Date: Fri, 22 Sep 2000 14:19:16 -0600
From: Brett Glass <brett@lariat.org>
To: Lyndon Nerenberg <lyndon@orthanc.ab.ca>
Cc: security@FreeBSD.ORG
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
Message-ID: <4.3.2.7.2.20000922141517.00ddf570@localhost>
In-Reply-To: <200009221849.e8MInS116911@orthanc.ab.ca>
References: <Your message of "Fri, 22 Sep 2000 12:11:25 MDT." <4.3.2.7.2.20000922120415.00c7bdc0@localhost>

At 12:49 PM 9/22/2000, Lyndon Nerenberg wrote:

>>>>>> "Brett" == Brett Glass <brett@lariat.org> writes:
>
>    Brett> It should not be. It sends passwords in the clear. This is
>    Brett> not acceptable on today's Internet.
>
>In certain situations. There is hardware (e.g. terminal servers, hubs) that
>speaks only telnet for remote configuration, and will never support
>anything but telnet for remote configuration. Remote could mean it's three
>feet away but doesn't have a serial console. If these devices are accessed
>from secure LANs where packets can't be sniffed then telnet is a
>perfectly secure protocol in that context. In other cases, using
>telnet in its default mode is just silly from a security standpoint.

These are special cases, though! I think that you will agree that by
default, on FreeBSD (as opposed to hubs, etc.), we should leave telnetd
off. (The telnet application, on the other hand, might be run under
certain circumstances.)

As for authentication: Kerberos, S/key, etc. are useful if one must use
Telnet. But they're a lot harder to set up and use than SSH! (In the
case of Kerberos, *much* harder.)

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message