22028
6
If the telnet traffic is protected by SSH, then it is as safe as SSH.
– ztk
Sep 6 at 19:46
5
Just pointing out that if you're runningtelnetlocally on the machine, that you're not really using SSH tunneling. SSH tunneling is where you send the TCP data through the tunnel. See here.
– Jonathon Reinhart
Sep 6 at 22:58
1
@JonathonReinhart Thanks and what is benefit of "true ssh tunneling"? It means that telnet in loopback is encrypted too? So telnet communication cannot be sniffed even on server by others users?
– tomsk
Sep 6 at 23:05
6
FYI, instead of logging in and then usingtelnet localhost 23, you could set up SSH port forwarding to do it automatically.
– Barmar
Sep 7 at 1:05
2
i.e.local> ssh remotethenremote> telnet localhost 23isn't really "tunneling", vs.local> ssh -L 2323:localhost:23 remotethenlocal> telnet localhost 2323. The first is simpler/less to go wrong, but if you have some other program installed locally that wants to connect via telnet, you could use the latter.
– Nick T
Sep 8 at 17:21
 |Â
show 1 more comment
up vote
22
down vote
favorite
up vote
22
down vote
favorite
Firstly sorry, maybe dumb question, but I have one service running on my server which can be operated only by telnet (port 23), but I know that telnet is insecure, so I blocked port 23 in iptables except loopback interface (to be not accessible from internet, but only from localhost).
So my idea is that I connect to the server using SSH and then in SSH session I will connect to telnet localhost 23, so I wonder if it is safe or if it can be sniffed.
ssh sniffing tunneling telnet
asked Sep 6 at 19:38
tomsk
22028
Firstly sorry, maybe dumb question, but I have one service running on my server which can be operated only by telnet (port 23), but I know that telnet is insecure, so I blocked port 23 in iptables except loopback interface (to be not accessible from internet, but only from localhost).
So my idea is that I connect to the server using SSH and then in SSH session I will connect to telnet localhost 23, so I wonder if it is safe or if it can be sniffed.
ssh sniffing tunneling telnet
asked Sep 6 at 19:38
tomsk
22028
asked Sep 6 at 19:38
tomsk
22028
asked Sep 6 at 19:38
tomsk
22028
asked Sep 6 at 19:38
tomsk
22028
22028
6
If the telnet traffic is protected by SSH, then it is as safe as SSH.
– ztk
Sep 6 at 19:46
5
Just pointing out that if you're runningtelnetlocally on the machine, that you're not really using SSH tunneling. SSH tunneling is where you send the TCP data through the tunnel. See here.
– Jonathon Reinhart
Sep 6 at 22:58
1
@JonathonReinhart Thanks and what is benefit of "true ssh tunneling"? It means that telnet in loopback is encrypted too? So telnet communication cannot be sniffed even on server by others users?
– tomsk
Sep 6 at 23:05
6
FYI, instead of logging in and then usingtelnet localhost 23, you could set up SSH port forwarding to do it automatically.
– Barmar
Sep 7 at 1:05
2
i.e.local> ssh remotethenremote> telnet localhost 23isn't really "tunneling", vs.local> ssh -L 2323:localhost:23 remotethenlocal> telnet localhost 2323. The first is simpler/less to go wrong, but if you have some other program installed locally that wants to connect via telnet, you could use the latter.
– Nick T
Sep 8 at 17:21
 |Â
show 1 more comment
6
If the telnet traffic is protected by SSH, then it is as safe as SSH.
– ztk
Sep 6 at 19:46
5
Just pointing out that if you're runningtelnetlocally on the machine, that you're not really using SSH tunneling. SSH tunneling is where you send the TCP data through the tunnel. See here.
– Jonathon Reinhart
Sep 6 at 22:58
1
@JonathonReinhart Thanks and what is benefit of "true ssh tunneling"? It means that telnet in loopback is encrypted too? So telnet communication cannot be sniffed even on server by others users?
– tomsk
Sep 6 at 23:05
6
FYI, instead of logging in and then usingtelnet localhost 23, you could set up SSH port forwarding to do it automatically.
– Barmar
Sep 7 at 1:05
2
i.e.local> ssh remotethenremote> telnet localhost 23isn't really "tunneling", vs.local> ssh -L 2323:localhost:23 remotethenlocal> telnet localhost 2323. The first is simpler/less to go wrong, but if you have some other program installed locally that wants to connect via telnet, you could use the latter.
