Is telnet secure through SSH tunneling


Firstly, sorry, maybe a dumb question, but I have one service running on my server which can be operated only by telnet (port 23). I know that telnet is insecure, so I blocked port 23 in iptables except on the loopback interface (so that it is not accessible from the internet, but only from localhost).

So my idea is that I connect to the server using SSH and then, in the SSH session, connect with telnet localhost 23. I wonder if it is safe or if it can be sniffed.


  • 6
    If the telnet traffic is protected by SSH, then it is as safe as SSH.
    – ztk
    Sep 6 at 19:46

  • 5
    Just pointing out that if you're running telnet locally on the machine, you're not really using SSH tunneling. SSH tunneling is where you send the TCP data through the tunnel. See here.
    – Jonathon Reinhart
    Sep 6 at 22:58

  • 1
    @JonathonReinhart Thanks, and what is the benefit of "true ssh tunneling"? Does it mean that telnet in loopback is encrypted too? So telnet communication cannot be sniffed even on the server by other users?
    – tomsk
    Sep 6 at 23:05

  • 6
    FYI, instead of logging in and then using telnet localhost 23, you could set up SSH port forwarding to do it automatically.
    – Barmar
    Sep 7 at 1:05

  • 2
    i.e. local> ssh remote then remote> telnet localhost 23 isn't really "tunneling", vs. local> ssh -L 2323:localhost:23 remote then local> telnet localhost 2323. The first is simpler/less to go wrong, but if you have some other program installed locally that wants to connect via telnet, you could use the latter.
    – Nick T
    Sep 8 at 17:21


Question asked Sep 6 at 19:38 by tomsk


2 Answers

Answer (score 23, accepted)

The traffic cannot be sniffed. It is not ideal - you're adding extra steps to arrive at a secure connection, so performance will suffer - but it is safe from sniffing at least at the network level. Obviously, if the server is compromised, the traffic can be sniffed, but you will have other problems by then.

Since someone told me to add this, here is an edit:
It is not ideal because you have to utilize two additional steps to initiate a connection and secure it. One is to prohibit every incoming connection to the telnet service and the second is to work around that prohibition. That simply leaves more space for errors than simply using SSH in the first place. That's not ideal, but sometimes the best of valid options.


  • 9
    When you say "Nope it can't." can you make it more clear which question you're answering exactly? This is particularly confusing because the title is "Is telnet secure through SSH tunneling" -- I had to re-read the question to then find that you're probably responding to "or if it can be sniffed."
    – Jonathon Reinhart
    Sep 6 at 22:56

  • @JonathonReinhart On StackExchange sites, you are able to edit questions and answers. So you can go ahead and edit it to improve it.
    – Craig McQueen
    Sep 7 at 0:29

  • 1
    Why is it not ideal?
    – Lightness Races in Orbit
    Sep 7 at 9:41

  • 5
    It is not ideal because you have to utilize two additional steps to initiate a connection and secure it. One is prohibit every incoming connection to the telnet service and second is to work around that prohibition. That simply leaves more space for errors than simply using SSH in the first place. That's not ideal but sometimes the best of valid options.
    – Ben
    Sep 7 at 10:17

  • I don't see performance suffering any worse than a typical VPN connection, and the SSH connection can be automated if you're using keys to connect, which you should be doing anyway.
    – Craig
    yesterday
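
One way to check that the firewall step described in the question and the accepted answer (port 23 closed to everything except loopback) actually holds, as an added example that is not from the original thread: a simplified first-match model of `iptables -S INPUT` output. The rule sets, the interface names `eth0` and `wlan0`, and the function names are constructed for illustration; only `-i`, `-p`, `--dport`, `--ctstate` and `-j` are modelled, and the packet evaluated is a new incoming connection.

```python
import shlex

TERMINATING = {"ACCEPT", "DROP", "REJECT"}

# Constructed rule sets in `iptables -S INPUT` format (not from the thread).
INTENDED = """
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT ! -i lo -p tcp -m tcp --dport 23 -j DROP
"""

# Same intent, but a broad ACCEPT for eth0 sits above the telnet DROP.
MISORDERED = """
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -j ACCEPT
-A INPUT ! -i lo -p tcp -m tcp --dport 23 -j DROP
"""


def parse_rules(text):
    """Return (policy, rules) for the INPUT chain; fail on anything unmodelled."""
    policy, rules = "ACCEPT", []
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-P", "INPUT"]:
            policy = tok[2]
            continue
        if tok[:2] != ["-A", "INPUT"]:
            continue  # other chains are out of scope for this check
        rule = {"iface": None, "neg_iface": False, "proto": None,
                "dport": None, "states": None, "target": None}
        i, neg = 2, False
        while i < len(tok):
            opt = tok[i]
            if opt == "!":
                neg, i = True, i + 1
                continue
            val = tok[i + 1]
            if opt == "-i":
                rule["iface"], rule["neg_iface"] = val, neg
            elif neg:
                raise ValueError(f"negation is only modelled for -i: {line}")
            elif opt == "-p":
                rule["proto"] = val
            elif opt == "-m":
                pass  # match-module name such as "tcp" or "conntrack"
            elif opt == "--dport":
                rule["dport"] = int(val)  # port ranges raise ValueError
            elif opt == "--ctstate":
                rule["states"] = set(val.split(","))
            elif opt == "-j":
                rule["target"] = val
            else:
                # Refuse to guess: an ignored option could hide an exposure.
                raise ValueError(f"unsupported option {opt!r} in: {line}")
            neg, i = False, i + 2
        if rule["target"] not in TERMINATING | {"LOG"}:
            raise ValueError(f"unsupported target in: {line}")
        rules.append(rule)
    return policy, rules


def verdict(policy, rules, iface, proto, dport):
    """First matching terminating rule wins; otherwise the chain policy applies."""
    for r in rules:
        if r["iface"] is not None and (r["iface"] == iface) == r["neg_iface"]:
            continue
        if r["proto"] is not None and r["proto"] != proto:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if r["states"] is not None and "NEW" not in r["states"]:
            continue  # a new connection is not RELATED/ESTABLISHED
        if r["target"] in TERMINATING:
            return r["target"]
    return policy


def telnet_verdict(text, iface):
    """Fate of a new TCP connection to port 23 arriving on `iface`."""
    policy, rules = parse_rules(text)
    return verdict(policy, rules, iface, "tcp", 23)


if __name__ == "__main__":
    for name, ruleset in (("intended", INTENDED), ("misordered", MISORDERED)):
        for iface in ("lo", "eth0", "wlan0"):
            print(f"{name:10} {iface:6} tcp/23 -> {telnet_verdict(ruleset, iface)}")
```

In the misordered set the telnet DROP is still present, yet port 23 is reachable on `eth0` because the broader ACCEPT matches first. Options the model does not cover raise `ValueError` instead of being skipped.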

















Answer (score 40)

Yes. Controlling a Telnet client through an SSH tunnel is, in practice, as safe from eavesdropping as using any other program (e.g. a Bash shell) through the tunnel.



Telnet is called an insecure protocol because Telnet traffic is plain text which can be read and modified by anyone on the route between client and server (a man-in-the-middle attack). But if you're exchanging packets with localhost, there is no actual network traffic leaving the machine that could be sniffed or intercepted. Both Telnet client and server are on the same host, and the fact that you're using SSH to connect to that host doesn't put that local connection at risk.






Accepted answer (score 23): answered Sep 6 at 19:45 by Ben, edited 2 days ago


Answer with score 40: answered Sep 6 at 19:51 by Arminius, edited Sep 6 at 23:48