Contributed by Dengue on from the lived-life-with-joy dept.
"It seems that rlogind and rexecd have been removed from -current. Can other legacy, security-free protocols be far behind? The original announcement from source-changes@ can be found here, along with Theo's explanation." Hopefully other operating systems and software vendors will take note and cease having installation or runtime dependencies on r* programs.
By Anonymous Coward () on
Unfortunately, FTP is needed for OpenBSD installs, so it will be a while coming, unless scp or sftp becomes an option. How easy that would be would require a real programmer.
Take everything that passes passwords in the clear.
Show the way Theo, and the crowds will follow.
Comments
By Todd Fries () todd@openbsd.org on mailto:todd@openbsd.org
By Christian Gruber () cgruber@israfil.net on mailto:cgruber@israfil.net
But I don't think killing FTP is necessary, just never EVER enable clear-text passwords, and use it for public things.
By RC () on
THAT is what is needed to make SSH replace FTP and Telnet.
By Anonymous Cat () on
Comments
By vincent () vincen at igc ethz ch on mailto:vincen at igc ethz ch
via sftp, by the way.
cheers to logic,
v.
By pravus () on
perhaps the OpenBSD team might think of leaving the tools on the system but just put them in another directory with non-executable permissions? that way you have to manually enable them to use them. or, perhaps leave the tools in the source tree, but don't compile them by default?
i don't know what would be best, but i don't think leaving them out is it.
By Gunnar Wolf () gwolf@gwolf.cx on http://www.gwolf.cx
Comments
By Anonymous Coward () on
Or at least make it possible to add it using a package/port, so that people who want it can have it.
Or you could also make telnet display a huge security warning whenever you start it ;-)
By Adam Lazur () laz@clustermonkey.org on mailto:laz@clustermonkey.org
Surely telnet should be ditched.
If you need to debug network protocols, I suggest you check out nc(1). It has a superset of telnet's features in the sense that you'd want to use it.
The only advantage telnet has over nc is the interactive command prompt stuff. But you wouldn't need that if you're just using it for network debugging ;)
Comments
By Anonymous Coward () on
Sure, SSH is pretty standard these days, but there are still people out there running FTP servers, and I would like to be able to get to them still.
By Dalin Owen () dowen@pstis.com on mailto:dowen@pstis.com
By Anonymous Coward () on
By Anonymous Coward () on
needs r-tools). So bye-bye OpenBSD from some (very) big telco where I work - we use RedHat.
Comments
By Anonymous Coward () on
By Anonymous Coward () on
Instead of getting rid of r- utilities and software that uses them, they say "Bye bye OpenBSD and security". I don't care if your vendor/policy/agreement/hardware does not allow/support/whatever normal security practices - it's about time to do something about it!
If you can not do anything in your situation - quit your job and find a better place to work for. That's what I would do.
Comments
By Anonymous Coward () on
oh yeah, they won't use OpenBSD because the software package they've used for years won't run on it... so screw the 5 weeks vacation, the job security (ok.. for what it is in this market), and just quit and have no income for the next few months while you look for a new job...
hoping you find one.. because, of course, the job market is starting to rebound, but not a lot yet. Oh, and that mortgage?? Ahh, well, so it takes a little longer and they foreclose on your house.. a tent works just fine for the wife and 3 kids, right?
Besides which, I would presume your machines are behind a firewall and/or in a DMZ.
But, then again, I don't rush to spend lots of money and replace things that are working fine behind our firewall just because someone else tells me I should.
And, then again... I don't work at McDonalds, either.
Comments
By Anonymous Cowherd () on
>Besides which, I would presume your machines are behind a firewall and/or in a DMZ.
>But, then again, I don't rush to spend lots of money and replace things that are working fine behind our firewall just because someone else tells me I should.
"It's behind a firewall" is a lame excuse for not patching security problems. If an outsider can penetrate a machine, so can an insider. And from all the data I've seen, inside jobs are far more common.
And by the way, not to sound harsh, but I don't see "compatibility with commercial applications" anywhere on the OpenBSD project goals page. If all security concerns were sacrificed to backward compatibility, we'd end up with something like, well, Windows.
The "quit your job" thing is obviously a troll, however. Someone tell me when they find a corporation that *doesn't* institutionalize stupidity, and I'll be first in line at HR.
By Anonymous Coward () on
/Alex
PS: And the guy who told there is no Continuus for Linux: check the facts, idiot.
By Anonymous Coward () on
By Anonymous Coward () on
We use Telelogic CM Synergy (the new name of Continuus) and I haven't seen it run on anything but HP-UX, Solaris, and Windows. There doesn't exist a Linux port, at all (excepting the next version, which is supposed to be Java-based, and hence more platform-agnostic.)
Comments
By Simon Chappell () simon.chappell@landsend.com on mailto:simon.chappell@landsend.com
Talking to their principal engineers, Linux is a first tier platform for them. In fact they release the Linux version before the AIX version! :-)
I'll have to ask them about an OpenBSD version. That'd be neat.
Simon
By Emiliano () emile@iris-advies.nl on mailto:emile@iris-advies.nl
Comments
By Anonymous Coward () on
By Anonymous Coward () on
By Anonomous Coward () on
when I upgrade I feed them all a boot floppy and use RSH to pull down an image. This could be done with SSH but as Todd Fries has stated with SSH on a floppy there is not much room for anything else. I could burn a bunch of CDs but floppies are rewritable and faster to produce. Until SSH fits on a floppy with a kernel and other utils (ifconfig, restore, etc), keep rsh.
Comments
By Anonymous Coward () on
Of course, once you start the upgrade or install, if you have problems, it's back to a floppy or CD, if the disk gets messed up.
Oh and I'm looking at about 25 CDs of OpenBSD, which I purchase to support the project, and almost never use for installs.
I'm nearly always running snapshots, because they WORK and work better than the Energizer bunny. In fact I have a 2.8 system that has been up for 400+ days, that I'll soon upgrade the same way.
By Anonymous Coward () on
Bye. You stink.
Comments
By Anonymous Coward () on
By Ken Crandall () ken.crandall@mindspring.com on http://www.mindspring.com/~ken.crandall
I think what Theo and co. want to do is remove something from their plates that is inherently insecure and they've been having to patch since day 1.
If it's moved into ports, those who need it can use it and maintain it themselves.
By Grey - Digital Target () on
http://www.sigmasoft.com/~openbsd/archive/openbsd-tech/200205/msg00067.html
"Log message:
rlogind and rexecd go away"
The -daemons- are being removed, not the clients.
Maybe I'm mistaken, but I'm assuming that none of you gripers actually edit your OpenBSD installations to permit rlogind, et al to run as services on your OpenBSD machines.
The clients are still there to connect to decrepit old machines from OpenBSD. Hopefully none of you work in an environment where you need to connect -to- your OpenBSD machines via these protocols. Connecting -from- OpenBSD shouldn't be a problem.
If I'm wrong, and you're actually concerned about the disappearance of a couple of cleartext daemons let me know.
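An added example, not part of the original comment or of OpenBSD itself: one way to check whether any of the cleartext daemons discussed in this thread are actually enabled in an inetd.conf. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Report inetd services that are enabled (not commented out) and that carry
# logins or sessions in cleartext: rlogind (login), rexecd (exec),
# rshd (shell), telnetd (telnet) and ftpd (ftp).
# Usage: audit_inetd /etc/inetd.conf
audit_inetd() {
    awk '
        /^[ \t]*#/ || NF < 6 { next }      # skip comments and short lines
        {
            svc = $1
            sub(/^.*:/, "", svc)           # drop an optional "address:" prefix
            if (svc ~ /^(login|exec|shell|telnet|ftp)$/)
                printf "%s/%s -> %s\n", svc, $3, $6
        }
    ' "$1"
}

# Constructed sample input in inetd.conf layout:
# service  socket-type  protocol  wait/nowait  user  server-program  arguments
sample_inetd_conf() {
    cat <<'EOF'
#ident          stream  tcp     nowait  _identd /usr/libexec/identd     identd -el
login           stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
#exec           stream  tcp     nowait  root    /usr/libexec/rexecd     rexecd
shell           stream  tcp6    nowait  root    /usr/libexec/rshd       rshd -L
127.0.0.1:telnet stream tcp     nowait  root    /usr/libexec/telnetd    telnetd -k
daytime         stream  tcp     nowait  root    internal
EOF
}

# When given a file argument, audit it directly.
if [ $# -gt 0 ]; then
    audit_inetd "$1"
fi
```

An empty result means none of the listed services is enabled through inetd; it says nothing about daemons started by other means.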
Comments
By Grey - Digital Target () on
"No, the clients are gone too I'm afraid.
- todd"
By mra () on
Now that HP bought Compaq this functionality will probably show up in HP-UX, and since that OS is OpenSSH based it therefore will be easily ported to other platforms.
By Anon-telco admin () verizon on mailto:verizon
Comments
By grey () on
The rest of the gear - Tekelec STP's, Summa4 [now cisco] switches (for trunk handling, not the layer2 things), Inet Protocol analysers (this one ran DOS - woohoo), etc. all needed to be accessed via console - they had no IP stacks that I ever encountered and thus no remote IP-based management tools.
So at least from that perspective - there's quite a lot of telco hardware that doesn't use telnet - or anything else TCP/IP related. ;)
The pieces that do, are of quite a bit of concern however - as are notions of tunnelling SS7 traffic over TCP/IP [they are doing this sort of thing already in some areas]. That could be a future bad scenario.
By Anonymous Coward () on
By Anonymous Coward () on
Comments
By Anonymous Coward () on
It's been said several times - clients go as well. Well, rsh stays for a while, but rlogin is gone.
By RC () on
What does that mean on this topic?
Telnet over IPSec will be more secure than SSH over TCP/IP. So, why get rid of the utilities that communicate in clear-text? Over IPSec, those same utilities are secure as well.
Seems like an unreasonable move at this point.
Comments
By Bogomips () bogomips@nirvanet.net on mailto:bogomips@nirvanet.net
Bogomips
By x () krisna@core.group.bsd.freak.com on y
Comments
By Anonymous Hero () on
BUT how useful is an OS without any utilities?
I would rather that the problems were fixed instead of just removing the utilities.
OK, clean text password over the net is NOT OK.
But over IPSec they are secure as well.
Sure remove the servers, but NOT the clients.
If telnet goes how am I supposed to telnet into my cisco router and configure it - NO SSH support.
It is not a big deal to make a secure OS. Just remove everything except what is needed to boot the machine. But how useful is that?
What the heck the security record is the most important. Even if every user first installs some utilities that they need and it turns out that there is a security vulnerability. It IS NOT IN THE DEFAULT INSTALL so we are happy and OpenBSD is still the most secure OS.
Security matters but usefulness does not. We simply don't care we only care about security.
>Where is The Great OpenBSD Code Auditing Team?.
They turned in to The Great OpenBSD Remove Team.
Yea, security on the behalf of usefulness!
Way to go, NOT!
Comments
By Anonymous Coward () on
Is that going to happen in the next OpenBSD release?
Comments
By Anonymous Coward () on
the OS. You will find.
network running
portmap running
sshd running
inetd running
---
Yes it is.
By Anonymous Coward () on
Comments
By Anonymous Coward () on