– Nick T
Sep 8 at 17:21
6
6
If the telnet traffic is protected by SSH, then it is as safe as SSH.
– ztk
Sep 6 at 19:46
If the telnet traffic is protected by SSH, then it is as safe as SSH.
– ztk
Sep 6 at 19:46
5
5
Just pointing out that if you're running
telnet locally on the machine, that you're not really using SSH tunneling. SSH tunneling is where you send the TCP data through the tunnel. See here.– Jonathon Reinhart
Sep 6 at 22:58
Just pointing out that if you're running
telnet locally on the machine, that you're not really using SSH tunneling. SSH tunneling is where you send the TCP data through the tunnel. See here.– Jonathon Reinhart
Sep 6 at 22:58
1
1
@JonathonReinhart Thanks and what is benefit of "true ssh tunneling"? It means that telnet in loopback is encrypted too? So telnet communication cannot be sniffed even on server by others users?
– tomsk
Sep 6 at 23:05
@JonathonReinhart Thanks and what is benefit of "true ssh tunneling"? It means that telnet in loopback is encrypted too? So telnet communication cannot be sniffed even on server by others users?
– tomsk
Sep 6 at 23:05
6
6
FYI, instead of logging in and then using
telnet localhost 23, you could set up SSH port forwarding to do it automatically.– Barmar
Sep 7 at 1:05
FYI, instead of logging in and then using
telnet localhost 23, you could set up SSH port forwarding to do it automatically.– Barmar
Sep 7 at 1:05
2
2
i.e.
local> ssh remote then remote> telnet localhost 23 isn't really "tunneling", vs. local> ssh -L 2323:localhost:23 remote then local> telnet localhost 2323. The first is simpler/less to go wrong, but if you have some other program installed locally that wants to connect via telnet, you could use the latter.– Nick T
Sep 8 at 17:21
i.e.
local> ssh remote then remote> telnet localhost 23 isn't really "tunneling", vs. local> ssh -L 2323:localhost:23 remote then local> telnet localhost 2323. The first is simpler/less to go wrong, but if you have some other program installed locally that wants to connect via telnet, you could use the latter.– Nick T
Sep 8 at 17:21
 |Â
show 1 more comment
2 Answers
2
active
oldest
votes
up vote
23
down vote
accepted
The traffic cannot be sniffed. It is not ideal - you're adding extra steps to arrive at a secure connection, so performance will suffer - but it is safe from sniffing at least at the network level. Obviously, if the server is compromised, the traffic can be sniffed, but you will have other problems by then.
Since someone told me to add this here is an edit:
It is not ideal because you have to utilize two additional steps to initiate a connection and secure it. One is prohibit every incoming connection to the telnet service and second is to work around that prohibition. That simply leaves more space for errors than simply using SSH in the first place. That's not ideal but sometimes the best of valid options.
answered Sep 6 at 19:45
Ben
1,322114
9
When you say "Nope it can't." can you make it more clear which question you're answering exactly? This is particularly confusing because the title is "Is telnet secure through SSH tunneling" -- I had to re-read the question to then find that you're probably responding to "or if it can be sniffed."
– Jonathon Reinhart
Sep 6 at 22:56
@JonathonReinhart On StackExchange sites, you are able to edit questions and answers. So you can go ahead and edit it to improve it.
– Craig McQueen
Sep 7 at 0:29
1
Why is it not ideal?
– Lightness Races in Orbit
Sep 7 at 9:41
5
It is not ideal because you have to utilize two additional steps to initiate a connection and secure it. One is prohibit every incoming connection to the telnet service and second is to work around that prohibition. That simply leaves more space for errors than simply using SSH in the first place. That's not ideal but sometimes the best of valid options.
– Ben
Sep 7 at 10:17
I don't see performance suffering any worse than a typical VPN connection, and the SSH connection can be automated if you're using keys to connect, which you should be doing anyway.
– Craig
yesterday
add a comment |Â
up vote
40
down vote
Yes. Controlling a Telnet client through an SSH tunnel is, in practice, as safe from eavesdropping as using any other program (e.g. a Bash shell) through the tunnel.
