[OpenAFS] AFS rsh token passing

Ken Hornstein kenh@cmf.nrl.navy.mil
Mon, 30 Oct 2006 22:13:01 -0500


>What's the best replacement for the old AFS rsh and
>Transarc inetd which does token passing?
>
>I'm using this in a Linux cluster environment so speed is
>fairly important - and I'd prefer something as easy to
>setup as the old rsh.

I use the MIT Kerberos rsh/rshd all of the time.  I'm not sure what
you mean by "speed" ... if you're looking at data transfer rates,
well, I'm not sure which is faster.  If connection time is your
issue, in my experience rsh is faster than openssh, just because
you have less protocol overhead, less crypto to do (it's using
Kerberos crypto instead of doing a DH exchange), and fewer round
trips.  You should experiment and gather your own numbers, of course.
What takes extra time in Kerberized rsh is ticket forwarding and
running aklog or the equivalent on the remote end ... but openssh
has to do those things as well, in addition to everything else it's
doing.  If you have Kerberos working on these hosts already, getting
Kerberized rsh working is pretty much a no-brainer.

No doubt some people will consider me "daft", but I have no real
security concerns with Kerberized rsh, or the other Kerberized
r-protocols (I'm talking about the MODERN ones, not the ones in the
MIT 1.1 release era).  We have tons of users using these protocols
over the global Internet, and I don't lose a bit of sleep over this.
In rsh, the remote username and command is cryptographically
checksummed to prevent it from being modified, and if you turn it
on the crypto isn't bad, IMHO (NOT speaking as a cryptographer, you
understand).  I view it as more than good enough to protect against
the threats we're facing on the Internet today.

With any Kerberos 5 solution (rsh or openssh), you're not going to
get the speed of the AFS token-passing rsh ... but from just a security
standpoint if no other, getting rid of token-passing rsh is a really
good idea (as you no doubt know already).

--Ken
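As an added example (not part of Ken's post or of OpenAFS/MIT Kerberos), here is a small harness for the "gather your own numbers" comparison above: it times MIT Kerberos rsh against OpenSSH with GSSAPI authentication, with both paths forwarding the TGT and running aklog on the far end so the setup cost being measured is like for like. It assumes an MIT krb5 rsh whose -f flag forwards tickets and -x turns on encryption, an OpenSSH client that honours GSSAPIAuthentication/GSSAPIDelegateCredentials (the server side needs GSSAPIAuthentication yes in sshd_config), aklog on the remote PATH, and GNU date for nanosecond timestamps; the host names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: compare connection-setup
# latency of Kerberized rsh and ssh+GSSAPI, each forwarding a ticket
# and obtaining an AFS token with aklog on the remote side.
# Assumptions: MIT krb5 rsh (-f forward TGT, -x encrypt), OpenSSH with
# GSSAPI support on both ends, aklog in the remote PATH, GNU date.

# Run on the remote end: get an AFS token from the forwarded ticket,
# then do trivial work so we time setup, not payload transfer.
REMOTE_CMD='aklog && /bin/true'

# Command line for the Kerberized rsh path.
krb_rsh_cmd() {
    printf "rsh -f -x %s '%s'\n" "$1" "$REMOTE_CMD"
}

# Command line for the OpenSSH path; delegation replaces rsh -f,
# BatchMode keeps a missing ticket from turning into a password prompt.
ssh_gss_cmd() {
    printf "ssh -o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes -o BatchMode=yes %s '%s'\n" "$1" "$REMOTE_CMD"
}

# Run "$@" N times and print the mean wall-clock time in milliseconds.
# Fails if any run fails, so a misconfigured host is not silently
# averaged in as a very fast failure.
avg_ms() {
    n=$1; shift
    i=0; total=0
    while [ "$i" -lt "$n" ]; do
        start=$(date +%s%N)
        "$@" >/dev/null 2>&1 || return 1
        end=$(date +%s%N)
        total=$(( total + (end - start) / 1000000 ))
        i=$(( i + 1 ))
    done
    echo $(( total / n ))
}

# Time both paths against one host. Usage: compare HOST [RUNS]
compare() {
    host=$1; runs=${2:-10}
    rsh_ms=$(avg_ms "$runs" sh -c "$(krb_rsh_cmd "$host")") || rsh_ms=FAIL
    ssh_ms=$(avg_ms "$runs" sh -c "$(ssh_gss_cmd "$host")") || ssh_ms=FAIL
    printf '%-24s rsh(krb5 -f -x): %s ms   ssh(GSSAPI): %s ms\n' \
        "$host" "$rsh_ms" "$ssh_ms"
}

# Only run the comparison when a host is given, e.g.
#   kinit && sh bench.sh node01.example.com 20
if [ -n "${1:-}" ]; then
    compare "$1" "${2:-10}"
fi
```

Run it after kinit from a node that can reach both kshd and sshd on the target; a FAIL in either column usually means the ticket was not forwardable, the service principal is missing, or aklog is not on the remote PATH. If sshd already obtains the AFS token at login (for example through a PAM session module), drop aklog from REMOTE_CMD for the ssh path so the two runs stay comparable.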