24

Firstly sorry, maybe dumb question, but I have one service running on my server which can be operated only by telnet (port 23), but I know that telnet is insecure, so I blocked port 23 in iptables except loopback interface (to be not accessible from internet, but only from localhost).

So my idea is that I connect to the server using SSH and then in SSH session I will connect to telnet localhost 23, so I wonder if it is safe or if it can be sniffed.

tomsk
  • 389
  • 2
  • 8
  • 7
    If the telnet traffic is protected by SSH, then it is as safe as SSH. – ztk Sep 06 '18 at 19:46
  • 5
    Just pointing out that if you're running `telnet` locally on the machine, that you're not *really* using SSH tunneling. SSH tunneling is where you send the TCP data through the tunnel. [See here](https://www.ssh.com/ssh/tunneling/example). – Jonathon Reinhart Sep 06 '18 at 22:58
  • 1
    @JonathonReinhart Thanks and what is benefit of "true ssh tunneling"? It means that telnet in loopback is encrypted too? So telnet communication cannot be sniffed even on server by others users? – tomsk Sep 06 '18 at 23:05
  • 6
    FYI, instead of logging in and then using `telnet localhost 23`, you could set up SSH port forwarding to do it automatically. – Barmar Sep 07 '18 at 01:05
  • 2
    i.e. `local> ssh remote` then `remote> telnet localhost 23` isn't really "tunneling", vs. `local> ssh -L 2323:localhost:23 remote` then `local> telnet localhost 2323`. The first is simpler/less to go wrong, but if you have some other program installed locally that wants to connect via telnet, you could use the latter. – Nick T Sep 08 '18 at 17:21

2 Answers2

42

Yes. Controlling a Telnet client through an SSH tunnel is, in practice, as safe from eavesdropping as using any other program (e.g. a Bash shell) through the tunnel.

Telnet is called an insecure protocol because Telnet traffic is plain text which can be read and modified by anyone on the route between client and server (a man-in-the-middle attack). But if you're exchanging packets with localhost, there is no actual network traffic leaving the machine that could be sniffed or intercepted. Both Telnet client and server are on the same host, and the fact that you're using SSH to connect to that host doesn't put that local connection at risk.

Arminius
  • 43,922
  • 13
  • 140
  • 136
24

The traffic cannot be sniffed. It is not ideal - you're adding extra steps to arrive at a secure connection, so performance will suffer - but it is safe from sniffing at least at the network level. Obviously, if the server is compromised, the traffic can be sniffed, but you will have other problems by then.

Since someone told me to add this here is an edit: It is not ideal because you have to utilize two additional steps to initiate a connection and secure it. One is prohibit every incoming connection to the telnet service and second is to work around that prohibition. That simply leaves more space for errors than simply using SSH in the first place. That's not ideal but sometimes the best of valid options.

Ben
  • 2,024
  • 8
  • 17
  • 9
    When you say *"Nope it can't."* can you make it more clear which question you're answering exactly? This is particularly confusing because the title is *"Is telnet secure through SSH tunneling"* -- I had to re-read the question to then find that you're probably responding to *"or if it can be sniffed."* – Jonathon Reinhart Sep 06 '18 at 22:56
  • @JonathonReinhart On StackExchange sites, you are able to edit questions and answers. So you can go ahead and edit it to improve it. – Craig McQueen Sep 07 '18 at 00:29
  • 1
    Why is it not ideal? – Lightness Races in Orbit Sep 07 '18 at 09:41
  • 5
    It is not ideal because you have to utilize two additional steps to initiate a connection and secure it. One is prohibit every incoming connection to the telnet service and second is to work around that prohibition. That simply leaves more space for errors than simply using SSH in the first place. That's not ideal but sometimes the best of valid options. – Ben Sep 07 '18 at 10:17
  • I don't see performance suffering any worse than a typical VPN connection, and the SSH connection can be automated if you're using keys to connect, which you should be doing anyway. – Craig Tullis Sep 10 '18 at 06:44