* sean finney (email@example.com) [021205 06:43]:
> how well do you trust your users? is your cluster's network physically
> secured--that is, do users not have access to the machines and their
> network cables? for example, if i had access, i could unplug one of the
> nodes and plug in my laptop with a pre-configured ip/mac addr, and
> then i could go anywhere that the old machine could go via rhosts.
>
> of course if the entire cluster is locked in another room and on
> a completely private net, you might not be gaining that much security,
> and i'll bet performance is a bit faster without all that encryption.

You could also compile ssh with -cnone support, to gain back the lost
encryption overhead but keep the security of pubkey authentication.

With ssh you can also use host-based authentication via public keys
rather than just trusting IP addresses outright, which is as convenient
as .rhosts (no user keys to manage) but not so easy to spoof.

IMHO, rsh is dead. ssh's authentication options are light years ahead,
and the encryption overhead is small if you use blowfish, and nothing if
you compile with -cnone support.

good times,
Vineet
--
http://www.doorstop.net/
--
--Nick Moffitt
A: No.
Q: Should I include quotations after my reply?
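The host-based public-key authentication mentioned in the reply, sketched as OpenSSH configuration. This is an added example, not part of the original message; the host names (`node1.cluster.example`, `node2.cluster.example`) and the key placeholders are constructed.

```conf
# ---- On every node acting as a server: /etc/ssh/sshd_config ----
# Accept logins vouched for by the client machine's host key.
HostbasedAuthentication yes
# Ignore per-user ~/.rhosts and ~/.shosts, so only the
# system-wide trust list below decides which hosts are trusted.
IgnoreRhosts yes
# Look up client host keys only in the system-wide known-hosts file,
# not in each user's ~/.ssh/known_hosts.
IgnoreUserKnownHosts yes

# ---- On every server: /etc/ssh/shosts.equiv ----
# One trusted client host per line (constructed names).
node1.cluster.example
node2.cluster.example

# ---- On every server: /etc/ssh/ssh_known_hosts ----
# Public host key of each trusted client. The server checks the
# client's signature against this key, so a laptop that only copies
# a node's IP/MAC address fails: it lacks the node's private host key.
node1.cluster.example ssh-ed25519 <node1-host-public-key-placeholder>
node2.cluster.example ssh-ed25519 <node2-host-public-key-placeholder>

# ---- On every node acting as a client: /etc/ssh/ssh_config ----
# ssh-keysign signs the request with the local private host key.
# This option belongs in the global section, outside any Host block.
EnableSSHKeysign yes

Host *.cluster.example
    HostbasedAuthentication yes
```

The trust decision now rests on possession of a node's private host key, so those key files need the same protection as the nodes themselves.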