
Cisco reports bug disclosed in WikiLeaks' Vault 7 CIA dump

Anonymous Coward

Re: Show of hands

"Newly discovered" for me. Here's why: no one uses Telnet. Not since the 1990s. If you do allow it, you are: 1) doing yourself no favors and probably think firewalls will protect you from any problems, and 2) a clueless network wonk who got the job because you're cheap, not good. No one uses Telnet for any valid reason. You can do everything with ssh and still have a modicum of security to protect your sessions. Last time I touched a Cisco router was in the 1990s, and we turned off Telnet as one of the first configurations. I don't even use it at home. Everything has ssh available, and it is dead easy to set up and maintain. There is simply no valid case for telnet being available as a session protocol in a modern networking device, other than to fall back on when people forget/lose their ssh keys (which isn't necessary since you can merely pop the box with the motherboard "wipe me" setting, then reload the config you should have saved already, or set up new if those keys in the config file are not known). And for new installs that need hand-holding, then you turn it off. Cisco knows this, and this is why this bug went unnoticed for years; no one using "best practices" for their data center would allow this to run without some really great exception, and even then I seriously doubt any use of Telnet as being a valid method to connect to anything, other than as a back-to-back connection for simple, local setup usage. It's a holdout from the past and really should be unbundled, not merely set to disabled by default. For ssh, do the key exchange/build at the system setup via the serial console, or use a key configured from the factory, then force the update when the system is set up. And don't get me started on their use of tftp as the transport for the remote config save. :P
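The commenter's point is that Telnet should be off on the vty lines and only SSH allowed. A quick way to check that across saved configs is to parse each `line vty` stanza and look at its `transport input`. The following is an added example, not code from the post, the article or Cisco: it audits a constructed IOS-style running-config (the `SAMPLE_CONFIG` text is made up for illustration) and reports any vty range that still permits Telnet, plus a missing `ip ssh version 2`. It treats a stanza with no explicit `transport input` as "verify manually", because the platform default differs between IOS releases; that conservative choice is an assumption of this example.

```python
"""Audit a Cisco IOS-style running-config for Telnet exposure on vty lines.

Added example (not from the forum post or the article). Parses a constructed
config text, walks each `line vty` stanza and reports whether its
`transport input` permits Telnet.
"""
import re
from typing import Dict, List, Optional

# Constructed sample running-config (not taken from any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr
!
ip ssh version 2
!
line con 0
 login local
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
!
end
"""

VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?\s*$")


def parse_vty_stanzas(config: str) -> List[Dict]:
    """Return one dict per `line vty` stanza: its numeric range and the
    keywords following `transport input` (None if the command is absent)."""
    stanzas: List[Dict] = []
    current: Optional[Dict] = None
    for raw in config.splitlines():
        # Any non-indented line ends the stanza currently being collected.
        if not raw.startswith(" ") and current is not None:
            stanzas.append(current)
            current = None
        m = VTY_RE.match(raw)
        if m:
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            current = {"range": (first, last), "transport": None}
            continue
        if current is not None:
            line = raw.strip()
            if line.startswith("transport input"):
                current["transport"] = line.split()[2:]
    if current is not None:
        stanzas.append(current)
    return stanzas


def audit_telnet(config: str) -> List[str]:
    """Return human-readable findings; an empty list means no Telnet exposure
    was found and SSH version 2 is enforced."""
    findings: List[str] = []
    for s in parse_vty_stanzas(config):
        first, last = s["range"]
        label = f"vty {first}-{last}" if last != first else f"vty {first}"
        transport = s["transport"]
        if transport is None:
            # No explicit transport input: the default depends on the IOS
            # release, so flag for manual review rather than assume it is safe.
            findings.append(f"{label}: no 'transport input' configured; verify platform default")
        elif "telnet" in transport or "all" in transport:
            findings.append(f"{label}: Telnet permitted (transport input {' '.join(transport)})")
    if not re.search(r"^ip ssh version 2\s*$", config, re.MULTILINE):
        findings.append("global: 'ip ssh version 2' not set")
    return findings


if __name__ == "__main__":
    for finding in audit_telnet(SAMPLE_CONFIG) or ["no Telnet exposure found"]:
        print(finding)
```

Run against a directory of exported configs, the stanza parser is the part worth keeping; the remediation for each finding is the one the post describes, `transport input ssh` on every vty range, with `ip ssh version 2` set globally.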
