mirror of
https://git.openafs.org/openafs.git
synced 2025-01-18 15:00:12 +00:00
26 lines
1.2 KiB
Plaintext
26 lines
1.2 KiB
Plaintext
The inetd, rcp, rlogind and rsh directories contain AFS authentication (token)
|
|
passing support for their respective utilities. We are not removing these
|
|
utilities as some sites may still be using them, but we *strongly discourage*
|
|
their use. These utilities don't encrypt user traffic, and they also don't
|
|
encrypt the AFS tokens. This means an attacker can capture the data and recover
|
|
a valid authentication token, and use it to perform authenticated operations.
|
|
|
|
Consider foregoing the rcmds altogether and using ssh. You can get Dug Song's
|
|
ssh patch to support AFS here:
|
|
http://www.monkey.org/~dugsong/ssh-afs/
|
|
but you'll also need to install Kerberos 4 for libraries (which isn't a bad
|
|
idea anyhow). The KTH implementation includes the AFS helper library libkafs,
|
|
and so is desirable:
|
|
ftp://ftp.pdc.kth.se/pub/krb/src/
|
|
|
|
As a side effect, the insecure, but AFS aware ftpd included in AFS can be
|
|
replaced by the ftpd included in the above-mentioned Kerberos package, as it
|
|
has RFC2228 security extensions.
|
|
|
|
In any case, carefully consider the security implications before deploying
|
|
these utilities.
|
|
|
|
To enable building of the insecure code included with OpenAFS, run
|
|
configure with the --enable-insecure switch.
|
|
|