Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default

To: debian-devel@lists.debian.org
Subject: Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
From: Robert van der Meulen <rvdm@cistron.nl>
Date: Thu, 19 Apr 2001 02:39:15 +0200
Message-id: <[🔎] 20010419023915.A16420@lin-gen.com>
In-reply-to: <[🔎] 20010418163728.C13362@pimlott.ne.mediaone.net>; from andrew@pimlott.ne.mediaone.net on Wed, Apr 18, 2001 at 04:37:28PM -0400
References: <[🔎] 20010418171100.B8620@omega.resa.es> <[🔎] 20010418172549.A17770@lin-gen.com> <[🔎] 20010418152310.A13362@pimlott.ne.mediaone.net> <[🔎] 20010418221722.A23225@lin-gen.com> <[🔎] 20010418163728.C13362@pimlott.ne.mediaone.net>

Hi,

Quoting Andrew Pimlott (andrew@pimlott.ne.mediaone.net):
> On Wed, Apr 18, 2001 at 10:17:22PM +0200, Robert van der Meulen wrote:
> > There is no such thing as DNS hostname based authentication.
> ???  What do you call rsh?  It doesn't use only the DNS hostname for
> authentication, of course, but DNS hostname is a critical part.
I didn't know there were still people who think that the r-utilities use
authentication ;)
For this situation to need 'PARANOID' you would need to be on a badly
configured network, where people (possibly you) access your machine trough
the r-services. I think that is not just bad practice, but plain dumb.
If you're on a small local network, you can 'solve' a lot trough /etc/hosts,
in stead of compromising stuff by removing 'PARANOID' from /etc/hosts.deny -
but hey, you can always _remove_ that setting.
The question here is if we want to ship debian systems with or without the
'PARANOID' rule. If we want to enable people to have their systems accessed
by r- utilities on networks with badly configured DNS systems, with
sysadmins lacking the spirit to either fix their network or fix /etc/hosts,
we should definately remove 'PARANOID' from /etc/hosts.deny.
If we want to 'Do The Right Thing', enforce well-configured DNS systems, and
show people how it _should_ be done, we should keep it. (not mentioning
audit trails, 'default security' and whatnot)

> > Can you give an example where you would want to allow access from an
> > inconsequently configured machine, that is run by someone who doesn't know
> > how to configure DNSs ?
> Anytime I use a machine on a misconfigured network and want to log
> on to my home PC.  This happens quite often: every time I use a
> computer at a client site, or a school lab, or a friend's house,
> there's a real chance that I'm on a misconfigured network.
'misconfigured network'.
If you want these broken hosts to access your machine, you can either 'fix'
/etc/hosts.deny, or add these hosts to /etc/hosts (even allows you to
specify wich badly-configured machines can access your system!)

Greets,
	Robert
-- 
			      Linux Generation
   encrypted mail preferred. finger rvdm@debian.org for my GnuPG/PGP key.
  Laat je in ieder geval nooit imponeren door een hard blaffende advocaat.

Reply to:

Follow-Ups:
- Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
  - From: PiotR <piotr@omega.resa.es>

References:
- ALL: PARANOID from /etc/hosts.deny Should be Commented by default
  - From: PiotR <piotr@omega.resa.es>
- Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
  - From: Robert van der Meulen <rvdm@cistron.nl>
- Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
  - From: andrew@pimlott.ne.mediaone.net (Andrew Pimlott)
- Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
  - From: Robert van der Meulen <rvdm@cistron.nl>
- Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
  - From: andrew@pimlott.ne.mediaone.net (Andrew Pimlott)

Prev by Date: Re: character sets
Next by Date: Re: character sets
Previous by thread: Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
Next by thread: Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
Index(es):
- Date
- Thread