telnet & ftp official status

Nicolas Williams Nicolas.Williams at sun.com
Fri Oct 3 17:29:54 EDT 2008


On Tue, Sep 30, 2008 at 12:00:37PM -0400, Tom Yu wrote:
> A few questions we need to consider are:
> 
> * Who needs these applications, and why?

Not OpenSolaris :)

> * What should be done about the protocol vulnerabilities?

Well, if you distribute the apps, whether directly or indirectly, then
you should fix them.  Better to drop the apps :)

> * What advantages are there compared to SSH?

FTP may perform better than many SFTP/SSHv2 implementations; I'm not
sure.  Other than that I can't think what advantages the MIT krb5 apps
offer over SSHv2.  I don't think such an advantage should be considered
significant -- let the SSHv2 implementors improve their implementations'
performance if that's needed.

> * Should we continue bundling the applications?

I recommend against it.  Spin them off into a separate repository and
invite others to maintain them.  HOWEVER, that's *my* *personal* advice/
opinion.  It is not Sun's opinion as a consortium member, and other
members might strongly oppose such a move.

> The continued presence of these applications in the MIT Kerberos
> source tree raises a number of issues.  These applications, by virtue
> of being login-related applications, present a multitude of
> portability challenges.  Operating system interfaces related to user
> login activities appear to have some of the largest variations of
> any operating system interfaces.
> 
> Additionally, having the release cycle of these applications tied to
> that of the core MIT Kerberos source code is problematic.  Security
> vulnerabilities discovered in the applications will require an update
> to the krb5 package, due to bundling.  For vendors wishing to track
> only the core Kerberos libraries and utilities, this can create
> difficulties with their change management processes.

This argues for, at the very least, separating the apps from the core.

Nico