tech-security archive


Re: rshd...



On 15/07/2012, at 8:43 PM, Anders Magnusson wrote:

> On 07/14/2012 11:18 PM, Lloyd Parkes wrote:
>> On 15/07/2012, at 8:49 AM, Anders Magnusson wrote:
>> 
>>> On 07/14/2012 10:45 PM, Lloyd Parkes wrote:
>>>> On 15/07/2012, at 1:59 AM, Darren Reed wrote:
>>>> 
>>>>> In doing test development for ipfilter, I've become aware of what I'd
>>>>> consider to be a bug in rshd
>>>> Is there any way at all that anyone can justify shipping rshd and friends 
>>>> as part of NetBSD? The only justification I can think of would be if rsh 
>>>> can do host verification via Kerberos, but ssh could do that too with the 
>>>> appropriate patches. At least telnet is a useful network diagnostic tool. 
>>>> Hmm, if we stopped shipping telnetd, would anyone notice?
>>>> 
>>> There are (still) lots of systems that only can use rsh to communicate that 
>>> nothing can be done about.
>> You are going to have to name them because the reason I suggested this is 
>> that I can't think of any. Even Cisco routers speak ssh these days. Also, as 
>> with telnet, shipping the server component is separate from shipping the 
>> client. The servers could all be moved to pkgsrc. Possibly with a new 
>> category called "insecurity" so people know everything in there is a bad 
>> idea. ;-)
> There are Windows applications that use rsh to transfer data (to other 
> systems).
> I have worked with a data collector unit where data was fetched via rsh.
> To do remote execution from Sintran systems you use rsh (probably not the 
> most common case though).

That's why I think anything that is removed from base.tgz should go into 
pkgsrc. Just because we can do some housekeeping, doesn't mean everyone else 
will.

> You still have to convince me (and probably tons of others) why using ssh is 
> better than ktelnet.
> I would say that they are different solutions for the same requirement.

I run a kerberised ssh in order to get ssh flexibility with all the k goodness. 
I understand that ssh is neither a perfect answer, nor the only answer. I'm 
just scratching my head and realising that I haven't needed to use any of the r 
commands for over a decade.

Cheers,
Lloyd

