On Sun, Mar 27, 2005 at 11:24:01AM +0200, Michael Green wrote:
> On Sun, 27 Mar 2005 10:58:31 +0200, Shachar Shemesh
> <[EMAIL PROTECTED]> wrote:
>
> > First, let me state what should, by now, be obvious to anyone. Using
> > rshost is a security hole.
>
> Shachar, you make very valid points here. Thank you.
> In fact I realize very well (I hope I do) all the risks involved in
> using rsh/rlogin/telnet mechanism.
> However our users insist on using rsh instead of ssh for various
> reasons (conservatism being one of them).
> And I'm not in the position to
> fight their weak security practices. I'm here to help them with
> whatever they need and if they need rsh to be more productive (one of
> their arguments) - so be it.

What exactly are the advantages of rsh over ssh? Besides the obvious
ones:

* slightly lower cpu usage
* (slightly?) lower bandwidth usage for file transfers
* The client's code is smaller, in case you're very stressed with disk
  space

Besides those points, I can hardly find anything rsh can do and ssh
can't.

And yes: ssh supports ~/.rhosts, if you'll force it. In fact, when I
was looking for reference on ~/.rhosts file a couple of years ago on a
redhat workstation, I only found it documented in ssh's docs.

rcp's behaviour is horrible. Even worse than scp. And generally the
r-programs lack verbosity in case of trouble.

So do them a favour and make them use ssh. It is really for their own
good. Replace rsh with a symlink to ssh if you have to ;-)

> > The second, more likely, is that the ident service is not running.
>
> it does, because I'm able to rsh into the machine from those hosts
> listed in hosts.equiv. It is my understanding that if identd/xinetd
> were not up I wouldn't be able to rsh from anywhere, right?

Right.

netstat -lntp | grep 51

-- 
Tzafrir Cohen         | New signature for new address and  |  VIM is
http://tzafrir.org.il | new homepage                       |  a Mutt's
[EMAIL PROTECTED]     |                                    |  best
ICQ# 16849755         | Space reserved for other protocols |  friend
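
Added example, not part of the original message: the `netstat -lntp | grep 51` check above also matches unrelated ports and PIDs that merely contain "51", so this sketch matches the port field exactly for the r-service ports (512 exec, 513 login, 514 shell) and the ident port (113). The function names and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): report listening r-service
# ports from `netstat -lntp` output. A plain `grep 51` also matches ports
# such as 5151 or a PID like 5123, so compare the port field exactly.

# Constructed sample of `netstat -lntp` output, used for the offline demo.
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN      640/xinetd
tcp        0      0 0.0.0.0:513             0.0.0.0:*               LISTEN      640/xinetd
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      640/xinetd
tcp        0      0 127.0.0.1:5151          0.0.0.0:*               LISTEN      5123/appd
tcp6       0      0 :::512                  :::*                    LISTEN      640/xinetd
EOF
}

# Read netstat -lntp output on stdin; print "port service address owner"
# for each TCP listener on 512 (exec), 513 (login), 514 (shell) or 113 (ident).
r_listeners() {
  awk '
    BEGIN { svc[512]="exec"; svc[513]="login"; svc[514]="shell"; svc[113]="ident" }
    $1 ~ /^tcp/ && $6 == "LISTEN" {
      n = split($4, parts, ":")      # port is the last colon-separated field
      port = parts[n]
      if (port in svc) print port, svc[port], $4, $7
    }'
}

# Demo on the constructed sample; on a live host: netstat -lntp | r_listeners
sample_netstat | r_listeners
```

An empty result on a host that is supposed to have moved to ssh confirms that xinetd is no longer offering the r-services.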