Telnet is called an insecure protocol because Telnet traffic is plain text which can be read and modified by anyone on the route between client and server (a man-in-the-middle attack). But if you're exchanging packets with localhost, there is no actual network traffic leaving the machine that could be sniffed or intercepted. Both Telnet client and server are on the same host, and the fact that you're using SSH to connect to that host doesn't put that local connection at risk.
answered Sep 6 at 19:51
Arminius
36.3k12112112
add a comment |Â
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
23
down vote
accepted
The traffic cannot be sniffed. It is not ideal - you're adding extra steps to arrive at a secure connection, so performance will suffer - but it is safe from sniffing at least at the network level. Obviously, if the server is compromised, the traffic can be sniffed, but you will have other problems by then.
Since someone told me to add this here is an edit:
It is not ideal because you have to utilize two additional steps to initiate a connection and secure it. One is prohibit every incoming connection to the telnet service and second is to work around that prohibition. That simply leaves more space for errors than simply using SSH in the first place. That's not ideal but sometimes the best of valid options.
answered Sep 6 at 19:45
Ben
1,322114
9
When you say "Nope it can't." can you make it more clear which question you're answering exactly? This is particularly confusing because the title is "Is telnet secure through SSH tunneling" -- I had to re-read the question to then find that you're probably responding to "or if it can be sniffed."
– Jonathon Reinhart
Sep 6 at 22:56
@JonathonReinhart On StackExchange sites, you are able to edit questions and answers. So you can go ahead and edit it to improve it.
– Craig McQueen
Sep 7 at 0:29
1
Why is it not ideal?
– Lightness Races in Orbit
Sep 7 at 9:41
5
It is not ideal because you have to utilize two additional steps to initiate a connection and secure it. One is prohibit every incoming connection to the telnet service and second is to work around that prohibition. That simply leaves more space for errors than simply using SSH in the first place. That's not ideal but sometimes the best of valid options.
– Ben
Sep 7 at 10:17
I don't see performance suffering any worse than a typical VPN connection, and the SSH connection can be automated if you're using keys to connect, which you should be doing anyway.
– Craig
yesterday
add a comment |Â
up vote
23
down vote
accepted
The traffic cannot be sniffed. It is not ideal - you're adding extra steps to arrive at a secure connection, so performance will suffer - but it is safe from sniffing at least at the network level. Obviously, if the server is compromised, the traffic can be sniffed, but you will have other problems by then.
Since someone told me to add this here is an edit:
It is not ideal because you have to utilize two additional steps to initiate a connection and secure it. One is prohibit every incoming connection to the telnet service and second is to work around that prohibition. That simply leaves more space for errors than simply using SSH in the first place. That's not ideal but sometimes the best of valid options.
answered Sep 6 at 19:45
Ben
1,322114
9
When you say "Nope it can't." can you make it more clear which question you're answering exactly? This is particularly confusing because the title is "Is telnet secure through SSH tunneling" -- I had to re-read the question to then find that you're probably responding to "or if it can be sniffed."
– Jonathon Reinhart
Sep 6 at 22:56
@JonathonReinhart On StackExchange sites, you are able to edit questions and answers. So you can go ahead and edit it to improve it.
– Craig McQueen
Sep 7 at 0:29
1
Why is it not ideal?
– Lightness Races in Orbit
Sep 7 at 9:41
5
It is not ideal because you have to utilize two additional steps to initiate a connection and secure it. One is prohibit every incoming connection to the telnet service and second is to work around that prohibition. That simply leaves more space for errors than simply using SSH in the first place. That's not ideal but sometimes the best of valid options.
– Ben
Sep 7 at 10:17
I don't see performance suffering any worse than a typical VPN connection, and the SSH connection can be automated if you're using keys to connect, which you should be doing anyway.
– Craig
yesterday
add a comment |Â
up vote
23
down vote
accepted
up vote
23
down vote
accepted
The traffic cannot be sniffed. It is not ideal - you're adding extra steps to arrive at a secure connection, so performance will suffer - but it is safe from sniffing at least at the network level. Obviously, if the server is compromised, the traffic can be sniffed, but you will have other problems by then.
Since someone told me to add this here is an edit:
It is not ideal because you have to utilize two additional steps to initiate a connection and secure it. One is prohibit every incoming connection to the telnet service and second is to work around that prohibition. That simply leaves more space for errors than simply using SSH in the first place. That's not ideal but sometimes the best of valid options.
answered Sep 6 at 19:45
Ben
1,322114
The traffic cannot be sniffed. It is not ideal - you're adding extra steps to arrive at a secure connection, so performance will suffer - but it is safe from sniffing at least at the network level. Obviously, if the server is compromised, the traffic can be sniffed, but you will have other problems by then.
