Linux Today: Linux News On Internet Time.

Security Portal: Why do vendors ship us junk they wouldn't use?

Jul 05, 2000, 06:57
(Other stories by Kurt Seifried)

"This is something I have been thinking about off and on for a while. Why do vendors ship software that they themselves won't use? Most Linux vendors ship the same general packages - Sendmail for SMTP mail services, WuFTPD for FTP, Telnet for remote access and so on. The kicker, though, is that most of these vendors use different software on their servers...."

"Telnet:
This one just makes me angry. Does anyone honestly think that vendors are using Telnet to access their servers and conduct remote administration? OpenSSH is extremely mature and rock solid on Linux - numerous packages are available and many free Windows clients, as well (several Java ones, too). Linux vendors should adopt the OpenBSD policy: OpenSSH is installed and enabled by default, Telnet is installed but not enabled by default."

"It would be a cinch for non-U.S. distributions to include OpenSSH, and U.S.-based distributions could find several easy ways around it (e.g., ftp.redhat.de has up-to-date OpenSSH RPMs for most major releases of Red Hat Linux). If OpenSSH is not available during initial install (the user does not have access to a network, for example) it should be easy to obtain post-install. The OpenSSL and OpenSSH binaries combined are only around 1.1 megabytes; even on a slow dialup link, this download would take no more than 10 minutes (and I do mean a slow dialup link)."

"Telnet is completely broken. It cannot be fixed. Even the use of one-time password schemes still leaves Telnet vulnerable to session hijacking."
