
Re: cluster: rsh vs. ssh



* sean finney (seanius@seanius.net) [021205 06:43]:
> how well do you trust your users?  is your cluster's network physically
> secured--that is, do users not have access to the machines and their
> network cables?  for example, if i had access, i could unplug one of the
> nodes and plug in my laptop with a pre-configured ip/mac addr, and
> then i could go anywhere that the old machine could go via rhosts.
> 
> of course if the entire cluster is locked in another room and on
> a completely private net, you might not be gaining that much security,
> and i'll bet performance is a bit faster without all that encryption.

You could also compile ssh with -cnone support, to gain back the lost
encryption overhead but keep the security of pubkey authentication.
With ssh you can also use host-based authentication via public keys
rather than just trusting IP addresses outright, which is as convenient
as .rhosts (no user keys to manage) but not so easy to spoof.  IMHO, rsh
is dead.  ssh's authentication options are light years ahead, and the
encryption overhead is small if you use blowfish, and nothing if you
compile with -cnone support.

good times,
Vineet

-- 
http://www.doorstop.net/
-- 
						--Nick Moffitt
A: No.
Q: Should I include quotations after my reply?
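
The host-based setup mentioned in the reply above only beats .rhosts if each trusted node is pinned to a host key rather than to a name or address. The following Python check is an added example, not part of the original post or of OpenSSH; the function names, hostnames, file contents and placeholder key are constructed assumptions, and only the global section of sshd_config is read.

```python
# Added example: audit one node's SSH host-based trust. All file contents are constructed.
SSHD_CONFIG = """\
# constructed sshd_config
HostbasedAuthentication yes
IgnoreRhosts no
"""
SHOSTS_EQUIV = """\
# constructed /etc/ssh/shosts.equiv
node01.cluster.example
node02.cluster.example
"""
# Constructed /etc/ssh/ssh_known_hosts; the key material is a labelled placeholder.
KNOWN_HOSTS = "node01.cluster.example,10.0.0.1 ssh-ed25519 PLACEHOLDER_KEY\n"

def sshd_settings(text):
    """Global sshd_config keywords, lowercased; the first value seen wins, as in sshd."""
    settings = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        if parts[0].lower() == "match":
            break  # conditional blocks are out of scope for this check
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip().lower())
    return settings

def known_host_names(text):
    """Plain host names and addresses that have a key on file (hashed/marker lines skipped)."""
    names = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not fields[0].startswith(("#", "@", "|")):
            names.update(fields[0].split(","))
    return names

def audit(sshd_text, equiv_text, known_text):
    """Return findings where trust is wider than 'listed host with a pinned key'."""
    cfg, findings = sshd_settings(sshd_text), []
    if cfg.get("hostbasedauthentication", "no") != "yes":
        findings.append("HostbasedAuthentication is not enabled")
    if cfg.get("ignorerhosts", "yes") == "no":
        findings.append("IgnoreRhosts no: per-user .rhosts/.shosts can widen trust")
    if cfg.get("ignoreuserknownhosts", "no") != "yes":
        findings.append("IgnoreUserKnownHosts off: a user's known_hosts can vouch for a host key")
    keyed = known_host_names(known_text)
    for line in equiv_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0][0] not in "+-" and fields[0] not in keyed:
            findings.append(f"{fields[0]}: trusted in shosts.equiv but no key in ssh_known_hosts")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SSHD_CONFIG, SHOSTS_EQUIV, KNOWN_HOSTS)))
```
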
