Date:      Tue, 10 Oct 2000 11:54:09 -0400 (EDT)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Kris Kennaway <kris@citusc.usc.edu>
Cc:        Terry Lambert <tlambert@primenet.com>, arch@FreeBSD.org, Poul-Henning Kamp <phk@critter.freebsd.dk>, Matt Dillon <dillon@earth.backplane.com>, Warner Losh <imp@village.org>, Jeroen Ruigrok van der Werven <jruigrok@via-net-works.nl>
Subject:   Re: cvs commit: src/etc inetd.conf
Message-ID:  <Pine.NEB.3.96L.1001010095155.90573M-100000@fledge.watson.org>
In-Reply-To: <20001009202540.A2128@citusc17.usc.edu>


On Mon, 9 Oct 2000, Kris Kennaway wrote:

> On Tue, Oct 10, 2000 at 02:11:11AM +0000, Terry Lambert wrote:
> > > > >    Do any committers have any objections to me disabling ntalk, finger,
> > > > >    telnet, rsh, and ftp by default in -current?  And sandboxing 'named' by
> > > > >    default in -current?
> > 
> > Won't this make it difficult to bootstrap a headless 1U box?
> 
> The point, which many people in this discussion somehow keep missing,
> is that when you do a default installation of recent versions of
> FreeBSD, the machine reboots with ssh enabled and working.

As I pointed out earlier, there needs to be a way for the administrator to
securely retrieve the SSH key so that they can log in securely.  Otherwise
the whole point of using SSH is lost.  If they just blindly accept the key
without some sort of confirmation, it might as well be telnet.  For a
console-based install, this is fine if we print out the key fingerprint
after the first reboot (although ideally we'd generate it during
sysinstall and formally present it to the administrator).  For a headless
install, there is currently no way to get the key in a secure manner. 

If the answer is, ``Well, it's a local network segment, you should be
fine,'' that applies equally well to telnet, which, as I also mentioned
before, has been standardized a lot longer, has much more
interoperability, is more stable, etc.

  Robert N M Watson 

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
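
Added example, not part of the original message or of FreeBSD: a sketch of the check the message asks for, comparing the host key offered on first connect against a fingerprint the administrator obtained over a trusted channel such as the console. The function names and the sample keys are hypothetical and constructed, and the SHA256 fingerprint format of current OpenSSH is assumed.

```python
import base64
import hashlib
import hmac
import struct


def parse_pubkey(line):
    """Split an OpenSSH public key line into (key_type, raw_blob)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob repeats the key type as a length-prefixed string; a mismatch
    # means the line was edited or corrupted.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type label does not match key blob")
    return key_type, blob


def fingerprint(line):
    """SHA256 fingerprint in the form OpenSSH prints: 'SHA256:<unpadded base64>'."""
    _, blob = parse_pubkey(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def key_matches(presented_line, trusted_fp):
    """True only if the key offered on first connect matches the fingerprint
    the administrator obtained over a trusted channel (e.g. the console)."""
    return hmac.compare_digest(fingerprint(presented_line).encode(),
                               trusted_fp.strip().encode())


def sample_key(seed):
    """Constructed stand-in for a host key line; not a real key."""
    pub = hashlib.sha256(seed).digest()  # 32 bytes in place of an Ed25519 key
    blob = (struct.pack(">I", 11) + b"ssh-ed25519" +
            struct.pack(">I", 32) + pub)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " root@newbox"


HOST_KEY = sample_key(b"generated at install")     # key on the new machine
OTHER_KEY = sample_key(b"someone in the middle")   # key from another party

if __name__ == "__main__":
    console_fp = fingerprint(HOST_KEY)             # what the installer would print
    print(console_fp)
    print(key_matches(HOST_KEY, console_fp))
    print(key_matches(OTHER_KEY, console_fp))
```

Without a trusted copy of the fingerprint there is nothing to pass as `trusted_fp`, which is the headless-install gap the message describes.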



