platforms that support rsh

Ed Ravin eravin at panix.com
Fri Jun 10 15:58:13 UTC 2005


On Fri, Jun 10, 2005 at 12:39:32AM +0000, john heasley wrote:
> Thu, Jun 09, 2005 at 12:31:56AM +0200, Andre van der Merwe:

> > Would it also be worth asking if Kerberized rsh, rlogin and telnet are 
> > available on these devices? As it is, rsh is the least secure way to 
> > pull important data from your devices/allow access to them.

Every Kerberized rsh implementation I've seen only uses encryption
for authentication - the traffic is still in the clear.  Kerberized
telnet can also work this way if you don't turn on data encryption.
And some Kerberized telnet clients, even when you tell them to use
encryption, may silently switch you to cleartext if the encryption
negotiations fail.  So be careful out there - if you think you're
encrypting something over the net, verify it with tcpdump or the like.

> it's been quite some time since I've used kerberos, but iirc...how would
> rancid get its ticket (or how would you manually issue one and hand it off;
> it writes a file in ~, right?) and how would the ticket get renewed?

I suppose you could automate that with a separate batch job - hardcode the
Kerberos password somewhere and call kinit every N hours to renew the
ticket.  And there may be some other features of Kerberos that you could
use for this (I vaguely recall something about "service principals").

	-- Ed
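
The verification step mentioned in the message above, as an added example that is not part of the original post: it walks one direction of a telnet byte stream reassembled from a packet capture and reports whether the ENCRYPT option (RFC 2946) actually started or was refused, plus any user data that went out in the clear. The function name `audit_direction` and the sample byte strings are hypothetical and constructed for illustration.

```python
# Added example: Telnet option codes from RFC 854 / RFC 2946.
IAC, SB, SE = 255, 250, 240
WILL, WONT, DO, DONT = 251, 252, 253, 254
ENCRYPT, ENC_START = 38, 3   # ENCRYPT option and its START suboption

def audit_direction(stream: bytes):
    """Audit one direction of a reassembled telnet byte stream.
    Returns (state, cleartext): state is 'started', 'refused', 'offered'
    or 'absent'; cleartext is the user data sent before encryption began.
    """
    state, clear, i, n = "absent", bytearray(), 0, len(stream)
    while i < n:
        if stream[i] != IAC:                 # ordinary data byte
            clear.append(stream[i])
            i += 1
            continue
        if i + 1 >= n:                       # truncated capture
            break
        cmd = stream[i + 1]
        if cmd == IAC:                       # IAC IAC = literal 0xFF
            clear.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            if i + 2 >= n:
                break
            if stream[i + 2] == ENCRYPT:
                if cmd in (WONT, DONT):
                    state = "refused"
                elif state == "absent":
                    state = "offered"
            i += 3
        elif cmd == SB:                      # subnegotiation up to IAC SE
            end = stream.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break
            if stream[i + 2:i + 4] == bytes([ENCRYPT, ENC_START]):
                return "started", bytes(clear)   # rest is ciphertext
            i = end + 2
        else:                                # other two-byte command
            i += 2
    return state, bytes(clear)

# Constructed samples (not real captures).
SAMPLE_REFUSED = bytes([IAC, WILL, ENCRYPT, IAC, WONT, ENCRYPT]) + b"show running-config\r\n"
SAMPLE_STARTED = bytes([IAC, WILL, ENCRYPT, IAC, SB, ENCRYPT, ENC_START, 0, IAC, SE]) + b"\x8f\x13\xa2\x07"

if __name__ == "__main__":
    for name, s in (("refused", SAMPLE_REFUSED), ("started", SAMPLE_STARTED)):
        print(name, audit_direction(s))
```

A result of `refused`, `offered` or `absent` with non-empty cleartext is the silent-fallback case: the session continued without encryption in that direction.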


