SSH vs Telnet: Why SSH Replaced Telnet
Both provide remote command-line access to devices, but Telnet sends everything in plaintext — including passwords — while SSH encrypts the entire session. This single difference is why Telnet is now considered obsolete for anything except lab practice.
Side by side
| Factor | Telnet | SSH |
|---|---|---|
| Encryption | None — plaintext | Full session encryption |
| Default port | 23 | 22 |
| Password security | Visible to anyone capturing traffic | Protected by encryption |
| Modern usage | Avoid in production | Standard for all device management |
The details that matter
Anyone capturing traffic on a Telnet session — a classic man-in-the-middle position — reads your username and password in plain sight. SSH solves this with encryption from the first packet, using key exchange to establish a secure channel before any credentials are sent. Configuring SSH requires a hostname, domain name and generated RSA keys (see our SSH lab) — a small setup cost for eliminating one of the most basic security holes a network can have. Every real production network should have transport input ssh on its VTY lines, Telnet disabled.
Frequently asked questions
Why is Telnet considered insecure?
It transmits all data, including usernames and passwords, in plaintext — anyone capturing the traffic can read credentials directly.
What port does SSH use by default?
Port 22 (Telnet uses port 23).
How do you disable Telnet and allow only SSH?
On the VTY lines, configure transport input ssh — this refuses Telnet connections and accepts only encrypted SSH sessions.
Related articles
Want hands-on training?
Learn this on real Cisco lab devices with placement support at Attila Technologies, Ahmedabad.