telnet & ftp official status
Nicolas.Williams at sun.com
Fri Oct 3 17:29:54 EDT 2008
On Tue, Sep 30, 2008 at 12:00:37PM -0400, Tom Yu wrote:
> A few questions we need to consider are:
> * Who needs these applications, and why?
Not OpenSolaris :)
> * What should be done about the protocol vulnerabilities?
Well, if you distribute the apps, whether directly or indirectly, then
you should fix them. Better to drop the apps :)
> * What advantages are there compared to SSH?
FTP may perform better than many SFTP/SSHv2 implementations; I'm not
sure. Other than that I can't think what advantages the MIT krb5 apps
offer over SSHv2. I don't think such an advantage should be considered
significant -- let the SSHv2 implementors improve their implementations'
performance if that's needed.
> * Should we continue bundling the applications?
I recomment against it. Spin them off into a separate repository and
invite others to maintain them. HOWEVER, that's *my* *personal* advice/
opinion. It is not Sun's opinion as a consortium member, and other
members might strongly oppose such a move.
> The continued presence of these applications in the MIT Kerberos
> source tree raises a number of issues. These applications, by virtue
> of being login-related applications, present a multitude of
> portability challenges. Operating system interfaces related to user
> login activities appear to have the some of the largest variations of
> any operating system interfaces.
> Additionally, having the release cycle of these applications tied to
> that of the core MIT Kerberos source code is problematic. Security
> vulnerabilities discovered in the applications will require an update
> to the krb5 package, due to bundling. For vendors wishing to track
> only the core Kerberos libraries and utilities, this can create
> difficulties with their change management processes.
This argues for, at the very least, separating the apps from the core.
More information about the krbdev