[OpenAFS-devel] How can I use rsh to connect with AFS

Ken Hornstein kenh@cmf.nrl.navy.mil
Tue, 15 Jan 2002 16:22:07 -0500


>Is your hesitance to use these utilities simply because they are as
>insecure as the standard r* utils, or are they particularly more insecure
>in some way?  I thought someone had mentioned a while back that they
>hadn't been maintained, and were probably riddled with buffer overflows
>(like the ftpd-glob thing last year).

It's not obvious until you look at them closely, but they pass over the
secret information stored in every token (the session key) in the clear
so an eavesdropper could get all of the information they would need to
construct a valid token (which would only be good for the lifetime of
the token, but still ...)

That's the "insecure" part about them.  Mind you, we used to use them
until we switched over to V5, but I understood the risks and was willing
to take them as part of the migration process (it wasn't worse than
anything else we were doing at the time).

--Ken