From owner-freebsd-security Fri Sep 22 13:19:41 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 5C0D537B423 for ; Fri, 22 Sep 2000 13:19:34 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id OAA10434; Fri, 22 Sep 2000 14:19:22 -0600 (MDT)
Message-Id: <4.3.2.7.2.20000922141517.00ddf570@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Fri, 22 Sep 2000 14:19:16 -0600
To: Lyndon Nerenberg
From: Brett Glass
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
Cc: security@FreeBSD.ORG
In-Reply-To: <200009221849.e8MInS116911@orthanc.ab.ca>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 12:49 PM 9/22/2000, Lyndon Nerenberg wrote:

>>>>>> "Brett" == Brett Glass writes:
>
> Brett> It should not be. It sends passwords in the clear. This is
> Brett> not acceptable on today's Internet.
>
>In certain situations. There is hardware (e.g. terminal servers, hubs) that
>speak only telnet for remote configuration, and will never support
>anything but telnet for remote configuration. Remote could mean it's three
>feet away but doesn't have a serial console. If these devices are accessed
>from secure LANs where packets can't be sniffed then telnet is a
>perfectly secure protocol in that context. In other cases, using
>telnet in its default mode is just silly from a security standpoint.

These are special cases, though! I think that you will agree that by default, on FreeBSD (as opposed to hubs, etc.), we should leave telnetd off. (The telnet application, on the other hand, might be run under certain circumstances.)

As for authentication: Kerberos, S/key, etc. are useful if one must use Telnet. But they're a lot harder to set up and use than SSH! (In the case of Kerberos, *much* harder.)

--Brett