Subject: Re: Policy questions
To: Jason Thorpe <firstname.lastname@example.org>
From: Greywolf <email@example.com>
Date: 12/30/2003 14:21:14
Thus spake Jason Thorpe ("JT> ") sometime Yesterday...
JT> > I think we should keep the r* commands because people use them and I
JT> > believe in supplying rope, but I think that anyone who uses them in
JT> > the belief that some part of their network is "private" and thereby
JT> > secure is setting themselves up for a nasty surprise.
JT> It is easy to set up completely private networks, that have no
JT> connection to an outside world, with no way to connect to that network
JT> except by having physical access to it.
JT> Such networks are perfect candidates for the r* commands.
How about this scenario:
FW/Router cannot use ipv6.
No ipv6 tunneling through ipv4.
Connectivity to main host in DMZ thru firewall/router is ssh only.
If the rcmds are enabled on ipv6 only, does this, by and large,
mitigate the security risk to the extent that ssh has holes?
NetBSD: the Berkeley redemption.