Securing Telnet with SSL

43 points by AJAlabs about 8 years ago

7 comments

tyingq about 8 years ago
I'm guessing that something about ssh makes it difficult to implement the block oriented (vs stream) comms that protocols like 5250 and 3270 need. Unlike the unix world, they can interact with the terminal without sending things to the host, and there's support for something sort of like html forms, tab traversal, etc. They fill out fields and press a send key. You can't, for example, use a normal telnet client. There's tn3270, tn5250, etc, that layer the extra stuff needed.

You can find "sort of ssh" solutions for AS/400's and z/OS, but they create a tunnel and it's still telnet underneath. Or solutions that are ssh, but are interacting with a linux partition, or posix subsystem, and can't do the 3270/5250 stuff.
throwaway387234 about 8 years ago
This is a throwaway. Five years ago I worked for a company that was still using telnet for everything.

Despite assurances of using encryption to clients, we were taking no security measures. Connections to servers were possible with UUCP and Telnet over the internet and modem.

We "upgraded" to SCO OpenServer 6 because we were already grandfathered in to it and three servers had died.

We also had a zero password policy. If you could find the port or the phone number and you could guess a username, such as oh I don't know: "root", then you could get in.

And people were. We were regularly getting modem calls after hours. We had medical records, private financial data, social insurance numbers, ...

It was such a painful work environment. I switched us over by claiming that OpenServer 6 did not have a telnet server and that we were going to have to switch to SSH. I also lied and said that passwordless SSH sessions weren't a configurable option.

My point? This sort of half-assed mitigation of people stuck in their ways doesn't accomplish much. Best to just lie to them; if they were educated, they would have already made the change of their own volition.
zitterbewegung about 8 years ago
Ok so a few people posted about why not ssh? I think I'll try to provide more context to the system they are describing.

You are a brokerage and your setup with IBM is a mature system that would cost you lots of capital to overhaul to SSH. You already have a plan to do this and it will take 1 or 2 years to roll out and justify the cost to the board of directors. This answers the question: what do I do now to secure this system?
ainiriand about 8 years ago
Call me edgy, but what about ssh, Bob?
NuSkooler about 8 years ago
"Modern" (ha!) Bulletin Board Systems that support SSH simply talk Telnet over an SSH tunnel.

Sometimes you don't want to change... Much. :)
azinman2 about 8 years ago
This article prompted me to read more about the IBM i OS [1], and it sounds actually quite cool. From the self-healing and objects instead of files, to the packaging of an IR to be re-compiled on the fly to new platforms, I'm curious to know why it and its concepts aren't more mainstream? Is it actually the bee's knees but just costs a lot?

[1] https://en.m.wikipedia.org/wiki/IBM_i
dinnouti about 8 years ago
I am wondering if they could implement an SSH service and use an SSH tunnel to telnet, avoiding recode of the telnet end points.