From tony@fnal.gov Mon Mar 8 18:47:20 1999
Date: Wed, 09 Dec 1998 18:56:53 -0600 (CST)
From: Antonio Wong Chan
To: run2farms@fnal.gov
Subject: Security issues on prototype farm

Hi,                                                        Dec. 9, 1998

I noticed that a few protocols such as telnet, imap, gopher, etc were
disabled on fnpcc, but not anywhere else. This may be a security
loophole, since we at CDF can also access our area via any of the other
nodes (i.e., fnpc103). If a hacker gets access to one of the nodes...

Would people (FCC, D0, theory, etc) object to disabling the following
protocols on the prototype farm, or is this not such a big security risk
since the farm nodes can only be accessed from on-site computers anyway?

    telnet
    gopher
    imap
    talk
    ntalk

Cheers,
Antonio

From rayp@fnal.gov Mon Mar 8 18:47:31 1999
Date: Thu, 10 Dec 1998 08:17:42 -0600
From: Ramon Pasetes
To: Antonio Wong Chan, run2farms@fnal.gov
Subject: Re: Security issues on prototype farm

We can turn off gopher, since I don't think anyone will be using this
service. Imap IS off. Before shutting off telnet/rlogin/rsh/rexec, I'd
like to have a consensus. Same goes with talk/ntalk.

-Ray

From marilyn@bastet Mon Mar 8 18:47:42 1999
Date: Thu, 10 Dec 1998 08:43:27 -0600 (CST)
From: Marilyn Schweitzer
To: run2farms@fnal.gov
Subject: Re: Security issues on prototype farm

Regarding:

> We can turn off gopher, since I don't think anyone will be using this
> service. Imap IS off. Before shutting off telnet/rlogin/rsh/rexec, I'd
> like to have a consensus. Same goes with talk/ntalk.
>
> -Ray

I agree with Ray that we need a consensus. I'll try to find a time
during a Friday Run II Farms meeting to discuss this. This would be
either 1/8/99, 1/22/99 or 2/5/99.

I also assume, as previously agreed upon, that access from outside of
fnal has been blocked as much as possible via tcp_wrappers. (Our
original request was to set this up via datacom, but datacom was
reluctant to do so.)

Marilyn

From rayp@fnal.gov Mon Mar 8 18:47:52 1999
Date: Thu, 10 Dec 1998 08:47:50 -0600
From: Ramon Pasetes
To: Marilyn Schweitzer, run2farms@fnal.gov
Subject: Re: Security issues on prototype farm

Yes, all outside access should be blocked from the farms. However, this
is restricted to "tcp" access as the tcp_wrappers won't block udp
traffic.

From talking to datacomm, if we can assure them that we will never,
ever, ever ask them to allow for outside access again, then they may
consider doing this. But, if we are not sure, they would rather not
block traffic on their end as it would be quite a bit of work for
something that is not definite.

-Ray

From petravic@fnal.gov Mon Mar 8 18:48:01 1999
Date: Thu, 10 Dec 1998 09:15:54 -0600 (CST)
From: "petravick@FNAL.GOV"
Reply-To: petravick@fnal.gov
To: Ramon Pasetes
Cc: Antonio Wong Chan, run2farms@fnal.gov
Subject: Re: Security issues on prototype farm

I thought that old CPSA used rexec, but maybe not an issue for run II?

-- Don

On Thu, 10 Dec 1998, Ramon Pasetes wrote:

> Date: Thu, 10 Dec 1998 08:17:42 -0600
> From: Ramon Pasetes
> To: Antonio Wong Chan, run2farms@fnal.gov
> Subject: Re: Security issues on prototype farm
>
> We can turn off gopher, since I don't think anyone will be using this
> service. Imap IS off. Before shutting off telnet/rlogin/rsh/rexec, I'd
> like to have a consensus. Same goes with talk/ntalk.
>
> -Ray

From ivm@hppc Mon Mar 8 18:48:09 1999
Date: Thu, 10 Dec 1998 09:24:49 -0600
From: Igor Mandrichenko
To: tony@fnal.gov
Cc: run2farms@fnal.gov
Subject: Re: Security issues on prototype farm

On Dec 10, 8:43am, Marilyn Schweitzer wrote:
> Subject: Re: Security issues on prototype farm
> Regarding:
>
> > We can turn off gopher, since I don't think anyone will be using this
> > service. Imap IS off. Before shutting off telnet/rlogin/rsh/rexec, I'd
> > like to have a consensus. Same goes with talk/ntalk.
> >
> > -Ray
>
> I agree with Ray that we need a consensus. I'll try to find a time
> during a Friday Run II Farms meeting to discuss this. This would be
> either 1/8/99, 1/22/99 or 2/5/99.
>
> I also assume, as previously agreed upon, that access from outside
> of fnal has been blocked as much as possible via tcp_wrappers. (Our
> original request was to set this up via datacom, but datacom was
> reluctant to do so.)
>
> Marilyn

I agree, security issues are very important and necessary precautions
must be taken to prevent disasters caused by security breaks.

However, this is only a prototype farm, which, as far as I know, is not
supposed to be used for real production of critical data. The goal of
setting it up is to let users and us try it and see how it works. I do
not care much about things like gopher or talk, but as for telnet, ftp,
r*, they are quite useful for developers, people who support the
systems and software, and, I believe, for users as well. If we disable
them, effectively, access to the farm will be made more complicated and
limited, which is not in agreement with the goal of the farm's
existence.

Igor

--
Igor Mandrichenko
Computing Division
Fermi National Accelerator Laboratory
E-mail: ivm@fnal.gov

From kreymer@fnal.gov Mon Mar 8 18:48:17 1999
Date: Thu, 10 Dec 1998 09:39:53 -0600 (CST)
From: Art Kreymer
To: run2farms@fnal.gov
Subject: Re: Security issues on prototype farm

I do not think that it is urgent or perhaps even necessary to disable
rsh/rcp/rlogin on the worker nodes.

But telnet (and non-anonymous ftp) is an immediate and major security
problem. It cannot be used without placing an unencrypted password on
the network. I strongly urge that it be disabled on any of the nodes
that CDF uses.

Part of what we should be testing in the prototype farms is our ability
to work in a safe and secure fashion. It is better to learn how to work
with these security restrictions now, before we go into production.

If we cannot reach a consensus on disabling telnet, then please,
voluntarily, refrain from telnetting and ftp'ing. Your password WILL be
compromised.

From schellma@.MISSING-HOST-NAME. Mon Mar 8 18:48:29 1999
Date: Thu, 10 Dec 1998 12:20:32 -0600 (CST)
From: Heidi Schellman
To: Igor Mandrichenko
Cc: tony@fnal.gov, run2farms@fnal.gov, schellma
Subject: Re: Security issues on prototype farm

We definitely need ftp.

I would appreciate it if someone could describe the replacements for
telnet, rsh etc. so that I can tell if I'm giving up functionality or
just learning a new name for the same thing. I need something that does
what telnet, ftp, rsh etc do. I don't care what I call it.

Thanks,
Heidi

From kreymer@fnal.gov Mon Mar 8 18:48:38 1999
Date: Thu, 10 Dec 1998 12:56:37 -0600 (CST)
From: Art Kreymer
To: Heidi Schellman
Cc: Igor Mandrichenko, tony@fnal.gov, run2farms@fnal.gov
Subject: Re: Security issues on prototype farm

    Old command     Secure command

    telnet          slogin
    rlogin          slogin
    rsh             ssh
    rcp             scp
    ftp             scp

These are pretty much direct replacements, except that scp is not a
direct replacement for ftp. It copies files, but does not list
directories, etc. But you can ssh to do that.

Now that I've had a few more weeks experience with ssh, and switching
the CDF distribution scripts to use it exclusively, I should update my
old usage guide in

    http://www-focus.fnal.gov/dart/ssh.html

From tony@fnal.gov Mon Mar 8 18:49:04 1999
Date: Thu, 10 Dec 1998 15:44:39 -0600 (CST)
From: Antonio Wong Chan
To: Igor Mandrichenko
Cc: run2farms@fnal.gov
Subject: Re: Security issues on prototype farm

> > > We can turn off gopher, since I don't think anyone will be using this
> > > service. Imap IS off. Before shutting off telnet/rlogin/rsh/rexec, I'd
> > > like to have a consensus. Same goes with talk/ntalk.
> > >
> > > -Ray
> >
> > I agree with Ray that we need a consensus. I'll try to find a time
> > during a Friday Run II Farms meeting to discuss this. This would be
> > either 1/8/99, 1/22/99 or 2/5/99.
> >
> > I also assume, as previously agreed upon, that access from outside
> > of fnal has been blocked as much as possible via tcp_wrappers. (Our
> > original request was to set this up via datacom, but datacom was
> > reluctant to do so.)
> >
> > Marilyn

Yes, I think this issue should be discussed with a wide audience, and I
think a run II farms meeting is the appropriate venue.

> I agree, security issues are very important and necessary precautions
> must be taken to prevent disasters caused by security breaks.
>
> However, this is only a prototype farm, which, as far as I know,
> is not supposed to be used for real production of critical data.
> The goal of setting it up is to
> let users and us try it and see how it works. I do not care much about
> things like gopher or talk, but as for telnet, ftp, r*, they are quite
> useful for developers, people who support the systems and software, and,
> I believe, for users as well. If we disable them, effectively, access
> to the farm will be made more complicated and limited, which is not
> in agreement with the goal of the farm's existence.

Disabling some protocols such as ftp, telnet, talk, etc should only be
done if we can find reasonable (and more secure) alternatives, of
course. It seems to me that ssh, slogin, etc are such alternatives. It
would be good if we can test the prototype farm in a realistic
environment for Run II production, where security will be an important
issue. If we start implementing secure protocols, it would also help
people get used to them now, instead of later.

Cheers,
Antonio

From ivm@hppc Mon Mar 8 18:49:41 1999
Date: Fri, 11 Dec 1998 08:51:40 -0600
From: Igor Mandrichenko
To: Art Kreymer, Heidi Schellman
Cc: tony@fnal.gov, run2farms@fnal.gov
Subject: Re: Security issues on prototype farm

On Dec 10, 12:56pm, Art Kreymer wrote:
> Subject: Re: Security issues on prototype farm
>     Old command     Secure command
>
>     telnet          slogin
>     rlogin          slogin
>     rsh             ssh
>     rcp             scp
>     ftp             scp
>
> These are pretty much direct replacements,
> except that scp is not a direct replacement for ftp.
> It copies files, but does not list directories, etc.
> But you can ssh to do that.
>
> Now that I've had a few more weeks experience with ssh,
> and switching the CDF distribution scripts to use it exclusively,
> I should update my old usage guide in

I would not agree that scp is a direct and adequate replacement for ftp
or that slogin can replace telnet.

Igor

--
Igor Mandrichenko
Computing Division
Fermi National Accelerator Laboratory
E-mail: ivm@fnal.gov

From djholm@fnal.gov Mon Mar 8 18:49:58 1999
Date: Fri, 11 Dec 1998 10:31:19 -0600 (CST)
From: Don Holmgren
To: Igor Mandrichenko
Cc: Art Kreymer, Heidi Schellman, tony@fnal.gov, run2farms@fnal.gov
Subject: Re: Security issues on prototype farm

Igor, could you elaborate a bit? On SDSS all access to the New Mexico
observatory site is now via ssh, and I've found that slogin is
essentially identical to telnet, and that scp is a more than adequate
replacement for ftp (of course, I prefer any command line tool to a
user interface like ftp's). I suppose slogin is inferior to telnet when
connecting between disparate OS's, when you want to control
interpretation of special characters.
Don Holmgren

On Fri, 11 Dec 1998, Igor Mandrichenko wrote:

> On Dec 10, 12:56pm, Art Kreymer wrote:
> > Subject: Re: Security issues on prototype farm
> >     Old command     Secure command
> >
> >     telnet          slogin
> >     rlogin          slogin
> >     rsh             ssh
> >     rcp             scp
> >     ftp             scp
> >
> > These are pretty much direct replacements,
> > except that scp is not a direct replacement for ftp.
> > It copies files, but does not list directories, etc.
> > But you can ssh to do that.
> >
> > Now that I've had a few more weeks experience with ssh,
> > and switching the CDF distribution scripts to use it exclusively,
> > I should update my old usage guide in
>
> I would not agree that scp is a direct and adequate replacement for ftp
> or that slogin can replace telnet.
>
> Igor
>
> --
> Igor Mandrichenko
> Computing Division
> Fermi National Accelerator Laboratory
> E-mail: ivm@fnal.gov

From schellma@.MISSING-HOST-NAME. Mon Mar 8 18:50:09 1999
Date: Fri, 11 Dec 1998 11:16:37 -0600 (CST)
From: Heidi Schellman
To: Don Holmgren
Cc: Igor Mandrichenko, Art Kreymer, schellma, tony@fnal.gov, run2farms@fnal.gov
Subject: Re: Security issues on prototype farm

I am currently accessing the farm from an NT machine at Northwestern.
Would an appropriate workaround be: telnet to a local nwu machine,
slogin via ssh to fnpcd?

Heidi

From shepelak@fsui02 Mon Mar 8 18:50:23 1999
Date: Fri, 11 Dec 1998 11:27:36 -0600
From: Karen Shepelak
To: Heidi Schellman
Cc: Don Holmgren, Igor Mandrichenko, Art Kreymer, tony@fnal.gov, run2farms@fnal.gov, shepelak@fsui02
Subject: Re: Security issues on prototype farm

Hi Heidi,

Use slogin just like you would telnet. Example:

    telnet fnpcd
    slogin fnpcd

NOTE: Keep in mind that there are additional options when you use
slogin.

Options:

    -l user     Log in using this user name.

So to log in as user Heidi you would need to type:

    slogin -l heidi fnpcd

Hope this helps,
--
Karen
Central Systems Support

From kreymer@fnal.gov Mon Mar 8 18:50:31 1999
Date: Fri, 11 Dec 1998 11:45:32 -0600 (CST)
From: Art Kreymer
To: Heidi Schellman
Cc: run2farms@fnal.gov
Subject: Re: Security issues on prototype farm

Yes, the usual workaround for non-ssh telnets such as Xterminals is to
log into the closest available machine, then use ssh to connect to the
remote system.

A much better approach for NT is to install SSH on NT. I've heard good
things about teraterm, a free telnet/SSH client. See

    http://www.zip.com.au/~roca/ttssh.html
and
    http://hp.vector.co.jp/authors/VA002416/teraterm.html

For general use, there is a commercial version,

    http://www.datafellows.com/f-secure/fclintp.htm

From ivm@hppc Mon Mar 8 18:50:39 1999
Date: Fri, 11 Dec 1998 12:20:00 -0600
From: Igor Mandrichenko
To: Don Holmgren
Cc: Art Kreymer, Heidi Schellman, tony@fnal.gov, run2farms@fnal.gov
Subject: Re: Security issues on prototype farm

On Dec 11, 10:31am, Don Holmgren wrote:
> Subject: Re: Security issues on prototype farm
>
> Igor, could you elaborate a bit? On SDSS all access to the New Mexico
> observatory site is now via ssh, and I've found that slogin is essentially
> identical to telnet, and that scp is a more than adequate replacement
> for ftp (of course, I prefer any command line tool to a user interface
> like ftp's). I suppose slogin is inferior to telnet when connecting
> between disparate OS's, when you want to control interpretation of special
> characters.
>
> Don Holmgren

I do not know how to create a session log file with slogin. Do you?
Some implementations of telnet client allow you to do that.

With telnet, you can spawn a subshell. Can you do that with slogin?

Slogin's behaviour is affected by a bunch of config files on both nodes,
which is not the case for telnet.

Telnet exists everywhere and you do not have to think much before typing
"telnet myhost".

With ftp you can get a directory listing, type something like "mget
12*1998.log". Can you tell me what is the scp equivalent for this?

I used to work for a company where management was so much concerned
about network security that they did not trust even the firewall
equipment they bought (this mistrust was NOT based on any real events,
by the way!), so they decided that the only possible way to guard their
computers from intruders is to *physically* disconnect them (computers,
of course (well, they wished they knew how to disconnect intruders...))
from the network. And I agree with them, by the way.

The only question is how much you lose by

  - having security measures in place and
  - not having them in place

if prohibition of telnet, ftp and others outweighs anticipated losses
caused by keeping them in place, then they should stay.

Igor

--
Igor Mandrichenko
Computing Division
Fermi National Accelerator Laboratory
E-mail: ivm@fnal.gov

From terekhov@fndaub Mon Mar 8 18:51:29 1999
Date: Fri, 11 Dec 1998 13:01:15 -0600 (CST)
From: Igor Terekhov
To: Don Holmgren
Cc: run2farms@fnal.gov
Subject: Re: Security issues on prototype farm

Dear Don,

I just wanted to add a couple of words to Igor's comment:

> With ftp you can get a directory listing, type something like "mget 12*1998.log".
> Can you tell me what is the scp equivalent for this?

I know that you also know about two more things for efficient copying
of many files in the insecure (non-ssh) world.

1) The ftp's mget command allows you to get an entire directory (or
   several directories if my memory doesn't fail me), like "mget bin etc
   lib", albeit non-recursively.

2) There's a wonderful command, rdist, that uses rcmd/rsh to copy entire
   file system branches.

IMHO if you want that ease of copying, you need to make sure there's a
secure equivalent. Otherwise, you may have to write home-grown scripts
to do such copying. But of course, I don't know how important that is.

Igor Terekhov

From djholm@fnal.gov Mon Mar 8 18:51:39 1999
Date: Fri, 11 Dec 1998 13:19:05 -0600 (CST)
From: Don Holmgren
To: Igor Mandrichenko
Cc: Art Kreymer, Heidi Schellman, tony@fnal.gov, run2farms@fnal.gov
Subject: Re: Security issues on prototype farm

Sorry, perhaps I sounded too harsh. My point was meant to be that I had
been forced to switch over to ssh-tools to do my work on SDSS because
of serious security incidents at the remote site, and that I had found
slogin and scp to be usable. I really am curious about any serious
deficiencies that others have found when they are forced to use slogin
and scp. Perhaps what you've asked about are serious deficiencies.

In case anyone wants the answers to the specific questions, read on.
Anything further I'll take offline.

On Fri, 11 Dec 1998, Igor Mandrichenko wrote:

> On Dec 11, 10:31am, Don Holmgren wrote:
> > Subject: Re: Security issues on prototype farm
> >
> > Igor, could you elaborate a bit? On SDSS all access to the New Mexico
> > observatory site is now via ssh, and I've found that slogin is essentially
> > identical to telnet, and that scp is a more than adequate replacement
> > for ftp (of course, I prefer any command line tool to a user interface
> > like ftp's). I suppose slogin is inferior to telnet when connecting
> > between disparate OS's, when you want to control interpretation of special
> > characters.
> >
> > Don Holmgren
>
> I do not know how to create a session log file with slogin. Do you?
> Some implementations of telnet client allow you to do that.

Sure, though not within slogin. Simply

    script my.session.log.file; slogin target_host

to log locally, or

    slogin target_host
    target_host% script my.session.log.file

to log on the remote host. There's nothing equivalent, though, to
"netdata", "prettydump", and the like, though I've only ever used those
to debug all the complex negotiations that telnet does.

> With telnet, you can spawn a subshell. Can you do that with slogin?

No, and indeed that's a drawback on, say, a serial line. On an X-term,
why do I care? If I really need to do this, I can simply:

    telnet localhost      % we can safely leave this enabled
    slogin target_host

then, hitting the telnet escape feature you can get to the telnet>
prompt and do things like subshells.

> Slogin's behaviour is affected by a bunch of config files on both nodes,
> which is not the case for telnet.

Telnet's behavior is affected by a bunch of configuration options used
in the build process on both nodes.

> Telnet exists everywhere and you do not have to think much before typing
> "telnet myhost".

slogin reverts to rsh if sshd isn't running:

    lrep:~$ slogin acpr5
    Secure connection to acpr5 refused; reverting to insecure method.
    Using rsh. WARNING: Connection will not be encrypted.
    Password:
    Last login: Fri Dec 11 12:54:32 from lrep

Yes, telnet is somewhat more likely to be available than rshell servers.

> With ftp you can get a directory listing, type something like "mget 12*1998.log".
> Can you tell me what is the scp equivalent for this?

Sure. Use ssh to get a directory listing:

    ssh target_host 'cd /pub/dir; ls -l'

Use scp to get a set of files:

    scp target_host:'12*1998.log' .

(yes indeed, wildcards work, just like in rcp. I don't know of an
option, though, to answer yes/no to individual files.)

> I used to work for a company where management was so much concerned
> about network security that they did not trust even the firewall
> equipment they bought (this mistrust was NOT based on any real events,
> by the way!), so they decided that the only possible way to guard their
> computers from intruders is to *physically* disconnect them (computers,
> of course (well, they wished they knew how to disconnect intruders...))
> from the network. And I agree with them, by the way.
>
> The only question is how much you lose by
>
>   - having security measures in place and
>   - not having them in place
>
> if prohibition of telnet, ftp and others outweighs anticipated losses
> caused by keeping them in place, then they should stay.
>
> Igor
>
> --
> Igor Mandrichenko
> Computing Division
> Fermi National Accelerator Laboratory
> E-mail: ivm@fnal.gov

Unfortunately, our mistrust is based upon real experiences are
significant blocks of effort by various site administrators after
breakins.

I was also very resistant to changing over to ssh tools. But, after a
little use the pain went away.

Don Holmgren

From rayp@fnal.gov Mon Mar 8 18:51:47 1999
Date: Fri, 11 Dec 1998 13:23:59 -0600
From: Ramon Pasetes
To: Igor Terekhov, Don Holmgren
Cc: run2farms@fnal.gov
Subject: Re: Security issues on prototype farm

Hi Igor,

> 2) There's a wonderful command, rdist, that uses rcmd/rsh to copy entire
>    file system branches.

We can get around this somewhat. There is an rdist that works with the
normal rdist or can use ssh. We have it installed on fnalu. I don't
think it is compiled for Linux, but if this is the way we are going...

Also, if you know ahead of time what directory you need to copy, you can
use a combination of ssh, tar and pipes to get what you want. This
isn't much help if you need to interactively browse before copying,
however.

example:

    ssh "(cd ; tar cf - .)" | tar xvBpf -

-Ray

From kreymer@fnal.gov Mon Mar 8 18:51:53 1999
Date: Fri, 11 Dec 1998 13:27:17 -0600 (CST)
From: Art Kreymer
To: run2farms@fnal.gov
Subject: Re: Security issues on prototype farm

For logging sessions, use script.

scp honors wild cards. For example,

    scp cdfsga:'init/pull*' .

scp -r gets an entire recursive directory tree.

rdist can be used securely by linking the 'r' commands to the 's'
commands. (but we are not using rdist on farm worker nodes.)
From djholm@fnal.gov Mon Mar 8 18:51:59 1999
Date: Fri, 11 Dec 1998 13:29:55 -0600 (CST)
From: Don Holmgren
To: Igor Terekhov
Cc: run2farms@fnal.gov
Subject: Re: Security issues on prototype farm

OK, sorry to the list, but in case anyone wants to know these answers
as well:

On Fri, 11 Dec 1998, Igor Terekhov wrote:

> Dear Don,
>
> I just wanted to add a couple of words to Igor's comment:
>
> > With ftp you can get a directory listing, type something like "mget
> > 12*1998.log". Can you tell me what is the scp equivalent for this?
>
> I know that you also know about two more things for efficient
> copying of many files in the insecure (non-ssh) world.
>
> 1) The ftp's mget command allows you to get an entire directory
>    (or several directories if my memory doesn't fail me), like "mget bin etc
>    lib", albeit non-recursively.

The equivalent with scp is

    scp -r target_host:{bin,etc,lib} .

where '-r' asks for recursion. The {} syntax is standard glob (or
shell?) syntax, I believe.

> 2) There's a wonderful command, rdist, that uses rcmd/rsh to copy entire
>    file system branches.

rdist is very nice for synchronizing branches, particularly when you
only need to move a few files which are different. For moving an entire
tree, I do:

    (ssh target_host 'cd /the_dir; tar -cf - .') | \
    (cd /my_dir; tar --preserve --same-owner -xf -)

All the standard UNIX tricks you can think of doing with rsh work with
ssh.

> IMHO if you want that ease of copying, you need to make sure there's a
> secure equivalent. Otherwise, you may have to write home-grown scripts to
> do such copying. But of course, I don't know how important that is.
>
> Igor Terekhov

Agreed.
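The "ssh + tar + pipes" tree copy and the "ssh host 'cd dir; ls -l'" listing that Ray and Don describe above, written up as an added example that is not code from the thread. It assumes a placeholder host name target_host, and makes the transport a parameter so the same functions run entirely locally (transport "sh -c") for testing, or with the reading end on a remote node (transport "ssh target_host").

```shell
#!/bin/sh
# Added example, not code from the thread: the secure replacements for
# rdist/rcp ("ssh + tar + pipes") and for ftp's "dir" ("ssh host ls -l").
# The transport is a parameter: "sh -c" runs both ends locally (used for
# testing), "ssh target_host" runs the reading end on a remote node.
# "target_host" is a placeholder name, not a real host.

# remote_ls <dir> [<transport>]: long listing of a directory on the
# reading side, the ssh equivalent of an ftp "dir".
remote_ls() {
    ${2:-sh -c} "cd '$1' && ls -l"
}

# Shell snippet run on either side to fingerprint a tree: one cksum over
# every regular file's relative path and contents (LC_ALL=C fixes the
# sort order so both sides produce the same stream).
DIGEST_CMD='find . -type f | LC_ALL=C sort | while read -r f; do printf "%s " "$f"; cksum < "$f"; done | cksum'

# tree_digest <dir> [<transport>]: fingerprint of dir on that side.
tree_digest() {
    ${2:-sh -c} "cd '$1' && $DIGEST_CMD"
}

# copy_tree <src_dir> <dst_dir> [<transport>]: mirror src_dir into
# dst_dir. The reading tar runs under the transport, the writing tar
# locally; -p keeps modes. A plain pipe only reports the status of its
# last command, so the source is checked first and the copy is verified
# afterwards; returns 1 on a missing source or a copy that does not match.
copy_tree() {
    src=$1; dst=$2; transport=${3:-sh -c}
    $transport "test -d '$src'" || { echo "copy_tree: no such directory: $src" >&2; return 1; }
    mkdir -p "$dst" || return 1
    $transport "cd '$src' && tar cf - ." | (cd "$dst" && tar xpf -) || return 1
    [ "$(tree_digest "$src" "$transport")" = "$(tree_digest "$dst")" ]
}

# Usage against a real node (placeholder host):
#   copy_tree /the_dir /my_dir 'ssh target_host'
#   remote_ls /pub/dir 'ssh target_host'
```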
From petravic@fnal.gov Mon Mar 8 18:53:43 1999
Date: Mon, 14 Dec 1998 10:35:56 -0600 (CST)
From: "petravick@FNAL.GOV"
Reply-To: petravick@fnal.gov
To: Don Holmgren
Cc: Igor Mandrichenko, Art Kreymer, Heidi Schellman, tony@fnal.gov, run2farms@fnal.gov
Subject: Re: Security issues on prototype farm

Well, here's what _I_ think the point is. For construction Run II
applications, we have no baseline security model to adhere to. People
are left to make up their own minds and will come to different
conclusions. All that I have really ever heard that was coherent was
"If you use ssh, your password will not be sniffed over a WAN". This is
not official and not comprehensive at all. I wish that there was some
Run II statement on the requirements.

-- Don

On Fri, 11 Dec 1998, Don Holmgren wrote:

> Date: Fri, 11 Dec 1998 13:19:05 -0600 (CST)
> From: Don Holmgren
> To: Igor Mandrichenko
> Cc: Art Kreymer, Heidi Schellman,
>     tony@fnal.gov, run2farms@fnal.gov
> Subject: Re: Security issues on prototype farm
>
> Sorry, perhaps I sounded too harsh. My point was meant to be that
> I had been forced to switch over to ssh-tools to do my work on SDSS
> because of serious security incidents at the remote site, and that
> I had found slogin and scp to be usable. I really am curious about
> any serious deficiencies that others have found when they are forced
> to use slogin and scp. Perhaps what you've asked about are serious
> deficiencies.
>
> In case anyone wants the answers to the specific questions, read on.
> Anything further I'll take offline.
>
> On Fri, 11 Dec 1998, Igor Mandrichenko wrote:
>
> > On Dec 11, 10:31am, Don Holmgren wrote:
> > > Subject: Re: Security issues on prototype farm
> > >
> > > Igor, could you elaborate a bit? On SDSS all access to the New Mexico
> > > observatory site is now via ssh, and I've found that slogin is essentially
> > > identical to telnet, and that scp is a more than adequate replacement
> > > for ftp (of course, I prefer any command line tool to a user interface
> > > like ftp's). I suppose slogin is inferior to telnet when connecting
> > > between disparate OS's, when you want to control interpretation of special
> > > characters.
> > >
> > > Don Holmgren
> >
> > I do not know how to create a session log file with slogin. Do you?
> > Some implementations of telnet client allow you to do that.
>
> Sure, though not within slogin. Simply
>
>     script my.session.log.file; slogin target_host
>
> to log locally, or
>
>     slogin target_host
>     target_host% script my.session.log.file
>
> to log on the remote host. There's nothing equivalent, though, to
> "netdata", "prettydump", and the like, though I've only ever used those
> to debug all the complex negotiations that telnet does.
>
> > With telnet, you can spawn a subshell. Can you do that with slogin?
>
> No, and indeed that's a drawback on, say, a serial line. On an X-term,
> why do I care? If I really need to do this, I can simply:
>
>     telnet localhost      % we can safely leave this enabled
>     slogin target_host
>
> then, hitting the telnet escape feature you can get to the telnet> prompt
> and do things like subshells.
>
> > Slogin's behaviour is affected by a bunch of config files on both nodes,
> > which is not the case for telnet.
>
> Telnet's behavior is affected by a bunch of configuration options
> used in the build process on both nodes.
>
> > Telnet exists everywhere and you do not have to think much before typing
> > "telnet myhost".
>
> slogin reverts to rsh if sshd isn't running:
>
>     lrep:~$ slogin acpr5
>     Secure connection to acpr5 refused; reverting to insecure method.
>     Using rsh. WARNING: Connection will not be encrypted.
>     Password:
>     Last login: Fri Dec 11 12:54:32 from lrep
>
> Yes, telnet is somewhat more likely to be available than rshell servers.
>
> > With ftp you can get a directory listing, type something like "mget 12*1998.log".
> > Can you tell me what is the scp equivalent for this?
>
> Sure. Use ssh to get a directory listing:
>
>     ssh target_host 'cd /pub/dir; ls -l'
>
> Use scp to get a set of files:
>
>     scp target_host:'12*1998.log' .
>
> (yes indeed, wildcards work, just like in rcp. I don't know of an option,
> though, to answer yes/no to individual files.)
>
> > I used to work for a company where management was so much concerned
> > about network security that they did not trust even the firewall
> > equipment they bought (this mistrust was NOT based on any real events,
> > by the way!), so they decided that the only possible way to guard their
> > computers from intruders is to *physically* disconnect them (computers,
> > of course (well, they wished they knew how to disconnect intruders...))
> > from the network. And I agree with them, by the way.
> >
> > The only question is how much you lose by
> >
> >   - having security measures in place and
> >   - not having them in place
> >
> > if prohibition of telnet, ftp and others outweighs anticipated losses
> > caused by keeping them in place, then they should stay.
> >
> > Igor
> >
> > --
> > Igor Mandrichenko
> > Computing Division
> > Fermi National Accelerator Laboratory
> > E-mail: ivm@fnal.gov
>
> Unfortunately, our mistrust is based upon real experiences are significant
> blocks of effort by various site administrators after breakins.
>
> I was also very resistant to changing over to ssh tools. But, after a
> little use the pain went away.
>
> Don Holmgren

From schellma@.MISSING-HOST-NAME. Mon Mar 8 18:53:53 1999
Date: Mon, 14 Dec 1998 10:44:06 -0600 (CST)
From: Heidi Schellman
To: petravick@fnal.gov
Cc: Don Holmgren, Igor Mandrichenko, Art Kreymer, schellma, tony@fnal.gov, run2farms@fnal.gov
Subject: Re: Security issues on prototype farm

By the way guys, this whole discussion is accessible from the web by
anyone because RunIIfarms has a news archive. Maybe we need a separate
list for security issues?