Subject: Re: FreSSH
To: Charles Shannon Hendrix <shannon@widomaker.com>
From: Greg A. Woods <woods@weird.com>
List: current-users
Date: 03/09/2002 19:20:34
> On an internal network, authentication is often the only piece desired.
> It gets around the security holes in rsh-type mechanisms, and avoids
> problems like IP spoofing, etc.  But the data itself is often wide open
> anyway, so you don't need to encrypt it.

Huh?  On an internal network rsh alone (with proper forward and reverse
DNS authoritatively loaded on all the relevant nameservers), with
~/.rhosts if you're worried about people sniffing passwords, is usually
secure enough, at least so long as you have port security on all your
hubs & switches (locked down MACs, and arpwatch or something like it to
audit IP to MAC assignments).

If you're going to use something like SSH for authentication and
authorisation then you need to use strong crypto on the data channels
too, as otherwise you may as well just use anonymous logins because they
would actually be more secure (no threat of theft of identity!).

If you're going to trust the integrity of your TCP/IP connections then
DNS-based host authentication, and ~/.rhosts based user authentication,
is probably sufficient (though maybe a proper Kerberos would be a bit
better, assuming its added complexity doesn't cancel its advantages).

-- 
								Greg A. Woods

+1 416 218-0098;  <gwoods@acm.org>;  <g.a.woods@ieee.org>;  <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
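As an added illustration of the host-authentication half of the argument above (this is example code written for this page, not anything from Greg's post or from an rshd implementation): rshd's host check only works when the client's reverse (PTR) and forward (A) records agree, which is what "proper forward and reverse DNS authoritatively loaded" buys you. The zone data, the ~/.rhosts contents, and the names build.example.net / devbox.example.net are all constructed for the example so it runs offline; a real rshd would make the same two lookups through the resolver.

```python
"""Double-reverse DNS check plus ~/.rhosts matching, in the style of BSD rshd.

Example code added for this page, not from the original post. The resolver
tables below are constructed stand-ins for the real nameservers so the
script runs offline; a live daemon would use gethostbyaddr()/gethostbyname().
"""

# Constructed zone data (assumption: these are the "properly loaded" forward
# and reverse zones the post refers to). Whoever controls the reverse zone
# for 10.0.0.66 has pointed its PTR at a trusted name, but cannot add that
# address to the trusted name's forward (A) records.
PTR = {
    "10.0.0.5": "build.example.net",
    "10.0.0.66": "build.example.net",  # spoofed PTR record
    "10.0.0.7": "devbox.example.net",
}
A = {
    "build.example.net": ["10.0.0.5"],
    "devbox.example.net": ["10.0.0.7"],
}

# Constructed ~/.rhosts for the local user 'alice'.
RHOSTS = """
# host [user]  -- no user field means 'same username as the local account'
build.example.net
devbox.example.net  bob
"""


def resolve_client(addr, ptr=PTR, a=A):
    """Return the client's hostname only if forward and reverse DNS agree.

    This is the double-reverse lookup rshd performs: PTR -> name, then
    name -> A records, and the original address must be among them.
    If the check fails the client is treated as an anonymous bare address.
    """
    name = ptr.get(addr)
    if name is None:
        return None
    if addr not in a.get(name, []):
        return None  # PTR names a host that does not point back at this address
    return name


def parse_rhosts(text):
    """Parse ~/.rhosts (or hosts.equiv) lines into (host, user) pairs.

    Each line is 'host [user]'; '#' starts a comment. A '+' in either field
    means 'anyone' and is the entry you never want on an internal network.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        user = parts[1] if len(parts) > 1 else None
        entries.append((parts[0].lower(), user))
    return entries


def ruserok(client_addr, remote_user, local_user, rhosts_text=RHOSTS, ptr=PTR, a=A):
    """Decide whether remote_user@client_addr may log in as local_user.

    Mirrors the BSD ruserok() rules: the client name must survive the
    double-reverse check, then some .rhosts line must name that host (or the
    literal address, or '+') and either omit the user (same username) or
    name remote_user (or '+').
    """
    host = resolve_client(client_addr, ptr, a)
    for rh_host, rh_user in parse_rhosts(rhosts_text):
        host_ok = (rh_host == "+"
                   or (host is not None and rh_host == host)
                   or rh_host == client_addr)
        if not host_ok:
            continue
        if rh_user is None:
            if remote_user == local_user:
                return True
        elif rh_user in ("+", remote_user):
            return True
    return False


if __name__ == "__main__":
    for addr, ruser in [("10.0.0.5", "alice"), ("10.0.0.66", "alice"),
                        ("10.0.0.7", "bob"), ("10.0.0.7", "alice")]:
        print(addr, ruser, "->", "allow" if ruserok(addr, ruser, "alice") else "deny")
```

The spoofed PTR for 10.0.0.66 gets the connection nothing: it resolves to a name whose forward records do not include 10.0.0.66, so the host is treated as unnamed and no ~/.rhosts line matches it. The check is only as good as the nameservers it queries, which is why the post pairs it with port security and MAC/IP auditing on the same segment.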