From owner-svn-src-all@FreeBSD.ORG  Thu Mar  5 15:11:46 2015
Return-Path: <owner-svn-src-all@FreeBSD.ORG>
Delivered-To: svn-src-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id A36B995C;
 Thu,  5 Mar 2015 15:11:46 +0000 (UTC)
Received: from mail-wi0-x22c.google.com (mail-wi0-x22c.google.com
 [IPv6:2a00:1450:400c:c05::22c])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 2D5EB3F3;
 Thu,  5 Mar 2015 15:11:46 +0000 (UTC)
Received: by widem10 with SMTP id em10so36873182wid.0;
 Thu, 05 Mar 2015 07:11:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:in-reply-to:references:date:message-id:subject:from:to
 :cc:content-type;
 bh=gVTTTFBL/f3iUo3jCm3xx9+8EbwTcJGg0l7sDb5yF2w=;
 b=FJ03lVWM5wd2NC5YzgnFCHl3o+zCOEueSWIWhm0SLkPpUGkJlW/uHRfbtU7qVQyIk7
 bX/RzMtoAeAWK57TWhEm6ZgcjYW0hv5/NeoIKkuNWI0gGwTEjccSnz8Uxfa4NFZHHwha
 Igw8UjBouywUBLJDi5Sw1gt9gw+DXglxReMDJrxj/HJV+iTmEKMgJ3A7MHhhuDczmkqS
 VxFgeAz8qILHhz89tIAIVEz10GjiCyeRr1qknkQM9XH0HqvFSnRTaeTfHkNkbRescKBz
 ATHMYpSffWShgHBf+B/oNDMroNeo0P6Rh2MBNtb2mp9C3caEXII1hpmaJhmj7PxZMEkg
 x4dg==
MIME-Version: 1.0
X-Received: by 10.194.234.40 with SMTP id ub8mr19919361wjc.100.1425568303648; 
 Thu, 05 Mar 2015 07:11:43 -0800 (PST)
Received: by 10.27.77.215 with HTTP; Thu, 5 Mar 2015 07:11:43 -0800 (PST)
In-Reply-To: <20150305144056.GY48476@zxy.spb.ru>
References: <20150305122103.GA90978@zxy.spb.ru>
 <20150305122359.GM17947@FreeBSD.org>
 <20150305123016.GO48476@zxy.spb.ru>
 <20150305123053.GN17947@FreeBSD.org>
 <20150305123349.GP48476@zxy.spb.ru>
 <20150305123548.GO17947@FreeBSD.org>
 <48981079-C9B7-411D-87A3-5A8F04924314@FreeBSD.org>
 <AEB33C6A-8824-4345-81E1-95280AB20CFA@FreeBSD.org>
 <20150305141334.GX48476@zxy.spb.ru>
 <63BD8258-D2C9-4C94-8A54-63AA104871D9@FreeBSD.org>
 <20150305144056.GY48476@zxy.spb.ru>
Date: Thu, 5 Mar 2015 10:11:43 -0500
Message-ID: <CAJ5_RoBk=5C2+Mktu_ODc7C+NraUhiSprtKd-=3bj+b5UPT_1g@mail.gmail.com>
Subject: Re: svn commit: r279603 - in head: bin/rcp usr.bin/rlogin usr.bin/rsh
From: Benjamin Kaduk <bjkfbsd@gmail.com>
To: Slawa Olhovchenkov <slw@zxy.spb.ru>
Content-Type: text/plain; charset=UTF-8
X-Content-Filtered-By: Mailman/MimeDel 2.1.18-1
Cc: "svn-src-head@freebsd.org" <svn-src-head@freebsd.org>,
 "svn-src-all@freebsd.org" <svn-src-all@freebsd.org>,
 "src-committers@freebsd.org" <src-committers@freebsd.org>
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
 user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all/>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Mar 2015 15:11:46 -0000

On Thu, Mar 5, 2015 at 9:40 AM, Slawa Olhovchenkov <slw@zxy.spb.ru> wrote:

> On Thu, Mar 05, 2015 at 02:20:59PM +0000, David Chisnall wrote:
>
> > Does telnet come with a massive selection of options for insecure login
> / authentication?  Yes.
>
> This is may right to use or not to use secure or not secure login /
> authentication.
> Also, I am use telnet login for check kerberos authentication (ssh
> kerberos authentication (SSO) broken 10 years ago. nobody care).
>

Other people are covering the rest of the issues, so I will cover just this
one point.

telnet with kerberos authentication was broken 15 years ago, by the EFF's
Deep Crack and its successors.  Kerberized telnet supports only DES, which
has not been secure for a long time.  The last I heard, $50 would buy you a
DES key brute-force with a day turnaround.

Speaking as an upstream maintainer: don't use kerberized telnet.

I use kerberized ssh all the time; please tell me more about how it is
broken (a new thread would be best).

-Ben Kaduk