Subject: Re: inetd.conf defaults
To: None <tech-net@netbsd.org>
From: Erik Fair <fair@clock.org>
List: tech-net
Date: 05/28/2000 00:25:49
At 23:26 -0700 5/27/00, Hal Murray wrote:
>I think a web page discussing the issues would be more valuable.
>Does one exist already?  (I don't remember finding one, but I haven't
>looked carefully recently.)

http://www.clock.org/~fair/opinion/ip-address-trust.html

At 23:57 -0700 5/27/00, Greg A. Woods wrote:
>[passwords in the clear suck; turn off telnetd and ftpd too]

All these protocols suck unless you have IP security in transport 
mode using ESP (AH is not sufficient). However, for telnet and ftp, 
at least you have to give a password. The rhosts mechanism is totally 
insecure in its current incarnation. We could reasonably turn it on 
again if a hook to test for IPsec/ESP was added as a requirement to 
accept authentication.

>In fact given the availability of sniffing tools it's actually a lot
>"safer" to use rsh, rcp, and rlogin internally with ~/.rhosts than it is
>to use telnet and ftp.  Your local colleagues are less likely to play
>ARP and TCP spoofing games than they are to just sniff for your
>password (or any other password you may type! ;-).

False. All an attacker has to do to get in via r* is prevent your 
host from transmitting anything (i.e. crash it or muzzle it with a 
DoS), and then pretend to be you! This is how Kevin Mitnick attacked 
Tsutomu Shimomura's machines, totally remotely. No password sniffing 
or physical access required. (OK, there was some TCP sequence number 
guessing in there too).

>BTW, that reminds me:  What do people who don't 100% trust their local
>network neighbours do when they only have an X11 terminal on their desk
>and they need to type a sensitive password (eg. typing the root password
>to "su" through an xterm process running on a local server)?

That's easy - replace all your 10base-T hubs (and thinnet) with 
switches. Can't sniff what you can't see. 8-port 10/100 FDX switches 
are around $100 now.

	Erik <fair@clock.org>
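As an added illustration of the rhosts point made above (this is example code written for this page, not anything from the thread, from NetBSD, or from the r* daemons themselves): a minimal evaluator for ~/.rhosts entries. It makes the same decision the r* services make, on the same inputs, and a second function adds the gate Erik proposes, refusing rhosts authentication unless the connection arrived over IPsec ESP. The `.rhosts` contents are constructed sample data, and the `over_esp` flag is an assumed input supplied by the caller, standing in for the kernel hook the post says would be needed.

```python
"""Minimal ~/.rhosts trust evaluator (added example, not from the original post).

The decision below takes only the client's claimed host name and the remote
user name: there is no secret in it, so any peer that can present the
expected source address is indistinguishable from the genuine one.  That is
the weakness described in the thread; the ESP-gated variant shows the shape
of the fix being proposed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class RhostsEntry:
    host: str            # "+" means any host
    user: Optional[str]  # None means "remote user must equal the local account"


def parse_rhosts(text: str) -> List[RhostsEntry]:
    """Parse 'host [user]' lines; blank lines and '#' comments are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        user = fields[1] if len(fields) > 1 else None
        entries.append(RhostsEntry(fields[0], user))
    return entries


def rhosts_allows(entries: List[RhostsEntry], client_host: str,
                  remote_user: str, local_user: str) -> bool:
    """True if some entry admits remote_user@client_host as local_user."""
    for e in entries:
        host_ok = e.host == "+" or e.host.lower() == client_host.lower()
        if e.user is None:
            user_ok = remote_user == local_user
        else:
            user_ok = e.user == remote_user
        if host_ok and user_ok:
            return True
    return False


def rhosts_allows_with_esp(entries: List[RhostsEntry], client_host: str,
                           remote_user: str, local_user: str,
                           over_esp: bool) -> bool:
    """Same check, but only honoured when the transport was ESP-protected.

    `over_esp` is an assumed input: in a real daemon it would come from a
    kernel query about the connection's security association.
    """
    if not over_esp:
        return False
    return rhosts_allows(entries, client_host, remote_user, local_user)


# Constructed sample ~/.rhosts for a local account named "fair".
SAMPLE_RHOSTS = """\
# host                  remote user (optional)
shimomura.example.org
osiris.example.org      erik
"""

SAMPLE_ENTRIES = parse_rhosts(SAMPLE_RHOSTS)


if __name__ == "__main__":
    # Plain rhosts: admitted on claimed address alone.
    print(rhosts_allows(SAMPLE_ENTRIES, "shimomura.example.org", "fair", "fair"))
    # ESP-gated: the same claim is refused on an unprotected connection.
    print(rhosts_allows_with_esp(SAMPLE_ENTRIES, "shimomura.example.org",
                                 "fair", "fair", over_esp=False))
```

Note that `rhosts_allows` has no argument that could carry proof of who the peer is; adding one (here, `over_esp`) is the whole substance of the proposed change.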