[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default


Quoting Andrew Pimlott (andrew@pimlott.ne.mediaone.net):
> On Wed, Apr 18, 2001 at 10:17:22PM +0200, Robert van der Meulen wrote:
> > There is no such thing as DNS hostname based authentication.
> ???  What do you call rsh?  It doesn't use only the DNS hostname for
> authentication, of course, but DNS hostname is a critical part.
I didn't know there were still people who think that the r-utilities use
authentication ;)
For this situation to need 'PARANOID' you would need to be on a badly
configured network, where people (possibly you) access your machine trough
the r-services. I think that is not just bad practice, but plain dumb.
If you're on a small local network, you can 'solve' a lot trough /etc/hosts,
in stead of compromising stuff by removing 'PARANOID' from /etc/hosts.deny -
but hey, you can always _remove_ that setting.
The question here is if we want to ship debian systems with or without the
'PARANOID' rule. If we want to enable people to have their systems accessed
by r- utilities on networks with badly configured DNS systems, with
sysadmins lacking the spirit to either fix their network or fix /etc/hosts,
we should definately remove 'PARANOID' from /etc/hosts.deny.
If we want to 'Do The Right Thing', enforce well-configured DNS systems, and
show people how it _should_ be done, we should keep it. (not mentioning
audit trails, 'default security' and whatnot)

> > Can you give an example where you would want to allow access from an
> > inconsequently configured machine, that is run by someone who doesn't know
> > how to configure DNSs ?
> Anytime I use a machine on a misconfigured network and want to log
> on to my home PC.  This happens quite often: every time I use a
> computer at a client site, or a school lab, or a friend's house,
> there's a real chance that I'm on a misconfigured network.
'misconfigured network'.
If you want these broken hosts to access your machine, you can either 'fix'
/etc/hosts.deny, or add these hosts to /etc/hosts (even allows you to
specify wich badly-configured machines can access your system!)

			      Linux Generation
   encrypted mail preferred. finger rvdm@debian.org for my GnuPG/PGP key.
  Laat je in ieder geval nooit imponeren door een hard blaffende advocaat.

Reply to: