(no title)

  Connection failed

Maybe we should give the kind person who hosts it a break. Try it out tomorrow. (Yes, I should have thought of that before I tried.)

~~IIRC the blinkenlights telnet movies have been offline for a few years already.~~

> Nobody verifies host keys,

The known_hosts file is verification of host keys. It's not verification of a host cert, which is a different thing. Most sshd instances are running on ad hoc hardware without the ability to associate them with someone a cert authority would be willing to authenticate.

Basically people running services that need cert-based authentication are already using TLS (or if they're using sshd they've locked it down appropriately). SSH is for your workstation and your RPi and whatnot.

How do you automate, for example, "HTTPS over websocket with OAuth", without providing some kind of hard-coded, static or otherwise persistent authentication credentials to the calling system in some form (either certificate based auth, OAuth credentials, etc.)?

The problem with IoT and embedded secrets isn't really a solved problem, from what I can tell. I'm not sure that OAuth exactly solves the problem here. Though all your comments about SSH (especially host verification) holds true.

Just honestly trying to understand the possible solution space to the IoT problem and automated (non-human) authorization.

Unless you manage to leak your private host/client SSH keys, this is close to being as secure as it gets.

I'd say that HTTPS (or TLS in general) is more problematic, since you need to trust numerous root CAs in machine/browser store. Sure, you can use certificate pinning, but that has the same issues as SSH host key verification.

> Very few people use SSH with 2FA.

PCI DSS, HIPAA, and ISO 27001 each either highly recommend or enforce this.

I wouldn't use a jumphost without it.

> IMHO we need a good telnet replacement that sends signed data. Most people interpret signatures as allowed under FCC rules, just not encryption.

I know from bitter experience that IPsec is a “now you have two problems” kind of solution, but the Authentication Header is a thing and is supported by most (all?) implementations. Ham radio operators probably don’t have much use for the actual features of telnet compared to plain netcat, do they? (It’s mostly terminal feature negotiation and such.)

Most people don't care about FCC rules.

I'm breaking a tonne of FCC rules right now.

You can use ssh with the None cipher, thus disabling encryption entirely while still using the rest of the protocol.

N.U.T.S. 3.3.3 4eva! There was a NUTS 4, but about a decade too late.

> that users connect to using Telnet

Not anymore ;)

Seriously though: did you notice any spikes up or down?

If you'd run it on a non-standard port, anyone can still connect with netcat, socat, etc etc.

I've always used ssh to connect to it. And it's true that their port 23 is still open at last check. If you cannot reach port 23, and you irrationally hate ssh, you may use 14321 as an alternate.

https://www.alt.org/nethack/

MUDs were my introduction to telnet- I grew up a university kid and had access to Wesleyan's minicomputer EAGLE.WESLEYAN.EDU running OpenVMS. I used it to telnet to CMU's TinyMUD and later other TinyMUDs around the country. I recall OpenVMS's telnet had a problem with newlines/carriage returns so all the text was staircased, so I ended up learning C and writing a MUD client. I still habitually use telnet today even if netcat and many other tools have replaced it.

All of that was foundational for my career and I still look back fondly on the technology of the time, which tended to be fairly "open" to exploration by curious-minded teenagers.

Do you care if they steal your account though and drop all your inventory?

The problem is the auth is plain text too and you're open to having your credentials stolen.