Sebastian Feld <sebastian.n.f...@gmail.com> writes:

> On Sat, Jan 25, 2014 at 7:13 PM, Moritz Mühlenhoff <j...@inutil.org> wrote:

>> I agree with the removal. http://www.debian.org/security/2011/dsa-2375
>> was already a sufficiently unpleasant Christmas present (the exploit was
>> posted on 24th December).

> I agree with the removal. Debian should really make itself obsolete by
> removing any option to do fast and secure enterprise login. ssh is the
> way to go for all, since all deserve slow and messy login performance.

> Now seriously... think about it: Is it *wise* to remove these utilities?

Sebastian, people who are Kerberos experts and people who are security experts, including in some cases upstream developers of this code, are telling you that they're obsolete and in some cases (such as telnet) absolutely not secure.

They're the only applications I know of that use TCP urgent data as part of the protocol for weird out-of-band signaling, rsh opens a back-channel port from the server back to the client to serve standard error, which causes huge firewall headaches, the protocols for Kerberos rsh and rlogin are basically undocumented, and the last time I personally tried, the Heimdal and MIT versions of the utilities didn't even interoperate.

Furthermore, as an enterprise authentication administrator for a heavily Kerberos-based site (Stanford University, in particular), I'm telling you that not only does GSS-API ssh work fine for us, it works much better than Kerberos rsh or Kerberos rlogin for our entire user population and all of our use cases. It has far better cross-platform support, it's far more reliable, it has better security support, and it's more widely understood by the average user who hasn't been at a Kerberos institution since the days when Kerberos rsh and rlogin were widespread.

It may well be that you have specific local requirements that change this picture for you (in which case I strongly suggest getting in touch with one or the other of the upstreams and seeing if you can find enough like-minded people to pick up and maintain the software).

But I'm heavily involved with both MIT and Heimdal upstreams, and I can tell you that neither of them speaks very enthusiastically about that software or thinks that it's the best general-purpose option these days. There have been discussions about the MIT Kerberos version of these utilities for years, including open calls for people to pick up maintenance of them and questions about whether they should be dropped.

I had actually volunteered for a time to try to look at upstream support, since I didn't think we wanted to switch to ssh, but then I took a closer look at the issues involved and realized that I was wrong and that ssh was a much better approach. Now, about five years later, I can repeat with hindsight that I was completely correct in that decision: ssh was a much better approach.

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>

Archive: http://lists.debian.org/87fvo93tc8....@windlord.stanford.edu
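The back-channel Russ describes is easiest to see by running both ends of the classic BSD rcmd/rsh handshake on one machine. The following is an added example written for this page, not code from the thread, from Debian, or from the MIT or Heimdal utilities; it models the plain unauthenticated rsh protocol as documented in rshd(8) and rcmd(3), not the Kerberos variants, and it uses unprivileged loopback ports instead of the reserved ports (514 on the server, 512 to 1023 on both sides) that real rsh requires. Function names, the user names and the "command" are illustrative only.

```python
"""Toy rcmd/rsh handshake: client -> server request, then the server
opens a *second* TCP connection back to the client for standard error.
Added illustration for this thread; not the real rsh/rshd implementation."""

import socket
import threading


def build_rcmd_request(stderr_port, local_user, remote_user, command):
    """Encode the client's opening message: four NUL-terminated fields.
    A stderr_port of 0 means 'do not open a separate stderr channel'."""
    for field in (local_user, remote_user, command):
        if "\0" in field:
            raise ValueError("NUL is not allowed in rcmd fields")
    return f"{stderr_port}\0{local_user}\0{remote_user}\0{command}\0".encode()


def parse_rcmd_request(data):
    """Decode the opening message into (stderr_port, local_user, remote_user, command)."""
    fields = data.split(b"\0")
    if len(fields) != 5 or fields[-1] != b"":
        raise ValueError("malformed rcmd request")
    port = int(fields[0].decode())
    if not 0 <= port <= 65535:
        raise ValueError("bad stderr port")
    return port, fields[1].decode(), fields[2].decode(), fields[3].decode()


def recv_rcmd_request(sock):
    """Read one byte at a time until all four NUL terminators have arrived."""
    buf = b""
    while buf.count(b"\0") < 4:
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("client closed before sending a full request")
        buf += chunk
    return buf


def read_all(sock):
    chunks = []
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return b"".join(chunks)
        chunks.append(chunk)


def rshd(listener, log):
    """Minimal rshd: accept one request, connect back for stderr, 'run' the command."""
    conn, (client_host, _) = listener.accept()
    with conn:
        stderr_port, local_user, remote_user, command = parse_rcmd_request(recv_rcmd_request(conn))
        log.append(f"server: {local_user}@{client_host} asks to run {command!r} as {remote_user}")
        err = None
        if stderr_port:
            # The firewall headache: the *server* initiates a new inbound TCP
            # connection to a port the *client* chose, before anything else happens.
            err = socket.create_connection((client_host, stderr_port))
            log.append(f"server: opened stderr back-channel to {client_host}:{stderr_port}")
        conn.sendall(b"\0")  # a single NUL means 'accepted'; anything else is an error message
        conn.sendall(f"(simulated stdout of {command!r})\n".encode())  # constructed, no command is executed
        if err:
            with err:
                err.sendall(f"(simulated stderr of {command!r})\n".encode())


def rsh_client(server_addr, command, log):
    """Minimal rsh client: listen for the back-channel, then send the request."""
    err_listener = socket.socket()
    err_listener.bind(("127.0.0.1", 0))  # real rsh binds a reserved port here via rresvport(3)
    err_listener.listen(1)
    stderr_port = err_listener.getsockname()[1]
    with socket.create_connection(server_addr) as conn:
        conn.sendall(build_rcmd_request(stderr_port, "alice", "alice", command))
        err_conn, peer = err_listener.accept()
        log.append(f"client: accepted stderr back-channel from {peer[0]}:{peer[1]}")
        status = conn.recv(1)
        if status != b"\0":
            raise RuntimeError("rshd refused: " + (status + read_all(conn)).decode(errors="replace"))
        out = read_all(conn).decode()
        with err_conn:
            errtxt = read_all(err_conn).decode()
    err_listener.close()
    return out, errtxt


def run_exchange(command="uname -a"):
    """Run server and client on loopback; returns (stdout, stderr, connection log)."""
    log = []
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    server = threading.Thread(target=rshd, args=(listener, log))
    server.start()
    out, err, = rsh_client(listener.getsockname(), command, log)
    server.join()
    listener.close()
    return out, err, log


if __name__ == "__main__":
    out, err, log = run_exchange()
    print("\n".join(log))
    print("stdout:", out, end="")
    print("stderr:", err, end="")
```

The log shows two connections in opposite directions: the client's request to the server, and the server's unsolicited connection back to an arbitrary client port for standard error. A stateful firewall or NAT in front of the client has to admit that second connection, which is the headache the message refers to; ssh carries stdout, stderr and exit status as channels inside the single client-initiated connection, so nothing of the kind is needed.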