tech-security archive
Re: rshd...
On 07/14/2012 11:18 PM, Lloyd Parkes wrote:
> On 15/07/2012, at 8:49 AM, Anders Magnusson wrote:
>> On 07/14/2012 10:45 PM, Lloyd Parkes wrote:
>>> On 15/07/2012, at 1:59 AM, Darren Reed wrote:
>>>> In doing test development for ipfilter, I've become aware of what I'd
>>>> consider to be a bug in rshd
>>>
>>> Is there any way at all that anyone can justify shipping rshd and friends as
>>> part of NetBSD? The only justification I can think of would be if rsh can do
>>> host verification via Kerberos, but ssh could do that too with the appropriate
>>> patches. At least telnet is a useful network diagnostic tool. Hmm, if we
>>> stopped shipping telnetd, would anyone notice?
>>
>> There are (still) lots of systems that only can use rsh to communicate that
>> nothing can be done about.
>
> You are going to have to name them because the reason I suggested this is that I can't
> think of any. Even Cisco routers speak ssh these days. Also, as with telnet, shipping the
> server component is separate from shipping the client. The servers could all be moved to
> pkgsrc. Possibly with a new category called "insecurity" so people know
> everything in there is a bad idea. ;-)

There are Windows applications that use rsh to transfer data (to other
systems).
I have worked with a data collector unit where data was fetched via rsh.
To do remote execution from Sintran systems you use rsh (probably not
the most common case though)
...on ciscos you usually use tftp to transfer data, not rsh or ssh.

>> And telnetd is very useful in a kerberized environment.
>
> sshd works fine with Kerberos. I threw away my RSA key pairs on my home systems
> years ago and turned on the ssh Kerberos options. It took a few goes to find
> the right options, and it works just fine. As I alluded to in my previous
> email, ssh doesn't support Kerberos host verification, but there are patches
> floating around the net for that, and the Mac OS X ssh has those patches (or
> equivalent) applied, so this would be ground breaking.

You still have to convince me (and probably tons of others) why using
ssh is better than ktelnet.
I would say that they are different solutions for the same requirement.

-- Ragge