Re: Offering external services, rlogins, smtp etc: how does it work?

On Fri, Jul 07, 2000 at 09:02:39AM +0930, Mark Phillips wrote:
> Andrew Sullivan [sullivana@bpl.on.ca] wrote:
> > Use ssh, or telnet, if you must (although that's just as risky).
> I've heard it said that rlogin has security problems, but I don't
> understand why?  And surely if there are problems, these would be
> fixable?  Isn't Debian supposed to be extra security fix aware?

It has to do with the way the r* services were designed.  The idea was to
allow seamless use between trusted hosts and for trusted users.  But the
trust system is almost trivially easy to compromise, and so rlogin is just a
huge hole.  There isn't a way to make it secure: it's unsecured by design.

> Now you say to use ssh or telnet, but then say this is just as risky!
> Why not use rlogin if it is no more risky than the alternatives?

Sorry, that's why I quoted myself above.  I was ambiguous in what I said.
Allowing telnet is just (well, almost) as risky as allowing rlogin.  Use
ssh.  It's much safer, and if you set it up very carefully, is extremely
difficult to compromise.  (Never say "impossible".)
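The trust system the reply describes is the .rhosts / hosts.equiv check that rlogind and rshd perform. What follows is an added example, written for this page and not code from the original mailing-list post or from Debian: a stand-alone simulation of that check, so that the design problem is visible in code. It shows that the decision consumes only two values, the remote user name the client sends in cleartext (RFC 1282) and a host name the server derives from the peer address by reverse DNS, and that no password, key or other secret enters the decision at any point. The sample .rhosts file, the host and user names, the FAKE_REVERSE_DNS table standing in for gethostbyaddr(), and the simplified ruserok(3)-style matching are all assumptions constructed for illustration.

```python
"""
Added example (not from the original post or from Debian): a simulation of
the .rhosts / hosts.equiv trust decision made by the BSD r* services.
All names and the sample file are constructed for illustration.
"""

# Constructed sample .rhosts for a local account called 'mark'.
SAMPLE_RHOSTS = """\
# host            [remote user]   -- one entry per line
trusted.example.org
build.example.org  deploy
+ +
"""

# Constructed stand-in for reverse DNS: what the server's gethostbyaddr()
# would return for a peer address.  Whoever controls the PTR records for
# the client's address range controls this value.
FAKE_REVERSE_DNS = {
    "192.0.2.10": "trusted.example.org",
    "198.51.100.7": "attacker.example.net",
}


def parse_rhosts(text):
    """Parse .rhosts/hosts.equiv text into a list of (host, user) tuples.

    Format: 'host' or 'host user'; '+' is a wildcard for either field;
    '#' starts a comment; blank lines are ignored.  A leading '-' on the
    host (hosts.equiv style) marks a deny entry.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        entries.append((host, user))
    return entries


def rhosts_allows(entries, client_host, client_user, local_user):
    """Return True if the entries trust client_user@client_host as local_user.

    Simplified ruserok(3) semantics: a bare 'host' entry trusts a remote
    user with the *same* name as the local account; 'host user' trusts
    that specific remote user; '+' matches anything; first match wins.
    Nothing here involves a password, a key, or any proof that
    client_host and client_user are genuine.
    """
    for host, user in entries:
        deny = host.startswith("-")
        if deny:
            host = host[1:]
        host_ok = host == "+" or host.lower() == client_host.lower()
        if user is None:
            user_ok = client_user == local_user
        else:
            user_ok = user == "+" or user == client_user
        if host_ok and user_ok:
            return not deny
    return False


def simulate_rlogin(peer_addr, client_user, local_user, rhosts_text,
                    reverse_dns=FAKE_REVERSE_DNS):
    """Decide an rlogin request the way the r* design does.

    Both inputs the decision hinges on arrive from the network:
    - client_user is sent by the client in cleartext and simply believed;
    - client_host is whatever reverse DNS says about the peer address.
    """
    client_host = reverse_dns.get(peer_addr, peer_addr)
    return rhosts_allows(parse_rhosts(rhosts_text), client_host,
                         client_user, local_user)


def audit_rhosts(text):
    """Return (line_no, entry) for entries that trust every host or user."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if fields and (fields[0] == "+" or (len(fields) > 1 and fields[1] == "+")):
            findings.append((n, raw.strip()))
    return findings


if __name__ == "__main__":
    # The '+ +' line trusts anyone as 'mark', from anywhere.
    print(simulate_rlogin("198.51.100.7", "anyone", "mark", SAMPLE_RHOSTS))
    # Even without it, the check only compares a claimed user name with a
    # reverse-DNS name: a peer whose address maps to a trusted name and
    # who sends the user name 'mark' is accepted with no credential.
    tightened = SAMPLE_RHOSTS.replace("+ +\n", "")
    print(simulate_rlogin("192.0.2.10", "mark", "mark", tightened))
    print(simulate_rlogin("198.51.100.7", "mark", "mark", tightened))
    for n, entry in audit_rhosts(SAMPLE_RHOSTS):
        print(f"line {n}: wildcard entry {entry!r}")
```

The audit function is the practical takeaway: a `+` in either field of .rhosts or /etc/hosts.equiv hands the account to the whole network, but removing wildcards only narrows the problem, because the remaining comparison is still between two unauthenticated strings. That is the sense in which the reply calls the design unsecurable rather than merely buggy.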


