Date: Fri, 22 Sep 2000 16:28:27 -0700
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To: Warner Losh <imp@village.org>
Cc: Neil Blakey-Milner <nbm@mithrandr.moria.org>, Lyndon Nerenberg <lyndon@orthanc.ab.ca>, freebsd-security@FreeBSD.ORG
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults!
Message-ID: <200009222328.e8MNSTF13435@cwsys.cwsent.com>
In-Reply-To: Your message of "Fri, 22 Sep 2000 15:39:18 MDT." <200009222139.PAA71726@harmony.village.org>
In message <200009222139.PAA71726@harmony.village.org>, Warner Losh writes:
> In message <20000922233318.A34189@mithrandr.moria.org> Neil Blakey-Milner writes:
> : Maybe you can give me some clue - why is rsh and login suid-root? Can
> : they function without it?
>
> No. Well, the kerberos support works, but they need to be suid root
> to bind to low ports. That's part of what makes the normal protocol so
> lame.

The other annoying thing about rsh/krsh is that rshd/kshd open a connection back to the client -- very firewall unfriendly. Not that one would want to allow these protocols across a firewall; however, within our network we firewall our desktop systems from our production servers, which are themselves behind two other firewalls, to discourage developers and Oracle admins from connecting to our desktop systems. This is a layered onion approach to firewalls where each sysadmin's desktop is protected because of its ability to connect to production servers on our own network that normally cannot talk to each other, e.g. isolated from each other using firewalls or VLANs, though our desktop systems can talk to each system on our raised floor.

So my question is why the second TCP session between rshd/kshd and rsh/krsh? Is it for a full-duplex session?

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
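An added example, not from this thread or from the FreeBSD sources, showing the rcmd(3)/rshd(8) handshake the two questions above are about: the suid-root client connects from a reserved port (512-1023) and sends a NUL-terminated stderr port number; a nonzero value is the second TCP session, which rshd opens back to the client for the standard-error stream, and rshd refuses either port if it is not reserved. The last function lists the flows a firewall between client and server would have to pass, which is the problem Cy describes; the IP addresses in the test are constructed.

```python
# Added example (not from the thread): the rcmd(3)/rshd(8) handshake, rshd's
# reserved-port checks, and the TCP flows a firewall in between would have to allow.
RESERVED_LOW, RESERVED_HIGH = 512, 1023   # range rresvport(3) binds in; needs root, hence suid
RSHD_PORT = 514


def is_reserved_port(port: int) -> bool:
    """rshd trusts a peer port only if it lies in the root-only reserved range."""
    return RESERVED_LOW <= port <= RESERVED_HIGH


def build_rcmd_request(stderr_port: int, locuser: str, remuser: str, command: str) -> bytes:
    """Client side: stderr port (0 = none), local user, remote user, command, each NUL-terminated."""
    if not 0 <= stderr_port <= 65535:
        raise ValueError("stderr port out of range")
    if any("\0" in f for f in (locuser, remuser, command)):
        raise ValueError("fields may not contain NUL")
    return b"".join(f.encode() + b"\0" for f in (str(stderr_port), locuser, remuser, command))


def parse_rcmd_request(data: bytes, client_port: int) -> dict:
    """Server side: decode the request and apply rshd's two reserved-port checks."""
    parts = data.split(b"\0")
    if len(parts) != 5 or parts[4] != b"" or not parts[0].isdigit():
        raise ValueError("malformed rcmd request")
    stderr_port = int(parts[0])
    return {
        "client_port_reserved": is_reserved_port(client_port),   # rshd's "illegal port" check
        "stderr_port": stderr_port,
        "back_connection": stderr_port != 0,                      # the second TCP session
        "stderr_port_reserved": stderr_port == 0 or is_reserved_port(stderr_port),  # "2nd port not reserved"
        "locuser": parts[1].decode(),
        "remuser": parts[2].decode(),
        "command": parts[3].decode(),
    }


def required_flows(client_ip: str, client_port: int, server_ip: str, req: dict) -> list:
    """(src, sport, dst, dport) tuples a firewall must pass; the second one is inbound to the client."""
    flows = [(client_ip, client_port, server_ip, RSHD_PORT)]
    if req["back_connection"]:
        # rshd binds its own reserved port (rresvport) for the stderr connection,
        # so the source port of the reverse flow is not known in advance.
        flows.append((server_ip, "reserved 512-1023", client_ip, req["stderr_port"]))
    return flows
```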