Subject: Re: Policy questions
To: Jason Thorpe <>
From: Greywolf <>
List: tech-userlevel
Date: 12/30/2003 14:21:14
Thus spake Jason Thorpe ("JT> ") sometime Yesterday...

JT> > I think we should keep the r* commands because people use them and I
JT> > believe in supplying rope, but I think that anyone who uses them in
JT> > the belief that some part of their network is "private" and thereby
JT> > secure is setting themselves up for a nasty surprise.
JT> It is easy to set up completely private networks, that have no
JT> connection to an outside world, with no way to connect to that network
JT> except by having physical access to it.
JT> Such networks are perfect candidates for the r* commands.

How about this scenario:

FW/Router cannot use ipv6.
No ipv6 tunneling through ipv4.
Connectivity to main host in DMZ thru firewall/router is ssh only.

If the rcmds are enabled on ipv6 only, does this, by and large,
mitigate the security risk to the extent that ssh has holes?

NetBSD: the Berkeley redemption.