Vendor comments on plan to remove telnet, ftp and eventually appl/bsd
rra at stanford.edu
Mon Jul 22 21:04:01 EDT 2002
Jeffrey Altman <jaltman at columbia.edu> writes:
>> I think there's been... one? None? klogind advisories over the same
>> period of time that has seen at least five serious remotely-exploitable
>> sshd holes.
>> Whether that's because fewer people care or because the program is
>> simpler, I have no idea, and frankly don't particularly care. It
>> translates into fewer exploits.
> The same could be said of telnet. It's simpler and has less
> functionality. Therefore, it should be easier to secure.
True, although telnet option negotiation makes it more complex than
klogind, and again this is reflected in the number of security advisories:
I remember at least one remote hole in the Kerberos telnetd, and I'm still
having a hard time remembering any klogind holes, at least recently.
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>