Date: Thu, 5 Mar 2015 18:17:32 +0300
From: Slawa Olhovchenkov
To: Benjamin Kaduk
Cc: "svn-src-head@freebsd.org", "svn-src-all@freebsd.org", "src-committers@freebsd.org"
Subject: Re: svn commit: r279603 - in head: bin/rcp usr.bin/rlogin usr.bin/rsh
Message-ID: <20150305151732.GA48476@zxy.spb.ru>

On Thu, Mar 05, 2015 at 10:11:43AM -0500, Benjamin Kaduk wrote:

> On Thu, Mar 5, 2015 at 9:40 AM, Slawa Olhovchenkov wrote:
>
> > On Thu, Mar 05, 2015 at 02:20:59PM +0000, David Chisnall wrote:
> >
> > > Does telnet come with a massive selection of options for insecure login / authentication? Yes.
> >
> > This is my right to use or not to use secure or not secure login /
> > authentication.
> > Also, I use telnet login to check kerberos authentication (ssh
> > kerberos authentication (SSO) broken 10 years ago, nobody cares).
> >
>
> Other people are covering the rest of the issues, so I will cover just this
> one point.
>
> telnet with kerberos authentication was broken 15 years ago, by the EFF's
> Deep Crack and its successors. Kerberized telnet supports only DES, which
> has not been secure for a long time. The last I heard, $50 would buy you a
> DES key brute-force with a day turnaround.
>
> Speaking as an upstream maintainer: don't use kerberized telnet.

I use this to test the kerberos setup (to check that everything is set up correctly).

> I use kerberized ssh all the time; please tell me more about how it is
> broken (a new thread would be best).

Kerberized ssh is broken in SSO mode: you can't do an ssh login to a kerberized
host (from the outside world), input the kerberos password and use the kerberos
ticket. This is an issue between PAM and ssh thread emulation.