
Security Portal: Why do vendors ship us junk they wouldn’t use?

“This is something I have been thinking about off and on for a
while. Why do vendors ship software that they themselves won’t use?
Most Linux vendors ship the same general packages – Sendmail
for SMTP mail services, WuFTPD for FTP, Telnet for remote access
and so on. The kicker, though, is that most of these vendors use
different software on their servers….

“Telnet:
This one just makes me angry. Does anyone honestly think that
vendors are using Telnet to access their servers and conduct remote
administration? OpenSSH is extremely mature and rock solid on Linux
– numerous packages are available and many free Windows clients, as
well (several Java ones, too). Linux vendors should adopt the
OpenBSD policy: OpenSSH is installed and enabled by default, Telnet
is installed but not enabled by default.”

“It would be a cinch for non-U.S. distributions to include
OpenSSH, and U.S.-based distributions could find several easy ways
around it (e.g., ftp.redhat.de has up-to-date OpenSSH RPMs for
most major releases of Red Hat Linux). If OpenSSH is not available
during initial install (the user does not have access to a network,
for example) it should be easy to obtain post-install. The OpenSSL
and OpenSSH binaries combined are only around 1.1 megabytes; even
on a slow dialup link, this download would take no more than 10
minutes (and I do mean a slow dialup link).”

“Telnet is completely broken. It cannot be fixed. Even the use
of one-time password schemes still leaves Telnet vulnerable to
session hijacking.”
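The policy the article argues for (SSH on, Telnet off by default) is easy to check on an inetd-based system of that era. The following audit script is an added example, not code from the Security Portal article or from any vendor: it parses a constructed inetd.conf, reports which cleartext login services are enabled, and writes a hardened copy with those lines commented out. The sample configuration and the list of services treated as cleartext logins are assumptions chosen for illustration; the file format itself is the standard inetd.conf layout.

```python
"""Audit an inetd.conf for cleartext remote-login services and produce a
hardened copy with them disabled.

Added example, not code from the Security Portal article. The inetd.conf
content below is constructed for illustration; the line format is the
classic inetd one (service socket_type proto flags user server_path args).
"""

# Constructed sample inetd.conf, typical of a late-1990s Linux install.
SAMPLE_INETD_CONF = """\
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
#login  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
"""

# Services that carry credentials and the whole session in cleartext.
# Telnet is the one the article singles out; the r-services are the same
# class of problem. This list is an assumption for the example.
CLEARTEXT_LOGIN_SERVICES = {"telnet", "shell", "login", "exec"}

VALID_SOCKET_TYPES = {"stream", "dgram", "raw", "rdm", "seqpacket"}


def parse_inetd(conf):
    """Return a list of (service, enabled) pairs, one per service line.

    A leading '#' marks a disabled (commented-out) service. Blank lines and
    comments that are not service lines are skipped.
    """
    entries = []
    for line in conf.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        enabled = not stripped.startswith("#")
        body = stripped.lstrip("#").strip()
        fields = body.split()
        # A real entry has at least six fields and a known socket type; the
        # header comment in the sample fails this and is skipped.
        if len(fields) < 6 or fields[1] not in VALID_SOCKET_TYPES:
            continue
        entries.append((fields[0], enabled))
    return entries


def enabled_cleartext_logins(conf):
    """Names of cleartext login services that inetd would actually start."""
    return sorted(svc for svc, on in parse_inetd(conf)
                  if on and svc in CLEARTEXT_LOGIN_SERVICES)


def harden_inetd(conf):
    """Comment out every enabled cleartext login service; leave the rest as-is.

    Disabling in inetd.conf (followed by a SIGHUP to inetd) is the
    'installed but not enabled' state the article asks vendors to ship.
    """
    out = []
    for line in conf.splitlines():
        fields = line.split()
        is_active = fields and not line.lstrip().startswith("#")
        if is_active and fields[0] in CLEARTEXT_LOGIN_SERVICES:
            out.append("#" + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    bad = enabled_cleartext_logins(SAMPLE_INETD_CONF)
    print("enabled cleartext login services:", bad or "none")
    print(harden_inetd(SAMPLE_INETD_CONF))
```

On a live system the same functions can be pointed at the real /etc/inetd.conf; the hardened output replaces it, and inetd must then be told to reread its configuration. The script deliberately says nothing about whether sshd is running, since that is not an inetd question: check the sshd process or its init script separately.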
