Subject: Re: Any point to cvs using rsh? (was Re: Anoncvs pointer)
To: None <current-users@netbsd.org>
From: Gary Thorpe <gathorpe79@yahoo.com>
List: current-users
Date: 12/13/2002 09:50:25
 --- Chuck Yerkes <chuck+nbsd@2003.snew.com> wrote: > Quoting Ron
Roskens (roskens@elfin.net):
> > 
> > Your missing the "CVS_RSH" environment variable.
> > 
> > sh:
> > export CVS_RSH=ssh
> > 
> > csh:
> > setenv CVS_RSH ssh
> > 
> > and then run the cvs command.
> 
> Is there any reason not to just have CVS (and rsync and rdist)
> just use ssh by default?
> 
> I mitigate it a lot by removing rsh and making it a link to
> ssh, but should we "presume" that rsh is useful for ANYTHING?
> Sure, let it be there for override (CVS_RSH=rsh), but lets
> move on.
> 
> Between clear passwords and session highjacking, the r* commands
> are ready to die.  They were Joy's hack in 4.1 (and part of 4.2),
> they're still a hack.

Why should ssh be necessary for anoncvs (i.e. what I assume to be an
anonymous, passwordless, open-to-the-public service)? Can session
hijacking be prevented by IPSEC? Does anyone actually use it?

______________________________________________________________________ 
Post your free ad now! http://personals.yahoo.ca