This is the mail archive of the cygwin-apps mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [ITA] rsh-0.17-3

From: Takashi Yano <takashi dot yano at nifty dot ne dot jp>
To: cygwin-apps at cygwin dot com
Date: Thu, 19 Jul 2018 20:31:50 +0900
Subject: Re: [ITA] rsh-0.17-3
Dkim-filter: OpenDKIM Filter v2.10.3 conssluserg-04.nifty.com w6JBVbwE017293
References: <20180716045535.af47b237719e6c55cd55a9f3@nifty.ne.jp> <87lgabshnb.fsf@Rainer.invalid> <20180716174907.6de89a81b55e404dc62a4e18@nifty.ne.jp> <87h8kzsgbv.fsf@Rainer.invalid> <20180716091644.GB7249@calimero.vinschen.de> <20180716093257.GC7249@calimero.vinschen.de> <b433e196-271a-f61b-01ae-826cfbdacf80@gmail.com> <20180717010613.0cc8eb0fd4b34b197bab74d9@nifty.ne.jp> <20180717082443.GA6137@calimero.vinschen.de>

On Tue, 17 Jul 2018 10:24:43 +0200
Corinna Vinschen wrote:
> On Jul 17 01:06, Takashi Yano wrote:
> > Should not it leaves on users to decide whether to install or not?
> > I think that it is better for users to have a choice.
> 
> I agree.

Thank you for your support.

Since security concerns have been expressed from many people, I would
like to add the following note to the package DESCRIPTION and README:

                           *** CAUTION ***
For security reasons, the use of r-commands is completely discouraged.
Instead, you should seriously consider use of the ssh related tools.
This package is mainly for compatibility.


even though README already says:

---- from here -----
Note that these clients are security nightmares, dating from a time when
the internet was a more innocent place. Not only do rlogin, rsh, and rcp
transmit your username and password unencrypted, but rexec uses .netrc-
style authentication, where your username and password are stored,
unencrypted, in a file in your home directory on every client machine,
and transmits it unencrypted to the server.

It is NOT recommended that you install or use ANY of these utilities
unless you have a VERY good reason.  All of the r* clients may be
replaced by the cryptographically secure ssh client from the cygwin
'openssh' package.

So why is this package present?  Because as insecure and flawed as they
are, the r* tools, servers, and protocols are still in wide use, and
their conspicuous absence from the cygwin distribution would be viewed
as a flaw, not a feature.
----- to here -----

-- 
Takashi Yano <takashi.yano@nifty.ne.jp>

References:
- [ITA] rsh-0.17-3
  - From: Takashi Yano
- Re: [ITA] rsh-0.17-3
  - From: Achim Gratz
- Re: [ITA] rsh-0.17-3
  - From: Takashi Yano
- Re: [ITA] rsh-0.17-3
  - From: Achim Gratz
- Re: [ITA] rsh-0.17-3
  - From: Corinna Vinschen
- Re: [ITA] rsh-0.17-3
  - From: Corinna Vinschen
- Re: [ITA] rsh-0.17-3
  - From: cyg Simple
- Re: [ITA] rsh-0.17-3
  - From: Takashi Yano
- Re: [ITA] rsh-0.17-3
  - From: Corinna Vinschen

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]