mirror of
https://git.openafs.org/openafs.git
synced 2025-01-18 23:10:58 +00:00
The inetd, rcp, rlogind and rsh directories contain AFS authentication (token)
passing support for their respective utilities. We are not removing these
utilities as some sites may still be using them, but we *strongly discourage*
their use. These utilities don't encrypt user traffic, and they also don't
encrypt the AFS tokens. This means an attacker who can sniff the network can
capture the traffic, recover a valid authentication token, and replay it to
perform authenticated operations as that user.

Consider forgoing the rcmds altogether and using ssh. You can get Dug Song's
ssh patch to support AFS here:

http://www.monkey.org/~dugsong/ssh-afs/

but you'll also need to install Kerberos 4 libraries (which isn't a bad idea
anyhow). The KTH implementation includes the AFS helper library libkafs, and
so is desirable:

ftp://ftp.pdc.kth.se/pub/krb/src/

As a side effect, the insecure but AFS-aware ftpd included in AFS can be
replaced by the ftpd included in the above-mentioned Kerberos package, as it
has the RFC 2228 security extensions (authenticated, integrity-protected and
optionally encrypted FTP sessions).

In any case, carefully consider the security implications before deploying
these utilities.
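As an added example (not OpenAFS code and not from this README's authors): a small POSIX sh audit that reads an inetd.conf and reports which of the discouraged cleartext services are still enabled, keyed on the inetd service names "shell" (rshd), "login" (rlogind), "exec" (rexecd) and "ftp" (the AFS ftpd). The two embedded inetd.conf fragments are constructed samples, one with the r-services enabled and one disabled as the README recommends; the daemon paths in them are assumptions, not OpenAFS install locations.

```shell
#!/bin/sh
# Added example, not part of OpenAFS: audit an inetd.conf for the cleartext
# services this README discourages (rshd, rlogind, rexecd, the AFS ftpd).
# Usage: sh audit_rcmds.sh [/etc/inetd.conf]

# Constructed sample inetd.conf with the r-services still enabled. Paths and
# daemon names are illustrative assumptions, not OpenAFS install locations.
WEAK_INETD_CONF='# constructed sample: r-services enabled
ftp     stream  tcp  nowait  root  /usr/afsws/etc/ftpd     ftpd
#telnet stream  tcp  nowait  root  /usr/sbin/in.telnetd    in.telnetd
shell   stream  tcp  nowait  root  /usr/afsws/etc/rshd     rshd
login   stream  tcp  nowait  root  /usr/afsws/etc/rlogind  rlogind
#exec   stream  tcp  nowait  root  /usr/sbin/in.rexecd     in.rexecd
'

# The same file after following the README: r-services and the AFS ftpd are
# commented out; ssh is run as a standalone daemon rather than from inetd.
HARDENED_INETD_CONF='# constructed sample: r-services disabled, use ssh instead
#ftp    stream  tcp  nowait  root  /usr/afsws/etc/ftpd     ftpd
#shell  stream  tcp  nowait  root  /usr/afsws/etc/rshd     rshd
#login  stream  tcp  nowait  root  /usr/afsws/etc/rlogind  rlogind
#exec   stream  tcp  nowait  root  /usr/sbin/in.rexecd     in.rexecd
'

# Read an inetd.conf on stdin and print, one per line in file order, the
# discouraged services that are still enabled (not commented out, not blank).
# Only the service-name field is inspected, so this also flags entries that
# point at a non-AFS rshd/rlogind, which pass passwords in the clear instead.
audit_inetd() {
    awk '
        /^[ \t]*#/ { next }     # commented-out entry
        NF == 0    { next }     # blank line
        $1 == "shell" || $1 == "login" || $1 == "exec" || $1 == "ftp" {
            print $1
        }'
}

# Succeed (exit 0) only when no discouraged service is enabled on stdin.
rcmds_disabled() {
    [ -z "$(audit_inetd)" ]
}

# Human-readable verdict for the inetd.conf on stdin; always returns 0 so it
# can be used in reports, while rcmds_disabled supplies the exit status.
report() {
    found=$(audit_inetd)
    if [ -z "$found" ]; then
        echo "  OK: no cleartext r-services or ftpd enabled"
    else
        echo "  WARNING: cleartext services still enabled:" $found
    fi
}

# Demonstration on the constructed samples, then on a real file if one is given.
echo "weak sample:";     printf '%s' "$WEAK_INETD_CONF"     | report
echo "hardened sample:"; printf '%s' "$HARDENED_INETD_CONF" | report
if [ -n "${1:-}" ] && [ -r "$1" ]; then
    echo "$1:"; report < "$1"
fi
```

Run it against the real file with `sh audit_rcmds.sh /etc/inetd.conf`, or use `rcmds_disabled < /etc/inetd.conf` in a compliance check. It only covers the classic single-file inetd.conf; xinetd keeps one file per service under /etc/xinetd.d, so check those separately. Note also that disabling the listeners does not invalidate tokens an attacker may already have captured while the r-services were in use; those stay usable until they expire.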