Date:      Fri, 22 Sep 2000 13:30:30 +0000
From:      Craig Cowen <craig@allmaui.com>
To:        "security@FreeBSD.ORG" <security@FreeBSD.ORG>
Subject:   Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so  special about freeBSD?)
Message-ID:  <39CB5EF6.61A6F958@allmaui.com>
References:  <200009221849.e8MInS116911@orthanc.ab.ca>

Lyndon Nerenberg wrote:

> >>>>> "Brett" == Brett Glass <brett@lariat.org> writes:
>
>     Brett> It should not be. It sends passwords in the clear. This is
>     Brett> not acceptable on today's Internet.
>
> In certain situations. There is hardware (e.g. terminal servers, hubs) that
> speak only telnet for remote configuration, and will never support
> anything but telnet for remote configuration. Remote could mean it's three
> feet away but doesn't have a serial console. If these devices are accessed
> from secure LANs where packets can't be sniffed then telnet is a
> perfectly secure protocol in that context. In other cases, using
> telnet in its default mode is just silly from a security standpoint.
>
> And you most certainly have options for securing telnet:
>
> RFC1411: Telnet Authentication: Kerberos Version 4
>
> RFC1416: Telnet Authentication Option
>
>          * defines authentication methods for Kerberos IV and 5, and
>            an RSA-based mechanism, among others
>
> RFC2289: A One-Time Password System
>
>          * Completely usable over telnet
>
> Also, I believe Chris Newman is working on a SASL authentication
> option for telnet.
>
> Note that FreeBSD supports Kerberized telnet if you've built with
> MAKE_KERBEROS4=yes (which also builds Kerberized rsh/rlogin).
>
> The correct solution is to make sure we support current authentication
> technologies where appropriate (ftp[d] lacks here as well), and provide
> knobs to disable/enable the individual authentication mechanisms, and
> ship with the insecure ones disabled. Simply throwing out a perfectly
> useful tool is absurd.
>
> --lyndon
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

IMHO getting rid of telnet is more of a pain than the procedures for securing
a box.