Re: telnet vs ssh [WAS: Re: Dropping telnetd and rsh* for security reasons?]

To: debian-user@lists.debian.org
Cc: dfokkema@ileos.nl
Subject: Re: telnet vs ssh [WAS: Re: Dropping telnetd and rsh* for security reasons?]
From: Colin Watson <cjwatson@debian.org>
Date: Thu, 15 May 2003 14:46:14 +0100
Message-id: <[🔎] 20030515134614.GA17692@riva.ucam.org>
Mail-followup-to: debian-user@lists.debian.org, dfokkema@ileos.nl
In-reply-to: <[🔎] 20030515125953.GA19689@nebula.ileos.home>
References: <[🔎] BAY7-F112lZGdOZofu400015c2a@hotmail.com> <[🔎] 0446F316-86C2-11D7-B355-0030657BB07A@clivemenzies.co.uk> <[🔎] 20030515121243.0c856274.nico.meijer@zonnet.nl> <[🔎] 20030515111539.GI10412@ursine.dyndns.org> <[🔎] Pine.LNX.4.53.0305150830120.9732@perrin.socsci.unc.edu> <[🔎] 20030515125953.GA19689@nebula.ileos.home>

On Thu, May 15, 2003 at 02:59:53PM +0200, David Fokkema wrote:
> Mail-Followup-To: dfokkema@murphy.debian.org,
>         debian-user@lists.debian.org

The @murphy.debian.org here is broken, probably caused by confusion
surrounding MTA address rewriting. Please either get your MTA to rewrite
Mail-Followup-To: as well if possible or else tell your mailer about
your full e-mail address.

> On Thu, May 15, 2003 at 08:31:27AM -0400, Andrew Perrin wrote:
> > Paul Johnson wrote:
> > > How does one request a package be removed?  Seems like now is a very
> > > good time to drop telnetd from the distro altogether as a security
> > > hazard, along with rsh...
> > 
> > Please don't do this! I need telnetd for a specific application, for which
> > ssh is not practical. I know the risks and accept them. Put a dire warning
> > on the screen when installing if you must, but don't drop the opportunity
> > just to protect me from myself.
> 
> What do you need telnetd for that sshd won't do (as easy as telnetd)?
> Forgive me my ignorance, but I can't think of anything but ssh as a
> drop-in replacement for telnet/rsh/rlogin. Please enlighten me.

telnetd and rshd are often useful in local-network environments which
contain old legacy-Unix or other systems for which it's difficult, too
time-consuming, or whatever to get a working ssh implementation.
(Sometimes you can't update said machines either because they're build
machines and you need to preserve binary compatibility.) Sure, you don't
want to use them on Internet-connected machines, but the whole world is
not (yet) internetworked.

By all means heavily discourage the use of telnetd and rshd so that
people don't use them unwittingly, but I think they should stay in the
distribution.

Cheers,

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]

Reply to:

References:
- Software...!!!
  - From: "Sherwin Kamperveen" <s_kamperveen@hotmail.com>
- Re: Software...!!!
  - From: Clive Menzies <clive@clivemenzies.co.uk>
- Re: Software...!!!
  - From: Nico Meijer <nico.meijer@zonnet.nl>
- Dropping telnetd and rsh* for security reasons?
  - From: Paul Johnson <baloo@ursine.dyndns.org>
- Re: Dropping telnetd and rsh* for security reasons?
  - From: Andrew Perrin <clists@perrin.socsci.unc.edu>
- telnet vs ssh [WAS: Re: Dropping telnetd and rsh* for security reasons?]
  - From: David Fokkema <dfokkema@ileos.nl>

Prev by Date: Re: Where did flashplayer-mozilla go?
Next by Date: Re: Fingerprinting motherboards
Previous by thread: Re: telnet vs ssh [WAS: Re: Dropping telnetd and rsh* for security reasons?]
Next by thread: Re: Dropping telnetd and rsh* for security reasons?
Index(es):
- Date
- Thread