[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: telnet vs ssh [WAS: Re: Dropping telnetd and rsh* for security reasons?]

I employ a small army of undergraduate research assistants, all of whom
are fundamentally nontechnical. Their job involves coding texts (usually
letters to the editor, sometimes other texts) along thematic lines. They
do so by telnetting into a stripped-down debian box that only runs a perl
script that does the coding. The perl script, in turn, selects from and
updates a PostgreSQL database on another host (which does not run
telnetd).

The crux of the matter is that these assistants telnet in from arbitrary
places to do their work. It would be a significant pain to teach them how
to set up PuTTY or Secure CRT on every machine they might use. I'm
comfortable with the (rather minimal) security risk posed by letting them
telnet into this isolated box.

The principle, too, seems important: the reason for dropping telnetd would
be to protect users from themselves. Why should debian be in that
practice? Warn us, sure, but don't take away options just because you
think they're bad for us.

ap

----------------------------------------------------------------------
Andrew J Perrin - http://www.unc.edu/~aperrin
Assistant Professor of Sociology, U of North Carolina, Chapel Hill
clists@perrin.socsci.unc.edu * andrew_perrin (at) unc.edu


On Thu, 15 May 2003, David Fokkema wrote:

> On Thu, May 15, 2003 at 08:31:27AM -0400, Andrew Perrin wrote:
> > > How does one request a package be removed?  Seems like now is a very
> > > good time to drop telnetd from the distro altogether as a security
> > > hazard, along with rsh...
> > >
> >
> > Please don't do this! I need telnetd for a specific application, for which
> > ssh is not practical. I know the risks and accept them. Put a dire warning
> > on the screen when installing if you must, but don't drop the opportunity
> > just to protect me from myself.
>
> What do you need telnetd for that sshd won't do (as easy as telnetd)?
> Forgive me my ignorance, but I can't think of anything but ssh as a
> drop-in replacement for telnet/rsh/rlogin. Please enlighten me.
>
> David
>
>
> --
> To UNSUBSCRIBE, email to debian-user-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
>
Reply to: