[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default

On Thu, Apr 19, 2001 at 02:39:15AM +0200, Robert van der Meulen wrote:
> Hi,
> 
> Quoting Andrew Pimlott (andrew@pimlott.ne.mediaone.net):
> > On Wed, Apr 18, 2001 at 10:17:22PM +0200, Robert van der Meulen wrote:
> > > There is no such thing as DNS hostname based authentication.
> > ???  What do you call rsh?  It doesn't use only the DNS hostname for
> > authentication, of course, but DNS hostname is a critical part.
> I didn't know there were still people who think that the r-utilities use
> authentication ;)
> For this situation to need 'PARANOID' you would need to be on a badly
> configured network, where people (possibly you) access your machine trough
> the r-services. I think that is not just bad practice, but plain dumb.
> If you're on a small local network, you can 'solve' a lot trough /etc/hosts,
> in stead of compromising stuff by removing 'PARANOID' from /etc/hosts.deny -
> but hey, you can always _remove_ that setting.
> The question here is if we want to ship debian systems with or without the
> 'PARANOID' rule. If we want to enable people to have their systems accessed
> by r- utilities on networks with badly configured DNS systems, with
> sysadmins lacking the spirit to either fix their network or fix /etc/hosts,
> we should definately remove 'PARANOID' from /etc/hosts.deny.
> If we want to 'Do The Right Thing', enforce well-configured DNS systems, and
                                       ^^^^^^^^
> show people how it _should_ be done, we should keep it. (not mentioning
> audit trails, 'default security' and whatnot)
IMHO that exceeds our objetives and those of the debian developers. I think is not debian's objetive to enforce a well structurated internet, which is not. It's by far more important that our operating system doesn't act weirdly when it shouldn't. Not to mention givin unecesary headaches to netadmins. And denying network services, wich might be crucial. Let's think in usability first: I don't like my servers denying conexions to clients ( wich could keep my company from making money or giving service to customers ). Is that supposed exquisite-security-enhacement worth denying a lot of conexions, with the consequences that this might have?   
I strongly believe that the answer is NO. And so it should be removed, and left as an option for PARANOID netadmins, which want a false feel of dns based security.
-- 
Pedro Larroy Tovar. PiotR | http://omega.resa.es/piotr/
piotr@omega.resa.es
Reply to: