Subject: Re: CVS_RSH to ssh
To: NetBSD Userlevel Technical Discussion List <tech-userlevel@NetBSD.ORG>
From: Niels Provos <provos@citi.umich.edu>
List: tech-userlevel
Date: 06/18/2003 00:29:39
On Wed, Jun 18, 2003 at 12:21:58AM -0400, Greg A. Woods wrote:
> I guess we'd better all stop using NFS on our private networks too,
> especially via UDP....  :-)
I completely agree with you.  Use AFS or NFSv4 with GSS-API.

> Hmmm.... maybe we should stop using all raw ICMP, UDP, and TCP and only
> use carefully configured and controlled IPSEC VPNs everywhere, but of
> course if we did that then we could go back to using RSH and TELNET and
> such again without fear, so just exactly what do you mean by "private
> network"?
It seems that you are exaggerating slightly. However, in my opinion CVS
traffic is actually worthwhile protecting.  You don't want someone to
insert the backdoor in your read-only traffic that you commit later
into the repository.

And as such there is no reason to expose innocent users to potential
security problems by default.  If people want to shoot themselves
into their feet, they might as well export CVS_RSH=rsh and not
the other way around.

Niels.