On Tue, Jan 2, 2018 at 11:13 AM, Cedric Blancher <cedric.blancher@xxxxxxxxx> wrote:
> There is a simple solution: Hardware certified per MIL standards (US
> DOD MIL standards) support kerberized telnet, so ssh can be declared
> as "not needed" / "obsolete" for that purpose.

And "if wishes were fishes, we'd all swim in riches". Kerberized *anything* requires a Kerberos server, a really reliable server or set of servers, to manage the credentials. Many "kerberized telnet" setups don't actually use the Kerberized telnet protocols on port 6623, they just use the telnetd on port 23 of the telnetd server to authenticate the user against the Kerberos server. And many obsolete setups don't even bother with *that*.

Been there, done that, should have gotten the T-shirt. I'm afraid that many admins, even in DoD environments, fail to bother with setting up these kinds of basic protections. Explaining the distinctions can be... adventuresome.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev