kerberos telnet/rlogin/etc. (was Re: OpenSSH HPN)
Benjamin Kaduk
kaduk at MIT.EDU
Wed Nov 11 23:33:26 UTC 2015

On Wed, 11 Nov 2015, Daniel Kalchev wrote:
>
> Perhaps similar level of security could be achieved by “the old tools”
> if they were by default compiled with Kerberos. Although, this still
> requires building additional infrastructure.

The kerberized versions of the old tools are basically unsupported
upstream at this point.  Telnet is actively insecure, being limited to
single-DES; rlogin may be somewhat better but it's still not looking very
good.  ssh is better because it speaks GSS-API instead of raw kerberos,
and can thus keep up with newer crypto automatically.

When I was working at MIT, I considered making a final release of the
krb5-appl distribution, so as to include in the release announcement that
they were not going to be supported further, but could not even bring
myself to do that.  They are not in Debian anymore, and I expect them to
dwindle from other distributions, too.

Let the "old tools" grow old and retire.

-Ben
    
    