[ITA] rsh-0.17-3

Takashi Yano takashi.yano@nifty.ne.jp
Thu Jul 19 11:32:00 GMT 2018

On Tue, 17 Jul 2018 10:24:43 +0200
Corinna Vinschen wrote:
> On Jul 17 01:06, Takashi Yano wrote:
> > Should not it leaves on users to decide whether to install or not?
> > I think that it is better for users to have a choice.
> I agree.

Thank you for your support.

Since security concerns have been expressed from many people, I would
like to add the following note to the package DESCRIPTION and README:

                           *** CAUTION ***
For security reasons, the use of r-commands is completely discouraged.
Instead, you should seriously consider use of the ssh related tools.
This package is mainly for compatibility.

even though README already says:

---- from here -----
Note that these clients are security nightmares, dating from a time when
the internet was a more innocent place. Not only do rlogin, rsh, and rcp
transmit your username and password unencrypted, but rexec uses .netrc-
style authentication, where your username and password are stored,
unencrypted, in a file in your home directory on every client machine,
and transmits it unencrypted to the server.

It is NOT recommended that you install or use ANY of these utilities
unless you have a VERY good reason.  All of the r* clients may be
replaced by the cryptographically secure ssh client from the cygwin
'openssh' package.

So why is this package present?  Because as insecure and flawed as they
are, the r* tools, servers, and protocols are still in wide use, and
their conspicuous absence from the cygwin distribution would be viewed
as a flaw, not a feature.
----- to here -----

Takashi Yano <takashi.yano@nifty.ne.jp>

More information about the Cygwin-apps mailing list