Since someone told me to add this here is an edit:
It is not ideal because you have to utilize two additional steps to initiate a connection and secure it. One is prohibit every incoming connection to the telnet service and second is to work around that prohibition. That simply leaves more space for errors than simply using SSH in the first place. That's not ideal but sometimes the best of valid options.
answered Sep 6 at 19:45
Ben
1,322114
edited 2 days ago
answered Sep 6 at 19:45
Ben
1,322114
answered Sep 6 at 19:45
Ben
1,322114
answered Sep 6 at 19:45
Ben
1,322114
1,322114
9
When you say "Nope it can't." can you make it more clear which question you're answering exactly? This is particularly confusing because the title is "Is telnet secure through SSH tunneling" -- I had to re-read the question to then find that you're probably responding to "or if it can be sniffed."
– Jonathon Reinhart
Sep 6 at 22:56
@JonathonReinhart On StackExchange sites, you are able to edit questions and answers. So you can go ahead and edit it to improve it.
– Craig McQueen
Sep 7 at 0:29
1
Why is it not ideal?
– Lightness Races in Orbit
Sep 7 at 9:41
5
It is not ideal because you have to utilize two additional steps to initiate a connection and secure it. One is prohibit every incoming connection to the telnet service and second is to work around that prohibition. That simply leaves more space for errors than simply using SSH in the first place. That's not ideal but sometimes the best of valid options.
– Ben
Sep 7 at 10:17
I don't see performance suffering any worse than a typical VPN connection, and the SSH connection can be automated if you're using keys to connect, which you should be doing anyway.
– Craig
yesterday
add a comment |Â
9
When you say "Nope it can't." can you make it more clear which question you're answering exactly? This is particularly confusing because the title is "Is telnet secure through SSH tunneling" -- I had to re-read the question to then find that you're probably responding to "or if it can be sniffed."
– Jonathon Reinhart
Sep 6 at 22:56
@JonathonReinhart On StackExchange sites, you are able to edit questions and answers. So you can go ahead and edit it to improve it.
– Craig McQueen
Sep 7 at 0:29
1
Why is it not ideal?
– Lightness Races in Orbit
Sep 7 at 9:41
5
It is not ideal because you have to utilize two additional steps to initiate a connection and secure it. One is prohibit every incoming connection to the telnet service and second is to work around that prohibition. That simply leaves more space for errors than simply using SSH in the first place. That's not ideal but sometimes the best of valid options.
– Ben
Sep 7 at 10:17
I don't see performance suffering any worse than a typical VPN connection, and the SSH connection can be automated if you're using keys to connect, which you should be doing anyway.
– Craig
yesterday
9
9
When you say "Nope it can't." can you make it more clear which question you're answering exactly? This is particularly confusing because the title is "Is telnet secure through SSH tunneling" -- I had to re-read the question to then find that you're probably responding to "or if it can be sniffed."
– Jonathon Reinhart
Sep 6 at 22:56
When you say "Nope it can't." can you make it more clear which question you're answering exactly? This is particularly confusing because the title is "Is telnet secure through SSH tunneling" -- I had to re-read the question to then find that you're probably responding to "or if it can be sniffed."
– Jonathon Reinhart
Sep 6 at 22:56
@JonathonReinhart On StackExchange sites, you are able to edit questions and answers. So you can go ahead and edit it to improve it.
– Craig McQueen
Sep 7 at 0:29
@JonathonReinhart On StackExchange sites, you are able to edit questions and answers. So you can go ahead and edit it to improve it.
– Craig McQueen
Sep 7 at 0:29
1
1
Why is it not ideal?
– Lightness Races in Orbit
Sep 7 at 9:41
Why is it not ideal?
– Lightness Races in Orbit
Sep 7 at 9:41
5
5
It is not ideal because you have to utilize two additional steps to initiate a connection and secure it. One is prohibit every incoming connection to the telnet service and second is to work around that prohibition. That simply leaves more space for errors than simply using SSH in the first place. That's not ideal but sometimes the best of valid options.
– Ben
Sep 7 at 10:17
It is not ideal because you have to utilize two additional steps to initiate a connection and secure it. One is prohibit every incoming connection to the telnet service and second is to work around that prohibition. That simply leaves more space for errors than simply using SSH in the first place. That's not ideal but sometimes the best of valid options.
