Vendor comments on plan to remove telnet, ftp and eventually appl/bsd

[Sam Hartman]

>>>>> "Russ" == Russ Allbery <rra at stanford.edu> writes:

    Russ> Sam Hartman <hartmans at mit.edu> writes:
    >> OK.  I don't know whether we plan on meeting this requirement;
    >> I rather suspect not.  We'll try to keep command line
    >> compatibility for ftp and telnet, but our assumption is that no
    >> one actually wants to maintain a Kerberos bsd application set
    >> for us to recommend and that we'll be dropping that technology
    >> as soon as there is a viable alternative.

    Russ> The BSD application set, particularly klogind and Kerberized
    Russ> rlogin, are very useful applications because they're
    Russ> extremely simple.  They don't try to do very much, and as
    Russ> such they have a *significantly* better security track
    Russ> record than ssh does.

I tend to agree that they are simpler.  I'm not sure how much of their
security track record has to do with the simplicity and how much has
to do with a lack of critical examination.


    Russ> I'm really hesitant to replace those programs with some
    Russ> other set of applications that try to do more, because that
    Russ> will inevitably mean that there will be more security
    Russ> vulnerabilities.


Noted.  To clarify we don't expect any changes in this regard for the
next release; we're starting the discussion now so we can figure out
if there are other products we should be looking at, or if we need to
examine any of our assumptions.