Date:      Tue, 10 Oct 2000 09:20:50 -0700 (PDT)
From:      Matt Dillon <dillon@earth.backplane.com>
To:        Poul-Henning Kamp <phk@critter.freebsd.dk>
Cc:        Robert Watson <rwatson@FreeBSD.ORG>, Kris Kennaway <kris@citusc.usc.edu>, Terry Lambert <tlambert@primenet.com>, arch@FreeBSD.ORG, Warner Losh <imp@village.org>, Jeroen Ruigrok van der Werven <jruigrok@via-net-works.nl>
Subject:   Re: cvs commit: src/etc inetd.conf 
Message-ID:  <200010101620.e9AGKoo13270@earth.backplane.com>
References:   <72356.971193482@critter>


:
:In message <Pine.NEB.3.96L.1001010095155.90573M-100000@fledge.watson.org>, Robert Watson writes:
:>
:>On Mon, 9 Oct 2000, Kris Kennaway wrote:
:>
:>> On Tue, Oct 10, 2000 at 02:11:11AM +0000, Terry Lambert wrote:
:>> > > > >    Do any committers have any objections to me disabling ntalk, finger,
:>> > > > >    telnet, rsh, and ftp by default in -current?  And sandboxing 'named' by
:>> > > > >    default in -current?
:>> > 
:>> > Won't this make it difficult to bootstrap a headless 1U box?
:>> 
:>> The point, which many people in this discussion somehow keep missing,
:>> is that when you do a default installation of recent versions of
:>> FreeBSD, the machine reboots with ssh enabled and working.
:>
:>As I pointed out earlier, there needs to be a way for the administrator to
:>securely retrieve the SSH key so that they can log in securely.
:
:And as I pointed out earlier: having ssh doesn't help people who have
:only a windows box to connect from.
:
:--
:Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
:phk@FreeBSD.ORG         | TCP/IP since RFC 956

    I'm pretty sure there are at least two windows-based packages that
    work with ssh, FSecure is one of them.

    I don't see much of a point trying to restrict ourselves to the lowest
    common denominator - some joe sysadmin who isn't willing to run unix on
    a laptop or who isn't willing to buy a single program for windows to
    access a machine securely.

    Setting up ssh on a rackmount FreeBSD box is trivial.  It's actually
    easier to do than setting up telnet.  For example, in order to get
    initial access to the box from the console one can simply download and
    run a simple script which pulls the public key to be used for root's
    authorized_keys file into ~root/.ssh/authorized_keys.  Bang, you now
    have secure access to the machine.  This is a whole lot better than
    pulling an encrypted password over the net to populate master.passwd
    in order to be able to telnet in, and also a whole lot better than
    telling everyone and his grandmother the root password so they can login
    via telnet. 

    I used this to initialize rack mount boxes at BEST four years ago.  I
    had a little boot floppy which would copy the system via NFS, including
    ~root and its authorized_keys file.  I had the private key softlinked
    from another partition so it wasn't accessible via NFS.  You stick the
    floppy in, and 10 minutes later you had a complete system installed
    on the rack mount box including security and access elements.

    Nobody is saying we should remove these programs, only that they
    should not be turned on by default.  They should be commented out
    in inetd.conf (like everything else in inetd.conf) so the machine
    isn't poked full of holes when someone turns inetd on without looking 
    at inetd.conf.  I can't imagine why anyone would do that, I guess
    the world is full of bozos.  None of the arguments Jordan or Poul
    are making make any sense to me.  What they are saying to me is basically
    that they aren't willing to require that joe sysop be bothered with
    lifting just his little finger to configure a FreeBSD box.

							-Matt
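The bootstrap step Matt describes (pull a public key into ~root/.ssh/authorized_keys so the first login is over ssh rather than telnet) as an added example; this is not the script from the post or anything shipped by FreeBSD. It assumes a POSIX sh with awk, takes the key line as an argument rather than fetching it, uses a constructed placeholder key, and adds the two checks that usually bite in practice: the line must actually look like an OpenSSH public key, and the directory and file modes must be ones sshd will accept.

```shell
#!/bin/sh
# Added example, not the script from the post: install one SSH public key into a
# user's authorized_keys the way a bootstrap step on a headless box would, with
# the permission and sanity checks sshd needs before it will honour the file.
set -f   # no globbing while we word-split key lines below

# Constructed placeholder key line; the base64 blob is not a real key.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderPlaceholderPlaceholderPlaceholde admin@bootstrap'

# valid_pubkey_line LINE: 0 if LINE has the "<type> <base64> [comment]" shape
# of an OpenSSH public key with a key type we are willing to install.
valid_pubkey_line() {
    set -- $1
    [ $# -ge 2 ] || return 1
    case $1 in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    case $2 in
        *[!A-Za-z0-9+/=]*) return 1 ;;   # blob must be plain base64
    esac
    return 0
}

# key_present AUTHKEYS_FILE LINE: 0 if the same type and blob are already in
# the file (comment ignored), so re-running the bootstrap adds no duplicates.
key_present() {
    f=$1
    set -- $2
    awk -v t="$1" -v b="$2" '$1 == t && $2 == b { found = 1 } END { exit found ? 0 : 1 }' "$f"
}

# install_authorized_key HOMEDIR LINE: create HOMEDIR/.ssh (0700) and append
# LINE to authorized_keys (0600). With StrictModes on (the default) sshd
# refuses the file if it or the directory is writable by anyone but the owner,
# which is the usual reason a hand-rolled bootstrap "silently" fails.
install_authorized_key() {
    home=$1
    key=$2
    valid_pubkey_line "$key" || { echo "refusing malformed key line" >&2; return 1; }
    sshdir="$home/.ssh"
    authkeys="$sshdir/authorized_keys"
    mkdir -p "$sshdir" || return 1
    chmod 700 "$sshdir" || return 1
    [ -f "$authkeys" ] || : > "$authkeys"
    chmod 600 "$authkeys" || return 1
    key_present "$authkeys" "$key" && return 0
    printf '%s\n' "$key" >> "$authkeys"
}

# Demonstration against a throwaway directory so running this file touches
# nothing real; on a box you would pass /root (or the user's home) instead.
demo_home=$(mktemp -d)
install_authorized_key "$demo_home" "$SAMPLE_KEY" \
    && echo "installed into $demo_home/.ssh/authorized_keys"
```

Whatever fetches the key line (the "download a simple script" step in the post) is the part to be careful with: the key should arrive over a channel the admin already trusts, or its fingerprint should be compared against one written down beforehand, because anyone who can substitute that one line owns root on the new box.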



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-arch" in the body of the message
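The inetd.conf point in the message, as an added example that is not part of the thread or of FreeBSD's own files: an audit that lists which of the services under discussion (ftp, telnet, the rsh family, finger, ntalk) are still enabled in an inetd.conf, plus the edit the post argues for, commenting a service out. The inetd.conf text is a constructed sample, and the rsh family appears under the names inetd uses for it (shell for rshd, login for rlogind, exec for rexecd). It assumes a POSIX sh with awk.

```shell
#!/bin/sh
# Added example, not FreeBSD's file: audit an inetd.conf for the cleartext
# services the thread wants commented out by default, and comment them out.

# Constructed sample inetd.conf with two of the discussed services enabled.
SAMPLE_INETD_CONF='#ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell   stream  tcp     nowait  root    /usr/libexec/rshd       rshd
#login   stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
#finger  stream  tcp     nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
ntalk   dgram   udp     wait    tty:tty /usr/libexec/ntalkd     ntalkd
#
# a comment line'

# enabled_services CONF: service name of every line that is neither blank nor
# commented out, one per line.
enabled_services() {
    printf '%s\n' "$1" | awk '/^[[:space:]]*#/ || NF == 0 { next } { print $1 }'
}

# risky_enabled CONF: the enabled services from the list in the thread
# (ftp, telnet, rsh family, finger, ntalk), space-separated on one line.
risky_enabled() {
    enabled_services "$1" | awk '
        BEGIN { split("ftp telnet shell login exec finger ntalk", l, " "); for (i in l) risky[l[i]] = 1 }
        ($1 in risky) { out = out (out == "" ? "" : " ") $1 }
        END { print out }'
}

# disable_service CONF NAME: print CONF with every active line for NAME
# commented out, which is the change the post wants as the shipped default.
disable_service() {
    printf '%s\n' "$1" | awk -v n="$2" '
        /^[[:space:]]*#/ || NF == 0 { print; next }
        $1 == n { print "#" $0; next }
        { print }'
}

echo "enabled cleartext services: $(risky_enabled "$SAMPLE_INETD_CONF")"
```

On a real box you would feed it /etc/inetd.conf (`risky_enabled "$(cat /etc/inetd.conf)"`); the point of the audit is exactly the case in the message, someone turning inetd on without reading the file first.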




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200010101620.e9AGKoo13270>