From: Matthew Dillon <dillon@apollo.backplane.com>
Date: Thu, 25 Mar 1999 01:05:58 -0800 (PST)
To: Mike Thompson
Cc: Gary Gaskell, freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH

:The general consensus seems to be that rsh and like tools can be easily
:hacked, kerberos or no kerberos.
:
:Thanks again,

    Well, for rsh or telnet configured for kerberos-only operation, it's
    reasonably safe.  The one problem with this is that kerberos defaults
    to disabling encryption ... you have to explicitly enable it.

    In general, the biggest security hole with standard tools such as ftp,
    rsh, telnet, and rlogin (non-kerberos) is that they pass plaintext and
    both initial passwords and passwords passed later on are vulnerable to
    interception.

    With kerberos and no encryption by default, these tools are still
    vulnerable.  You can get into the account just fine without exposing a
    password, but once in the account if you need to type a password of any
    sort in to do something else, *that* password is vulnerable to
    interception.

					-Matt
					Matthew Dillon
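The failure mode Matt describes (Kerberos login exposes no password, but a later prompt inside the unencrypted session does) can be checked for in captured session data. The following is an added illustration, not code from the thread or from FreeBSD: it walks a constructed record of an unencrypted kerberized rlogin session and reports where a server-side password prompt was answered in the clear, without echoing the secret itself.

```python
import re

# Constructed sample session (direction, payload) for an unencrypted
# kerberized rlogin.  The login itself carries no password, but a later
# "su" prompt makes a password cross the wire in plaintext.
SAMPLE_SESSION = [
    ("server", b"Kerberos authentication succeeded\r\nLast login: Thu Mar 25\r\n$ "),
    ("client", b"su -\r\n"),
    ("server", b"Password:"),
    ("client", b"hunter2\r\n"),   # constructed secret, exposed on the wire
    ("server", b"# "),
    ("client", b"exit\r\n"),
]

# Matches a password prompt at the end of a server chunk (case-insensitive).
PROMPT_RE = re.compile(rb"(?i)password\s*:\s*$")


def find_exposed_secrets(session):
    """Return [(index, prompt), ...] for every client message that answered
    a server password prompt over the unencrypted channel.  Only the
    position and prompt text are reported, never the typed secret."""
    findings = []
    awaiting = None            # prompt text if the server just asked for a password
    for i, (direction, payload) in enumerate(session):
        if direction == "server":
            m = PROMPT_RE.search(payload.rstrip())
            awaiting = m.group(0).decode("ascii", "replace") if m else None
        elif direction == "client" and awaiting:
            findings.append((i, awaiting))
            awaiting = None
    return findings


def session_leaks_password(session):
    """True if any password typed inside the session was sent in the clear."""
    return bool(find_exposed_secrets(session))


if __name__ == "__main__":
    for idx, prompt in find_exposed_secrets(SAMPLE_SESSION):
        print(f"cleartext answer to {prompt!r} at message {idx}")
```

The first server chunk (the Kerberos login) produces no finding, which matches the point that the initial authentication itself is safe; only the later prompt is flagged.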