[K12OSN] RSH vs SSH (was some other topic)
Stephen J Smoogen
smoogen at lanl.gov
Wed Aug 4 23:34:19 UTC 2004
Les Bell wrote:
> Les Mikesell <les at futuresource.com> wrote:
>
>
> I haven't given this a lot of thought, but off the top of my head
> I think in any scenario where I could exploit rsh, I could
> also steal the ssh keys from an nfs-exported /home directory.
> <<
>
> That's likely true - nfs is about as easy to exploit as rsh, especially
> with its use of UDP. However, you'd still have to crack the passwords on
> the ssh keys. And as nfs tightens up (e.g. 2.6 kernel introduces NFS V4,
> which can use TCP) that would leave rsh as the weak link.
>
Actually, NFSv3 can use TCP and has been available in the 2.2/2.4
kernels. Now, the TCP server-side aspects, I think, have only been in the
late 2.4 kernels, but I could be wrong.
> I'm just advocating a general principle here: use best practices as
> standard operating procedure, rather than using weaker protocols as
> standard and unwittingly leaving systems vulnerable. I don't think Shawn
> should make life impossibly difficult for himself, but I wouldn't use rsh
> until I'd exhausted the other possibilities.
>
> Best,
>
> --- Les Bell, RHCE, CISSP
> [http://www.lesbell.com.au]
--
Stephen John Smoogen smoogen at lanl.gov
Los Alamos National Lab CCN-5 Sched 5/40 PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S Los Alamos, NM 87545