From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 13091 invoked by alias); 19 Jul 2018 11:32:05 -0000 Mailing-List: contact cygwin-apps-help@cygwin.com; run by ezmlm Precedence: bulk Sender: cygwin-apps-owner@cygwin.com List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Mail-Followup-To: cygwin-apps@cygwin.com Received: (qmail 13079 invoked by uid 89); 19 Jul 2018 11:32:04 -0000 Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-6.0 required=5.0 tests=AWL,BAYES_00,GIT_PATCH_2,KAM_NUMSUBJECT,RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.2 spammy=VERY, protocols, username, seriously X-HELO: conssluserg-04.nifty.com Received: from conssluserg-04.nifty.com (HELO conssluserg-04.nifty.com) (210.131.2.83) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Thu, 19 Jul 2018 11:32:02 +0000 Received: from Express5800-S70 (ntsitm315127.sitm.nt.ngn.ppp.infoweb.ne.jp [125.3.30.127]) (authenticated) by conssluserg-04.nifty.com with ESMTP id w6JBVbwE017293 for ; Thu, 19 Jul 2018 20:31:37 +0900 DKIM-Filter: OpenDKIM Filter v2.10.3 conssluserg-04.nifty.com w6JBVbwE017293 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nifty.ne.jp; s=dec2015msa; t=1531999897; bh=n6V2syGSN/8XTpZdkM4nNK/WCpdxg5fvBOpZVE3aNho=; h=Date:From:To:Subject:In-Reply-To:References:From; b=stdcJmpgszrgGMRPoIqd6c1xtjhlhiq8Ryd06rAfTyokvrjBTELNdbNIE0vV6D750 J+Xgb2+F2gUebYNnifBb4qKb5LHy5LSs8tj3b2gp+5GBhnfSOIScDmRBTBvh1tykv7 n5fcMkrYQgM9l2RQNmyelJjqlfrddAjQRhwi08amAKSF0Fqbiql9fCRHNLr0cVHgsg K8ummrxlflM0JAfQFmgmUJgyR0tYu2vIRyur4yy9KQbGKTqklChYiDhKGYSEtDutN8 DWBlbulWWE7R0X7T+IgdyQVY9DTEg9l/0WNrLXxKMWEJpM1zM1yjL0ouANOWt18PW0 C7X0VycjdwVlQ== Date: Thu, 19 Jul 2018 11:32:00 -0000 From: Takashi Yano To: cygwin-apps@cygwin.com Subject: Re: [ITA] rsh-0.17-3 Message-Id: <20180719203150.7e0e064dd21ef1f1f21f1114@nifty.ne.jp> In-Reply-To: <20180717082443.GA6137@calimero.vinschen.de> References: <20180716045535.af47b237719e6c55cd55a9f3@nifty.ne.jp> <87lgabshnb.fsf@Rainer.invalid> <20180716174907.6de89a81b55e404dc62a4e18@nifty.ne.jp> <87h8kzsgbv.fsf@Rainer.invalid> <20180716091644.GB7249@calimero.vinschen.de> <20180716093257.GC7249@calimero.vinschen.de> <20180717010613.0cc8eb0fd4b34b197bab74d9@nifty.ne.jp> <20180717082443.GA6137@calimero.vinschen.de> Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-IsSubscribed: yes X-SW-Source: 2018-07/txt/msg00071.txt.bz2 On Tue, 17 Jul 2018 10:24:43 +0200 Corinna Vinschen wrote: > On Jul 17 01:06, Takashi Yano wrote: > > Should not it leaves on users to decide whether to install or not? > > I think that it is better for users to have a choice. > > I agree. Thank you for your support. Since security concerns have been expressed from many people, I would like to add the following note to the package DESCRIPTION and README: *** CAUTION *** For security reasons, the use of r-commands is completely discouraged. Instead, you should seriously consider use of the ssh related tools. This package is mainly for compatibility. even though README already says: ---- from here ----- Note that these clients are security nightmares, dating from a time when the internet was a more innocent place. Not only do rlogin, rsh, and rcp transmit your username and password unencrypted, but rexec uses .netrc- style authentication, where your username and password are stored, unencrypted, in a file in your home directory on every client machine, and transmits it unencrypted to the server. It is NOT recommended that you install or use ANY of these utilities unless you have a VERY good reason. All of the r* clients may be replaced by the cryptographically secure ssh client from the cygwin 'openssh' package. So why is this package present? Because as insecure and flawed as they are, the r* tools, servers, and protocols are still in wide use, and their conspicuous absence from the cygwin distribution would be viewed as a flaw, not a feature. ----- to here ----- -- Takashi Yano