tech-security archive


Re: rshd...

On 15/07/2012, at 8:49 AM, Anders Magnusson wrote:

> On 07/14/2012 10:45 PM, Lloyd Parkes wrote:
>> On 15/07/2012, at 1:59 AM, Darren Reed wrote:
>>> In doing test development for ipfilter, I've become aware of what I'd
>>> consider to be a bug in rshd
>> Is there any way at all that anyone can justify shipping rshd and friends as 
>> part of NetBSD? The only justification I can think of would be if rsh can do 
>> host verification via Kerberos, but ssh could do that too with the 
>> appropriate patches. At least telnet is a useful network diagnostic tool. 
>> Hmm, if we stopped shipping telnetd, would anyone notice?
> There are (still) lots of systems that only can use rsh to communicate that 
> nothing can be done about.

You are going to have to name them because the reason I suggested this is that 
I can't think of any. Even Cisco routers speak ssh these days. Also, as with 
telnet, shipping the server component is separate from shipping the client. The 
servers could all be moved to pkgsrc. Possibly with a new category called 
"insecurity" so people know everything in there is a bad idea. ;-)

> And telnetd is very useful in a kerberized environment.

sshd works fine with Kerberos. I threw away my RSA key pairs on my home systems 
years ago and turned on the ssh Kerberos options. It took a few goes to find 
the right options, and it works just fine. As I alluded to in my previous 
email, ssh doesn't support Kerberos host verification, but there are patches 
floating around the net for that, and the Mac OS X ssh has those patches (or 
equivalent) applied, so this would be groundbreaking.
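As an added illustration of the "ssh Kerberos options" the message refers to (this is not part of the original thread; the option set below is an assumption about stock OpenSSH of that period, and `example.org` is a placeholder domain), here are the server- and client-side settings that turn on Kerberos user authentication through GSSAPI, together with the key-exchange keyword that only exists in builds carrying the separately distributed GSSAPI key exchange patch the message alludes to:

```text
# sshd_config (server side) -- added example, not from the thread
GSSAPIAuthentication yes          # accept Kerberos tickets for user authentication
GSSAPICleanupCredentials yes      # destroy any forwarded credentials at logout
# Only honoured by builds carrying the GSSAPI key exchange patch; stock
# OpenSSH treats it as a bad configuration option, so run 'sshd -t' first.
GSSAPIKeyExchange yes

# ~/.ssh/config (client side)
Host *.example.org                # placeholder domain, not from the thread
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes  # forward the TGT only to hosts you trust
    GSSAPIKeyExchange yes          # again, patched builds only
```

Without the key-exchange patch, GSSAPI only authenticates the user; the server's identity is still verified through its SSH host key and the client's known_hosts file, which is the gap the message describes when it says ssh "doesn't support Kerberos host verification".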

