From: Craig Cowen
Date: Fri, 22 Sep 2000 13:30:30 +0000
To: security@FreeBSD.ORG
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)

Lyndon Nerenberg wrote:

> >>>>> "Brett" == Brett Glass writes:
>
>     Brett> It should not be. It sends passwords in the clear. This is
>     Brett> not acceptable on today's Internet.
>
> In certain situations. There is hardware (e.g. terminal servers, hubs) that
> speak only telnet for remote configuration, and will never support
> anything but telnet for remote configuration. Remote could mean it's three
> feet away but doesn't have a serial console. If these devices are accessed
> from secure LANs where packets can't be sniffed then telnet is a
> perfectly secure protocol in that context. In other cases, using
> telnet in its default mode is just silly from a security standpoint.
>
> And you most certainly have options for securing telnet:
>
> RFC1411: Telnet Authentication: Kerberos Version 4
>
> RFC1416: Telnet Authentication Option
>     * defines authentication methods for Kerberos IV and 5, and
>       an RSA based mechanism, among others
>
> RFC2289: A One-Time Password System
>     * Completely usable over telnet
>
> Also, I believe Chris Newman is working on a SASL authentication
> option for telnet.
>
> Note that FreeBSD supports Kerberized telnet if you've built with
> MAKE_KERBEROS4=yes (which also builds Kerberized rsh/rlogin).
>
> The correct solution is to make sure we support current authentication
> technologies where appropriate (ftp[d] lacks here as well), and provide
> knobs to disable/enable the individual authentication mechanisms, and
> ship with the insecure ones disabled. Simply throwing out a perfectly
> useful tool is absurd.
>
> --lyndon

IMHO getting rid of telnet is more of a pain than the procedures for securing a box.
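The one-time password system Lyndon cites (RFC 2289) is what makes a cleartext telnet login survivable: a password captured off the wire is useless a second time. As an added illustration that is not part of this thread or of FreeBSD's own code, the following Python implements the MD5 variant of RFC 2289 (hash, then fold 16 bytes to 8 by XOR) with the client-side generator and the server-side check, and shows a replayed OTP being rejected. The names OtpServer, otp_generate and demo, and the passphrase and seed values, are constructed for this example.

```python
import hashlib
import hmac


def otp_hash(value: bytes) -> bytes:
    # One RFC 2289 step for the MD5 variant: MD5, then fold the 16-byte
    # digest to 8 bytes by XORing the first half with the second half.
    d = hashlib.md5(value).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:16]))


def otp_generate(passphrase: str, seed: str, sequence: int) -> bytes:
    # Client side. The seed is case-insensitive per RFC 2289, so it is
    # lowercased before concatenation with the secret pass phrase; the
    # result is then hashed `sequence` more times.
    state = otp_hash((seed.lower() + passphrase).encode("ascii"))
    for _ in range(sequence):
        state = otp_hash(state)
    return state


class OtpServer:
    # Server side (constructed name). It stores only the last accepted OTP
    # and its sequence number, never the pass phrase, so a stolen copy of
    # this state cannot be turned into the next password.
    def __init__(self, seed: str, sequence: int, last_otp: bytes):
        self.seed, self.sequence, self.last_otp = seed, sequence, last_otp

    def challenge(self) -> str:
        # Sent in the clear; it tells the client which OTP to compute.
        return f"otp-md5 {self.sequence - 1} {self.seed}"

    def verify(self, candidate: bytes) -> bool:
        if self.sequence <= 0:
            return False  # sequence exhausted, user must re-initialise
        # The candidate must be the pre-image of the stored value.
        if not hmac.compare_digest(otp_hash(candidate), self.last_otp):
            return False
        self.last_otp, self.sequence = candidate, self.sequence - 1
        return True


def demo() -> dict:
    # Constructed values: a user registers OTP #99, then logs in twice,
    # with a sniffer replaying the first password in between.
    passphrase, seed = "correct horse battery", "bsdbox1"
    server = OtpServer(seed, 99, otp_generate(passphrase, seed, 99))
    first = otp_generate(passphrase, seed, 98)
    return {
        "first_login": server.verify(first),
        "replay_of_sniffed": server.verify(first),  # same OTP again
        "next_login": server.verify(otp_generate(passphrase, seed, 97)),
    }
```

The sniffer sees the challenge and the OTP for sequence 98, but recovering the OTP for sequence 97 from it would require inverting the hash.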