Date: Thu, 24 Aug 2000 15:44:08 -0500
From: "Gooderum, Mark" <mark@JUMPWEB.COM>
To: freebsd-stable@FreeBSD.ORG
Subject: RE: nuking "unsafe" protocols (was Re: Upcoming rc.conf changes not loading certain currently loaded daemons)
Message-ID: <251BF6012D6B4A49A4109B1C3289A7B5BB78@purgatory.jumpweb.com>

> >Does it avoid using rcmd/rsh?
>
> Yes; it uses its own protocol. (It can use .rhosts for
> "authentication", but current versions default to using a
> separate file, .amandahosts for that. It also uses its own UDP & TCP ports.)

But amanda works by "trusting" the source IP/Port of the connection the same way rsh/rcmd do via .rhosts/hosts.equiv. So it's no more or less secure...

Fundamentally in the normal out of box Unix you either are or aren't working in a trusted environment. For most of us I think you are. If you're on a wire that controls the machines and trust the users then things like rxxx are okay. If your box is on the internet or the campus CS lab wire, you're generally not. Anyway, by default, .rhosts and hosts.equiv are empty and therefore having rshd enabled isn't any risk beyond cleartext passwords on the wire (which also can't be sniffed w/o root if you have a "trusted" wire). FreeBSD (and almost _every_ other OS and Unix in fairness) out of the box isn't in shape to hang out bare on the Internet and just disabling telnet and rsh doesn't make it so. Also, most ISPs and companies _still_ don't have things like SSL support for POP or IMAP, so ending telnet and rsh cleartext PW's on the wire does little to really secure things since most of us use the same password everywhere. Not saying it's the right security answer, but user reality is just that.

Interoperability is critical and although ssh has found its way into FreeBSD 4.1 as standard, it certainly isn't standard on Windows or most other Unixen and other OSes. Unless somebody wants to bite the bullet (and I for one am _not_ interested in trying) and write a "lockdown_freebsd" script that enables ipfw or ipfilter with some reasonable defaults, turns off various insecure services (including NFS...more implicit trust and/or cleartext PW's via pcnfsd) then just blindly disabling rsh/telnet does little to really improve the security of the box and does a lot to increase the confusion of the user and increase the amount of manual configuration the _average_ user needs to make the box function in the _average_ environment.

--
Mark Gooderum
mark@jumpweb.com
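Added example (not part of the original message or of FreeBSD): the message says .rhosts and hosts.equiv ship empty and that rsh and amanda both rest on source-address trust files, so this script reports any active entries in those files and any cleartext services left enabled in inetd.conf. The function names, the /home/<user> layout and the sample tree are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit address-based trust files and cleartext inetd services.
# Assumed layout: ROOT/etc, ROOT/root, ROOT/home/<user>.

# Print each active (non-blank, non-comment) entry of one trust file.
# A "+" field is a wildcard that matches any host or any user.
trust_entries() {
    [ -r "$1" ] || return 0
    awk -v f="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { tag = ($1 == "+" || $2 == "+") ? "WILDCARD" : "entry"
          printf "%s: %s: %s\n", f, tag, $0 }' "$1"
}

# Audit hosts.equiv plus per-user .rhosts and .amandahosts under ROOT.
audit_trust() {
    root=$1
    trust_entries "$root/etc/hosts.equiv"
    for f in "$root"/root/.rhosts "$root"/home/*/.rhosts \
             "$root"/home/*/.amandahosts; do
        trust_entries "$f"
    done
    return 0
}

# List cleartext services that are enabled (uncommented) in inetd.conf.
audit_inetd() {
    [ -r "$1" ] || return 0
    awk '$1 ~ /^(telnet|shell|login|exec)$/ { print "enabled: " $1 }' "$1"
}

# Constructed sample tree, not taken from the message.
demo=$(mktemp -d)
mkdir -p "$demo/etc" "$demo/home/amanda" "$demo/home/alice"
echo '# shipped empty' > "$demo/etc/hosts.equiv"
echo 'backup.example.org amanda' > "$demo/home/amanda/.amandahosts"
echo '+ +' > "$demo/home/alice/.rhosts"
cat > "$demo/etc/inetd.conf" <<'EOF'
#exec   stream tcp nowait root /usr/libexec/rexecd  rexecd
telnet  stream tcp nowait root /usr/libexec/telnetd telnetd
shell   stream tcp nowait root /usr/libexec/rshd    rshd
EOF

audit_trust "$demo"
audit_inetd "$demo/etc/inetd.conf"
```

On a real host, call audit_trust with / as ROOT and audit_inetd with /etc/inetd.conf; empty output means no trust entries and none of the four services enabled.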
