From owner-cvs-all Sun Oct 8 22:14:16 2000
Delivered-To: cvs-all@freebsd.org
Received: from winston.osd.bsdi.com (winston.osd.bsdi.com [204.216.27.229]) by hub.freebsd.org (Postfix) with ESMTP id A6DE737B66C; Sun, 8 Oct 2000 22:14:10 -0700 (PDT)
Received: from winston.osd.bsdi.com (jkh@localhost [127.0.0.1]) by winston.osd.bsdi.com (8.11.0/8.9.3) with ESMTP id e995DVX00525; Sun, 8 Oct 2000 22:13:31 -0700 (PDT) (envelope-from jkh@winston.osd.bsdi.com)
To: Matt Dillon
Cc: Warner Losh, Jeroen Ruigrok van der Werven, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/etc inetd.conf
In-Reply-To: Message from Matt Dillon of "Sun, 08 Oct 2000 12:56:19 PDT." <200010081956.e98JuJB00920@earth.backplane.com>
Date: Sun, 08 Oct 2000 22:13:31 -0700
Message-ID: <521.971068411@winston.osd.bsdi.com>
From: Jordan Hubbard
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> We're kinda in a 'changing of the guard' situation in regards to
> telnet, rsh, rcp, rlogin, versus ssh.  And we have been for about a
> year.  The only thing holding the process up has been the patent issue
> and that is now gone.

I have to disagree on telnet, as much as I happen to also dislike telnet.
Picture the following scenario:  You're working at a data center setting
up a dozen boxes in a rack and they are not as of yet on any public
network, they're simply hooked to a hub/switch and can talk to one
another and the Windows laptop you have with you (since all the really
colorful network sniff/trace software works under Windows).  You'd like
to sit in the corner and use the laptop to log into each box to further
configure it, and let's further say that your laptop just got Windows
last week and is a pretty stock install.

In the sterner new world you're describing, a whole bunch of extra work
is now required to go find another network at that data center which
talks to the outside so that something like putty can be located,
downloaded and installed onto the Windows laptop so that it can talk to
these boxes by default at all.  Either that or you need to physically
get to each box and turn telnetd back on again before you can log in.
It seems like it's making things more complex than they need to be for
an out-of-box configuration.  If Windows and Macintosh boxes supported
ssh clients out of the box, perhaps I'd feel differently.

- Jordan

> 'finger' is also reaching the end of its life cycle, as more and more
> people move towards personal machines and away from university campus /
> ISP style shell boxes... and have web sites rather than logins.  Finger,
> at least, is so simple that it can be thought of as secure, and is also
> sandboxed (the last root hole for finger was discovered in the 80's :-)).
>
> Even if we don't disable these old services by default in 4.x, I think
> we should absolutely disable them when the 5.0 release comes around.  ssh
> is the only acceptable solution for a UNIX sysadmin in today's world.
>
> ntalkd is harder - still useful for sysops and users, but DOSable and
> complex enough to possibly be insecure.  But at least it's sandboxed in
> FreeBSD.
>
> I think we should also sandbox 'named' by default now too (in 5.x,
> possibly also in 4.x), rather than simply as an option.  It is only
> prudent considering the massive, massive rewriting and continuing work
> that has been occurring in the bind distribution.  And, also, I've had
> the rc.conf named sandboxing option in there for over a year now and
> I think people have become more knowledgeable in regards to it.  For 5.x,
> definitely.
>
> -
>
> Do any committers have any objections to me disabling ntalk, finger,
> telnet, rsh, and ftp by default in -current?  And sandboxing 'named' by
> default in -current?
>
> -Matt

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message
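The thread argues over which inetd services should ship enabled; an administrator inheriting a box from this era still has to find out which of them actually are. The script below is an added example and is not part of the thread or of the FreeBSD tree: it reads an inetd.conf-format file, lists the legacy cleartext services Matt proposes disabling (telnet, rsh/rlogin under their inetd names "shell" and "login", rexec, finger, ntalk, ftp) that still have an uncommented entry, and writes a hardened copy with those entries commented out. The sample inetd.conf it operates on is constructed here, modelled on the FreeBSD 4.x layout, and the service list and file paths are assumptions of the example.

```sh
#!/bin/sh
# Added example (not from the original thread): audit an inetd.conf for
# enabled legacy cleartext services and produce a hardened copy.

# Constructed sample inetd.conf; the paths are illustrative only.
SAMPLE_INETD_CONF="${TMPDIR:-/tmp}/inetd.conf.sample.$$"
cat > "$SAMPLE_INETD_CONF" <<'EOF'
# constructed sample, FreeBSD 4.x style
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
#ftp    stream  tcp6    nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
login   stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
finger  stream  tcp     nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
#ntalk  dgram   udp     wait    tty:tty /usr/libexec/ntalkd     ntalkd
ssh     stream  tcp     nowait  root    /usr/sbin/sshd          sshd -i
EOF

# Legacy services the thread proposes disabling by default. "shell" and
# "login" are the inetd names for rshd and rlogind; "exec" is rexecd.
LEGACY_SERVICES="telnet shell login exec finger ntalk ftp"

# Print, one per line and in file order, each legacy service that has at
# least one uncommented entry in the inetd.conf given as $1.
enabled_legacy_services() {
    awk -v legacy="$LEGACY_SERVICES" '
        BEGIN { n = split(legacy, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        {
            svc = $1; sub(/\/.*/, "", svc)        # strip "name/version" suffixes
            if ((svc in want) && !(svc in seen)) { seen[svc] = 1; print svc }
        }
    ' "$1"
}

# Same report as a single space-separated line (empty when nothing is enabled).
legacy_summary() {
    enabled_legacy_services "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Write a copy of $1 to $2 with every enabled legacy entry commented out.
# Other services (e.g. sshd) are passed through unchanged.
disable_legacy_services() {
    awk -v legacy="$LEGACY_SERVICES" '
        BEGIN { n = split(legacy, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        {
            svc = $1; sub(/\/.*/, "", svc)
            if (svc in want) print "#" $0; else print
        }
    ' "$1" > "$2"
}

# Demonstration on the constructed sample.
echo "enabled legacy services: $(legacy_summary "$SAMPLE_INETD_CONF")"
disable_legacy_services "$SAMPLE_INETD_CONF" "$SAMPLE_INETD_CONF.hardened"
echo "after hardening: '$(legacy_summary "$SAMPLE_INETD_CONF.hardened")'"
```

Run it against /etc/inetd.conf on a real host to get the list of cleartext services still reachable over the wire; the hardened copy is only a file, so inetd has to be told to reread its configuration (a HUP) before the change takes effect.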