On 14 Feb 2008, at 7:45 pm, Robert G. Brown wrote:

> What the openssh people don't seem to "get" is that by FORCING people to
> use encryption, they are actually keeping rsh alive and a potential
> security risk for all sorts of people in the cluster business for whom
> performance is more important than security given their networking
> environment and goals.  Otherwise, who would ever install it?

Hear, hear. The openssh folks aren't alone in this; it's a common ailment afflicting authors of "security" software. They think they know better than the sysadmin. It's for your own good, now take your medicine. Personally, I'm with you - give the sysadmin the choice.

I've had similar arguments in the past with the author of rssh, a restricted shell useful for cvs servers and the like. He refused to add support for allowing the user to change their password, because his view was that password authentication is evil and all users should be forced to use key authentication at all times. Oh great, so now I have users who ssh in using a private key for authentication over which I have no control - I have no idea whether it's held securely, whether it has a decent passphrase, or anything. At least if they were using passwords I could periodically run a cracker on the passwd file and check their password is sane.

It's a similar scenario. The authors' high and mighty principles don't actually necessarily make my systems any more secure at all, quite possibly the reverse. Quite apart from the extra workload it puts on me. The average scientist doesn't really want to have to learn about ssh-agent and all that stuff.

Tim


--
The Wellcome Trust Sanger Institute is operated by Genome Research Limited, a charity registered in England with number 1021457 and a company registered in England with number 2742969, whose registered office is 215 Euston Road, London, NW1 2BE.
_______________________________________________
Beowulf mailing list, Beowulf@beowulf.org
To change your subscription (digest mode or unsubscribe) visit 
http://www.beowulf.org/mailman/listinfo/beowulf