tech-security archive

Re: rshd...

On 07/14/2012 11:18 PM, Lloyd Parkes wrote:
> On 15/07/2012, at 8:49 AM, Anders Magnusson wrote:
>
>> On 07/14/2012 10:45 PM, Lloyd Parkes wrote:
>>> On 15/07/2012, at 1:59 AM, Darren Reed wrote:
>>>
>>>> In doing test development for ipfilter, I've become aware of what I'd
>>>> consider to be a bug in rshd
>>> Is there any way at all that anyone can justify shipping rshd and friends as
>>> part of NetBSD? The only justification I can think of would be if rsh can do
>>> host verification via Kerberos, but ssh could do that too with the appropriate
>>> patches. At least telnet is a useful network diagnostic tool. Hmm, if we
>>> stopped shipping telnetd, would anyone notice?
>>
>> There are (still) lots of systems that only can use rsh to communicate that
>> nothing can be done about.
> You are going to have to name them because the reason I suggested this is that I can't
> think of any. Even Cisco routers speak ssh these days. Also, as with telnet, shipping the
> server component is separate from shipping the client. The servers could all be moved to
> pkgsrc. Possibly with a new category called "insecurity" so people know
> everything in there is a bad idea. ;-)
There are Windows applications that use rsh to transfer data (to other systems).
I have worked with a data collector unit where data was fetched via rsh.
To do remote execution from Sintran systems you use rsh (probably not the most common case though)

...on Ciscos you usually use tftp to transfer data, not rsh or ssh.

>> And telnetd is very useful in a kerberized environment.
> sshd works fine with Kerberos. I threw away my RSA key pairs on my home systems
> years ago and turned on the ssh Kerberos options. It took a few goes to find
> the right options, and it works just fine. As I alluded to in my previous
> email, ssh doesn't support Kerberos host verification, but there are patches
> floating around the net for that, and the Mac OS X ssh has those patches (or
> equivalent) applied, so this would be ground breaking.

You still have to convince me (and probably tons of others) why using ssh is better than ktelnet.
I would say that they are different solutions for the same requirement.

-- Ragge