Is telnet sent in clear text?

Unanswered Question
Oct 13th, 2007
User Badges:

I have many routers set up as VPN's. Sometimes I have to access the routers using their public IP via telnet, is this sent in clear text? If so do you recommend ssh? If so how can I set this up on a Cisco 877 or 1841?


Thanks

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
sundar.palaniappan Sat, 10/13/2007 - 07:35
User Badges:
  • Green, 3000 points or more

Telnet data is sent in clear text. It's certainly a good idea to use SSH to access network devices especially when going through a public network like Internet. As you are probably aware SSH would encrypt all data between the client/server and even if someone gets a hand on the data it's of no use.


Have a look at this link for SSH configuration.


http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml


HTH


Sundar



whiteford Sat, 10/13/2007 - 07:44
User Badges:

Is SSH the next best thing to telnet?


This are routers in VPN mode I normally use telnet with the routers internal IP over the VPN, so I take it this is fine as it's encrypted over the VPN?


Also the telnet I do to the public IP I have a rule to only accept from my out side source address.

Richard Burts Sat, 10/13/2007 - 09:02
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Andy


From a security perspective SSH is much better than telnet. If you are telnetting through the VPN to a router inside address it does not matter much since the traffic will be encrypted. But telnetting to the public address does create some exposure. It is good that you have a rule to only accept telnet from your source address. But there is still exposure. Someone could observe the traffic and could learn your user ID and password. What could they do if they knew your address, your user ID, and your password?


While that is not a high degree of risk it is still some risk and why take any risk when a better solution is available? Since the routers are running VPN they already have the crypto image and therefore will support SSH. Basically as long as they have a host name and a domain name configured all you need to do is to generate RSA keys and then SSH is ready to go. It would certainly be a best practice to use SSH - especially for access to outside interfaces of these routers.


HTH


Rick

whiteford Sat, 10/13/2007 - 09:27
User Badges:

I see what you are saying. A few things, what would my domain be, my windows domain? Would I add ssh the remove the telnet settings, sorry this a area I'm not sure about. Do you have an example Rick? Many thanks in advance.

Richard Burts Sat, 10/13/2007 - 09:44
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Andy


The domain for the router is generally the domain name used in DNS. I assume that there is some DNS domain name for CBS Outdoor Ltd and that is what I would use for the router.


Telnet and SSH can coexist. If you want to continue to use telnet to inside addresses (through the VPN) and SSH to outside addresses you do not need to remove anything. If you decide that you want to change your policy and only use SSH for remote access to the routers then you could configure under the vty lines:

transport input ssh

and this would allow SSH and not allow telnet.


HTH


Rick

whiteford Sat, 10/13/2007 - 10:11
User Badges:

Thanks for your info, so I just need to add the domain as I have a hostname and password then generate a key? Why does it need a domain name?


Is this below all I need to add, keeping my telnet option too?


hostname carter


aaa new-model

username cisco password 0 cisco


ip domain-name rtp.cisco.com


cry key generate rsa

ip ssh time-out 60

ip ssh authentication-retries 2


line vty 0 4

transport input SSH

Richard Burts Sat, 10/13/2007 - 10:49
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Andy


I do not know the authoritative answer about why it requires a domain name. My assumption is that they want a domain name because they want a complete and unique identification of the device. What I do know (from hard experience) is that without a domain name configured the key will not generate.


If you want to keep your telnet option then the config needs to have this:

transport input ssh telnet

if you only list ssh as the transport then it is the only one allowed. By listing both ssh and telnet then both are allowed.


HTH


Rick

whiteford Sat, 10/13/2007 - 10:57
User Badges:

Thanks Rick, that example of the config above, is that all I need to add? Obviously just changing it to suit my current details?



Is suppose you could have any domain name if its to generate a key, just don't like the sound our putting my domain on an internet facing device.

Actions

This Discussion