Re: telnet vs ssh [WAS: Re: Dropping telnetd and rsh* for security reasons?]
On Thu, May 15, 2003 at 02:59:53PM +0200, David Fokkema wrote:
> Mail-Followup-To: firstname.lastname@example.org,
The @murphy.debian.org here is broken, probably caused by confusion
surrounding MTA address rewriting. Please either get your MTA to rewrite
Mail-Followup-To: as well if possible or else tell your mailer about
your full e-mail address.
> On Thu, May 15, 2003 at 08:31:27AM -0400, Andrew Perrin wrote:
> > Paul Johnson wrote:
> > > How does one request a package be removed? Seems like now is a very
> > > good time to drop telnetd from the distro altogether as a security
> > > hazard, along with rsh...
> > Please don't do this! I need telnetd for a specific application, for which
> > ssh is not practical. I know the risks and accept them. Put a dire warning
> > on the screen when installing if you must, but don't drop the opportunity
> > just to protect me from myself.
> What do you need telnetd for that sshd won't do (as easy as telnetd)?
> Forgive me my ignorance, but I can't think of anything but ssh as a
> drop-in replacement for telnet/rsh/rlogin. Please enlighten me.
telnetd and rshd are often useful in local-network environments which
contain old legacy-Unix or other systems for which it's difficult, too
time-consuming, or whatever to get a working ssh implementation.
(Sometimes you can't update said machines either because they're build
machines and you need to preserve binary compatibility.) Sure, you don't
want to use them on Internet-connected machines, but the whole world is
not (yet) internetworked.
By all means heavily discourage the use of telnetd and rshd so that
people don't use them unwittingly, but I think they should stay in the
Colin Watson [email@example.com]