From owner-freebsd-arch Tue Oct 10 9:23:11 2000 Delivered-To: freebsd-arch@freebsd.org Received: from earth.backplane.com (placeholder-dcat-1076843290.broadbandoffice.net [64.47.83.26]) by hub.freebsd.org (Postfix) with ESMTP id 1C57737B503; Tue, 10 Oct 2000 09:23:08 -0700 (PDT) Received: (from dillon@localhost) by earth.backplane.com (8.11.0/8.9.3) id e9AGKoo13270; Tue, 10 Oct 2000 09:20:50 -0700 (PDT) (envelope-from dillon) Date: Tue, 10 Oct 2000 09:20:50 -0700 (PDT) From: Matt Dillon Message-Id: <200010101620.e9AGKoo13270@earth.backplane.com> To: Poul-Henning Kamp Cc: Robert Watson , Kris Kennaway , Terry Lambert , arch@FreeBSD.ORG, Warner Losh , Jeroen Ruigrok van der Werven Subject: Re: cvs commit: src/etc inetd.conf References: <72356.971193482@critter> Sender: owner-freebsd-arch@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG : :In message , Robe :rt Watson writes: :> :>On Mon, 9 Oct 2000, Kris Kennaway wrote: :> :>> On Tue, Oct 10, 2000 at 02:11:11AM +0000, Terry Lambert wrote: :>> > > > > Do any committers have any objections to me disabling ntalk, finger, :>> > > > > telnet, rsh, and ftp by default in -current? And sandboxing 'named' by :>> > > > > default in -current? :>> > :>> > Won't this make it difficult to bootstrap a headless 1U box? :>> :>> The point, which many people in this discussion somehow keep missing, :>> is that when you do a default installation of recent versions of :>> FreeBSD, the machine reboots with ssh enabled and working. :> :>As I pointed out earlier, there needs to be a way for the administrator to :>securely retrieve the SSH key so that they can log in securely. : :And as I pointed out earlier: having ssh doesn't help people who have :only a windows box to connect from. : :-- :Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 :phk@FreeBSD.ORG | TCP/IP since RFC 956 I'm pretty sure there are at least two windows-based packages that work with ssh, FSecure is one of them. I don't see much of a point trying to restrict ourselves to the lowest common denominator - some joe sysadmin who isn't willing to run unix on a laptop or who isn't willing to buy a single program for windows to access a machine securely. Setting up ssh on a rackmount FreeBSD box is trivial. It's actually easier to do then setting up telnet. For example, in order to get initial access to the box from the console one can simply download and run a simple script which pulls the public key to be used for root's authorized_keys file into ~root/.ssh/authorized_keys. Bang, you now have secure access to the machine. This is a whole lot better then pulling an encrypted password over the net to populate master.passwd in order to be able to telnet in, and also a whole lot better then telling everyone and his grandmother the root password so they can login via telnet. I was this to initialize rack mount boxes at BEST four years ago. I had a little boot floppy which would copy the system via NFS, including ~root and its authorized_keys file. I had the private key softlinked from another partition so it wasn't accessible via NFS. You stick the floppy in, and 10 minutes later you had a complete system installed on the rack mount box including security and access elements. Nobody is saying we should remove these programs, only that they should not be turned on by default. They should be commented out in inetd.conf (like everything else in inetd.conf) so the machine isn't poked full of holes when someone turns inetd on without looking at inetd.conf. I can't imagine why anyone would do that, I guess the world is full of bozos. None of the arguments Jordan or Poul are making make any sense to me. What they are saying to me is basically that they aren't willing to require that joe sysop be bothered with lifting just his little finger to configure a FreeBSD box. -Matt To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-arch" in the body of the message