Date:      Thu, 24 Aug 2000 15:44:08 -0500
From:      "Gooderum, Mark" <mark@JUMPWEB.COM>
To:        freebsd-stable@FreeBSD.ORG
Subject:   RE: nuking "unsafe" protocols (was Re: Upcoming rc.conf changes n ot loading certain currently loaded daemons)
Message-ID:  <251BF6012D6B4A49A4109B1C3289A7B5BB78@purgatory.jumpweb.com>


> >Does it avoid using rcmd/rsh?
> 
> Yes; it uses its own protocol.  (It can use .rhosts for
> "authentication", but current versions default to using a 
> separate file, .amandahosts for that.  It also uses its own UDP & TCP
> ports.)

But amanda works by "trusting" the source IP/Port of the connection the same
way rsh/rcmd do via .rhosts/hosts.equiv.  So it's no more or less secure...

Fundamentally in the normal out of box Unix you either are or aren't working
in a trusted environment.  For most of us I think you are.  If you're on a
wire that controls the machines and trust the users then things like rxxx
are okay.  If your box is on the internet or the campus CS lab wire, you're
generally not.  Anyway, by default, .rhosts and hosts.equiv are empty and
therefore having rshd enabled isn't any risk beyond cleartext passwords on
the wire (which also can't be sniffed w/o root if you have a "trusted"
wire).  FreeBSD (and almost _every_ other OS and Unix in fairness) out of
the box isn't in shape to hang out bare on the Internet and just disabling
telnet and rsh doesn't make it so.  Also, most ISPs and companies _still_
don't have things like SSL support for POP or IMAP, so ending telnet and rsh
cleartext PW's on the wire does little to really secure things since most of
us use the same password everywhere.  Not saying it's the right security
answer, but user reality is just that.

Interoperability is critical and although ssh has found its way into FreeBSD
4.1 as standard, it certainly isn't standard on Windows or most other Unixen
and other OSes.  Unless somebody wants to bite the bullet (and I for one am
_not_ interested in trying) and write a "lockdown_freebsd" script that
enables ipfw or ipfilter with some reasonable defaults, turns off various
insecure services (including NFS...more implicit trust and/or cleartext PW's
via pcnfsd) then just blindly disabling rsh/telnet does little to really
improve the security of the box and does a lot to increase the confusion of
the user and increase the amount of manual configuration the _average_ user
needs to make the box function in the _average_ environment.
--
Mark Gooderum
mark@jumpweb.com
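
The host/user trust decision that rshd makes from hosts.equiv and ~/.rhosts (and that amanda's .amandahosts, which uses the same host-and-user line shape, makes in the same way), as an added example in Python. This is not code from the original message, from FreeBSD's libc, or from amanda: it models the documented hosts.equiv(5)/.rhosts rules (host, optional user, "+" wildcards, "-" denials, hosts.equiv skipped when the target account is root) and deliberately leaves out netgroup "@" entries and the ownership/permission checks rshd applies to ~/.rhosts; treating a "-" match as final is a simplification. The sample files are constructed for the demonstration.

```python
"""Added example: the trust decision behind rsh-style "authentication".

Models hosts.equiv / ~/.rhosts semantics (not libc's ruserok()); netgroups
and ~/.rhosts permission checks are omitted.  Sample inputs are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TrustEntry:
    host: str             # "+" matches any host
    user: Optional[str]   # None: remote user must equal local user; "+": any user
    deny_host: bool       # written as "-host": explicitly deny this host
    deny_user: bool       # user field written as "-user": explicitly deny this user


def parse_trust_file(text: str) -> list[TrustEntry]:
    """Parse hosts.equiv / .rhosts syntax: 'host [user]' per line, '#' comments."""
    entries: list[TrustEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host.startswith("@") or (user is not None and user.startswith("@")):
            continue  # netgroup entries are not modelled here (assumption: no match)
        deny_host = host.startswith("-")
        deny_user = user is not None and user.startswith("-")
        entries.append(TrustEntry(
            host=host[1:] if deny_host else host,
            user=user[1:] if deny_user else user,
            deny_host=deny_host,
            deny_user=deny_user,
        ))
    return entries


def _evaluate(entries: list[TrustEntry], client_host: str,
              remote_user: str, local_user: str) -> Optional[bool]:
    """Scan entries in order.  True: a positive entry matched host and user.
    False: a '-' entry matched.  None: nothing matched (try the next file)."""
    for e in entries:
        if not (e.host == "+" or e.host.lower() == client_host.lower()):
            continue
        if e.deny_host:
            return False
        if e.user is None:
            user_ok = remote_user == local_user
        elif e.user == "+":
            user_ok = True
        else:
            user_ok = remote_user == e.user
        if not user_ok:
            continue
        return not e.deny_user
    return None


def ruserok(hosts_equiv: str, rhosts: str, client_host: str,
            remote_user: str, local_user: str) -> bool:
    """May remote_user@client_host act as local_user?

    hosts.equiv is consulted only when the target is not root (as rshd does),
    then the target user's ~/.rhosts.  Note the inputs: a hostname obtained by
    resolving the connection's source address, and a username the client sent
    in cleartext.  No secret is involved anywhere in this decision.
    """
    if local_user != "root":
        verdict = _evaluate(parse_trust_file(hosts_equiv), client_host, remote_user, local_user)
        if verdict is not None:
            return verdict
    verdict = _evaluate(parse_trust_file(rhosts), client_host, remote_user, local_user)
    return bool(verdict)


# Constructed sample files.
EMPTY = ""                      # the out-of-the-box state: nothing is trusted
WILDCARD = "+ +\n"              # the classic mistake: every user on every host
SITE_EQUIV = """\
# hosts.equiv on a backup client (constructed sample)
buildbox.example.com            # same-named accounts may come in from here
-lab-pc7.example.com            # campus lab machine: explicitly denied
"""
AMANDA_RHOSTS = "backup.example.com amanda\n"   # ~amanda/.rhosts: the backup server only

if __name__ == "__main__":
    print("empty files, alice from buildbox:", ruserok(EMPTY, EMPTY, "buildbox.example.com", "alice", "alice"))
    print("'+ +' in hosts.equiv, anyone:", ruserok(WILDCARD, EMPTY, "x.example.net", "nobody", "alice"))
    print("amanda from backup server:", ruserok(SITE_EQUIV, AMANDA_RHOSTS, "backup.example.com", "amanda", "amanda"))
```

The point the message makes falls out of the code: with empty files nothing gets in, and with a "+ +" line everything does, but in neither case does the decision depend on anything an attacker cannot supply. Whoever can present the expected source address and hostname (or answer the reverse lookup) gets the same verdict as the real host, which is why the author treats rsh, .rhosts and .amandahosts as one trust model rather than three.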




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?251BF6012D6B4A49A4109B1C3289A7B5BB78>