
Re: Proposal: remove krb5-appl (rlogin, rsh, telnet, ftp with krb5 support)



Sebastian Feld <sebastian.n.feld@gmail.com> writes:
> On Sat, Jan 25, 2014 at 7:13 PM, Moritz Mühlenhoff <jmm@inutil.org> wrote:

>> I agree with the removal. http://www.debian.org/security/2011/dsa-2375
>> was already a sufficiently unpleasant Christmas present (exploit was
>> posted on 24th December)

> I agree with the removal. Debian should really make itself obsolete by
> removing any option to do fast and secure enterprise login. ssh is the
> way to go for all, since all deserve slow and messy login performance.

> Now seriously... think about it: Is it *wise* to remove these utilities?

Sebastian, people who are Kerberos experts and people who are security
experts, including in some cases upstream developers of this code, are
telling you that they're obsolete and in some cases (such as telnet)
absolutely not secure.  They're the only applications I know of that use
TCP urgent data as part of the protocol for weird out-of-band signaling,
rsh opens a back-channel port from the server back to the client to serve
standard error which causes huge firewall headaches, the protocols for
Kerberos rsh and rlogin are basically undocumented, and last time I
personally tried, the Heimdal and MIT versions of the utilities didn't
even interoperate.

Furthermore, as an enterprise authentication administrator for a heavily
Kerberos-based site (Stanford University, in particular), I'm telling you
that not only does GSS-API ssh work fine for us, it works much better than
Kerberos rsh or Kerberos rlogin for our entire user population and all of
our use cases.  It has far better cross-platform support, it's far more
reliable, it has better security support, and it's more widely understood
by the average user who hasn't been at a Kerberos institution since the
days when Kerberos rsh and rlogin were widespread.

It may well be that you have specific local requirements that change this
picture for you (in which case I strongly suggest getting in touch with
one or the other of the upstreams and seeing if you can find enough
like-minded people to pick up and maintain the software).  But I'm heavily
involved with both MIT and Heimdal upstreams, and I can tell you that
neither of them speaks very enthusiastically about that software or thinks
that it's the best general-purpose option these days.

There have been discussions about the MIT Kerberos version of these
utilities for years, including open calls for people to pick up
maintenance of them and questions about whether they should be dropped.  I
had actually volunteered for a time to try to look at upstream support,
since I didn't think we wanted to switch to ssh, but then I took a closer
look at the issues involved and realized that I was wrong and that ssh was
a much better approach.  Now, about five years later, I can repeat with
hindsight that I was completely correct in that decision: ssh was a much
better approach.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
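The back-channel Russ describes above is easy to see on the wire. The following is an added example, not code from this thread or from the MIT/Heimdal utilities: it models the classic BSD rcmd/rsh stream layout documented in rcmd(3) and rshd(8), where the client sends an ASCII port number and the server then opens a second TCP connection back to the client for standard error. It does not model the Kerberos variant's extra authentication exchange. Assumptions made for the demo: ephemeral rather than privileged source ports, no user authentication, and a canned command table instead of executing anything.

```python
import socket
import threading

# Constructed demo (not code from the mailing-list thread): a minimal model of
# the classic BSD rcmd/rsh stream layout described in rcmd(3)/rshd(8).
# The client sends four NUL-terminated fields: an ASCII port number for a
# secondary stderr stream, local user, remote user, command.  If the port is
# non-empty, the *server* opens a TCP connection back to that port on the
# client before replying.  That reverse connection is the "back-channel" that
# firewalls and NAT choke on.
# Simplifications (assumptions): ephemeral instead of privileged source
# ports, no authentication, and a canned command table instead of exec().

COMMANDS = {
    "uptime": (b"up 3 days\n", b""),
    "ls /nope": (b"", b"ls: cannot access '/nope'\n"),
}


def read_nul_field(conn):
    """Read bytes up to the next NUL, as rshd does for each header field."""
    buf = bytearray()
    while True:
        b = conn.recv(1)
        if not b:
            raise ConnectionError("peer closed mid-field")
        if b == b"\0":
            return bytes(buf).decode()
        buf += b


def recv_all(conn):
    """Read until the peer closes the stream."""
    chunks = []
    while True:
        data = conn.recv(4096)
        if not data:
            return b"".join(chunks)
        chunks.append(data)


def rshd_handle(conn):
    """Server side: parse the header, connect back for stderr, run command."""
    stderr_port = read_nul_field(conn)
    _local_user = read_nul_field(conn)
    _remote_user = read_nul_field(conn)
    command = read_nul_field(conn)
    err_sock = None
    if stderr_port:
        client_ip = conn.getpeername()[0]
        # Server-initiated connection to the client: the back-channel.
        err_sock = socket.create_connection((client_ip, int(stderr_port)), timeout=5)
    conn.sendall(b"\0")  # success byte; rshd sends 0x01 + message on failure
    out, err = COMMANDS.get(command, (b"", b"command not found\n"))
    conn.sendall(out)
    if err_sock is not None:
        err_sock.sendall(err)
        err_sock.close()
    conn.close()


def rsh_client(server_addr, command):
    """Client side: listen for the stderr back-channel, then send the header."""
    err_listen = socket.socket()
    err_listen.bind(("127.0.0.1", 0))  # inbound port a firewall must permit
    err_listen.listen(1)
    err_listen.settimeout(5)
    err_port = err_listen.getsockname()[1]

    conn = socket.create_connection(server_addr, timeout=5)
    for field in (str(err_port), "alice", "alice", command):
        conn.sendall(field.encode() + b"\0")

    err_conn, err_peer = err_listen.accept()  # the server dials *us*
    err_conn.settimeout(5)
    status_ok = conn.recv(1) == b"\0"
    result = {
        "status_ok": status_ok,
        "stdout": recv_all(conn),
        "stderr": recv_all(err_conn),
        "stderr_listen_port": err_port,
        "stderr_peer": err_peer,  # (server_ip, server_source_port)
    }
    conn.close()
    err_conn.close()
    err_listen.close()
    return result


def run_demo(command):
    """Run one rsh exchange over loopback and return what the client saw."""
    listen = socket.socket()
    listen.bind(("127.0.0.1", 0))
    listen.listen(1)
    listen.settimeout(5)

    def serve():
        conn, _ = listen.accept()
        rshd_handle(conn)

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    result = rsh_client(listen.getsockname(), command)
    t.join(5)
    listen.close()
    return result


if __name__ == "__main__":
    r = run_demo("ls /nope")
    print("stderr arrived on a connection the server opened to us:", r["stderr_peer"])
```

The point to notice is `err_listen.accept()` on the client: a plain rsh client must accept an inbound TCP connection on a port it chose at runtime, which is exactly what a stateful firewall or NAT in front of the client will drop. ssh multiplexes stdout and stderr over the single client-initiated connection, so the problem does not arise.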