– Ben
Sep 7 at 10:17
I don't see performance suffering any worse than a typical VPN connection, and the SSH connection can be automated if you're using keys to connect, which you should be doing anyway.
– Craig
yesterday
I don't see performance suffering any worse than a typical VPN connection, and the SSH connection can be automated if you're using keys to connect, which you should be doing anyway.
– Craig
yesterday
add a comment |Â
up vote
40
down vote
Yes. Controlling a Telnet client through an SSH tunnel is, in practice, as safe from eavesdropping as using any other program (e.g. a Bash shell) through the tunnel.
Telnet is called an insecure protocol because Telnet traffic is plain text which can be read and modified by anyone on the route between client and server (a man-in-the-middle attack). But if you're exchanging packets with localhost, there is no actual network traffic leaving the machine that could be sniffed or intercepted. Both Telnet client and server are on the same host, and the fact that you're using SSH to connect to that host doesn't put that local connection at risk.
answered Sep 6 at 19:51
Arminius
36.3k12112112
add a comment |Â
up vote
40
down vote
Yes. Controlling a Telnet client through an SSH tunnel is, in practice, as safe from eavesdropping as using any other program (e.g. a Bash shell) through the tunnel.
Telnet is called an insecure protocol because Telnet traffic is plain text which can be read and modified by anyone on the route between client and server (a man-in-the-middle attack). But if you're exchanging packets with localhost, there is no actual network traffic leaving the machine that could be sniffed or intercepted. Both Telnet client and server are on the same host, and the fact that you're using SSH to connect to that host doesn't put that local connection at risk.
answered Sep 6 at 19:51
Arminius
36.3k12112112
add a comment |Â
up vote
40
down vote
up vote
40
down vote
Yes. Controlling a Telnet client through an SSH tunnel is, in practice, as safe from eavesdropping as using any other program (e.g. a Bash shell) through the tunnel.
Telnet is called an insecure protocol because Telnet traffic is plain text which can be read and modified by anyone on the route between client and server (a man-in-the-middle attack). But if you're exchanging packets with localhost, there is no actual network traffic leaving the machine that could be sniffed or intercepted. Both Telnet client and server are on the same host, and the fact that you're using SSH to connect to that host doesn't put that local connection at risk.
answered Sep 6 at 19:51
Arminius
36.3k12112112
Yes. Controlling a Telnet client through an SSH tunnel is, in practice, as safe from eavesdropping as using any other program (e.g. a Bash shell) through the tunnel.
Telnet is called an insecure protocol because Telnet traffic is plain text which can be read and modified by anyone on the route between client and server (a man-in-the-middle attack). But if you're exchanging packets with localhost, there is no actual network traffic leaving the machine that could be sniffed or intercepted. Both Telnet client and server are on the same host, and the fact that you're using SSH to connect to that host doesn't put that local connection at risk.
answered Sep 6 at 19:51
Arminius
36.3k12112112
edited Sep 6 at 23:48
answered Sep 6 at 19:51
Arminius
36.3k12112112
answered Sep 6 at 19:51
Arminius
36.3k12112112
answered Sep 6 at 19:51
Arminius
36.3k12112112
36.3k12112112
add a comment |Â
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f193183%2fis-telnet-secure-through-ssh-tunneling%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
6
If the telnet traffic is protected by SSH, then it is as safe as SSH.
– ztk
Sep 6 at 19:46
5
Just pointing out that if you're running
telnetlocally on the machine, that you're not really using SSH tunneling. SSH tunneling is where you send the TCP data through the tunnel. See here.– Jonathon Reinhart
Sep 6 at 22:58
1
@JonathonReinhart Thanks and what is benefit of "true ssh tunneling"? It means that telnet in loopback is encrypted too? So telnet communication cannot be sniffed even on server by others users?
– tomsk
Sep 6 at 23:05
6
FYI, instead of logging in and then using
telnet localhost 23, you could set up SSH port forwarding to do it automatically.– Barmar
Sep 7 at 1:05
2
i.e.
local> ssh remotethenremote> telnet localhost 23isn't really "tunneling", vs.local> ssh -L 2323:localhost:23 remotethenlocal> telnet localhost 2323. The first is simpler/less to go wrong, but if you have some other program installed locally that wants to connect via telnet, you could use the latter.– Nick T
Sep 8 at 17:21