r* Programs Being Removed from OpenBSD -current
moonboy writes: "This post over at OpenBSD Journal tells of the r* programs (rsh, rlogin, rcopy, etc) being removed from the -current tree. Can Telnet and FTP be far behind? I say good riddance."
Removing redundant, unnecessary, and potentially dangerous programs from the distro is a really good idea.
Creating the symlinks just adds complexity to a system that doesn't need it.
I have been pwned because my
What the fuck is this play by play?
An Education is the Font of All Liberty
No matter the good the bad or the ugly of this move I can say only one thing.... I fear change.
BSD seems to be taking the necessary steps to reduce needless and mostly unused programs. Something linux distros should also try doing.
--- it's too bad about the monkey, I kinda liked them
But, better late than never, I s'pose.
Karma: Good (despite my invention of the Karma: sig)
hmm, i'm not very familiar with bsd and darwin developments, but i wonder if apple will follow suit.
i just checked my 10.2.4 and it has rlogin, and perl. Perl is quite useful, but i agree it shouldn't be part of a default install. the rtools are a big risk, and rightly should be gotten rid of. with ssh and secure versions of most of these r tools, their existence is moot.
Apple prides itself on the power of unix, simplicity of a mac, and i think it works great. (haven't touched my pc in weeks) but i question if a desktop os really needs the rtools.
I believe something has eluded the 'BSD is dying crowd' and the 'Perl is winbest' crowd.
:D
For starters, BSD is not dying in my eyes. Linux is great, I love it, but it is seriously bloated. 'But seraphim,' you say, 'you are a fag man for thinking these thingz.' I have recently bought SuSE 8.0 Pro. It is terribly bloated. It's really good for a desktop machine, but for a down and dirty linux box, it's just not there. I have also used Redhat 7.0-7.2. They are extremely bloated as well. Not quite to the M$ extreme, but still dangerous. Slackware is the only linux I have used that gets me feeling that I am involved in the console and that it's working with me, rather than me forcing it to do things. BSD is a down and dirty OS. It's great for just digging your teeth in and tearing into. It is not your fancy pants linux distro or desktop GUI OS (i leave that up to my new iMac
And on the issue of Perl. Perl is not being taken out of FreeBSD. It has not been rebuked by the FreeBSD staff and shunned to the 9th circle of hell. It is, however, not included into the base install. Saving, around 40mb, i believe. Now you say 'You silly fagtrot, that's not that much.' Well, yes and no. Yes it isn't a lot when you are running BSD on a AMD 2100XP with a 80g hard drive. I, however, run my BSD on a 486 with a 800mb hard drive. Space is key to me. If i want to install perl, i simply say, 'Hey there BSD, install me some perl.' Otherwise i don't really need it.
Hopefully this will clear some things up.
But he was unmoved, and cried: "If I am mad, it is mercy! May the gods pity the man who in his callousness can remain sa
I find it rather humorous that posts in recent BSD discussions never get a score above 2.
Where are all the Insightful, Informative comments? Are all the bright people waiting to see what BSD does before commenting? So even the egg heads amongst us aren't sure about BSD's latest happenings.
Brad.
FTP: Useful for downloading the latest and greatest. Easily setup from packages if needed (special purpose). See you later, maybe.
RSH: Haven't used it in years. Good bye.
Telnet: Client useful for accessing networking equipment in a secure environment. Haven't run the daemon on my boxes in years. Good bye.
This is a good day for security...
At first when I read this I was a little against it, now that I thought about it I am all for it, too many people just leave services open and get hacked. So the less that is loaded the less that can be hacked.
If you want FTP, download the latest version of ProFTPd or Wu-FTPd and load those, same with Apache.
vegetablespork sez...
. . . that *BSD is dying. BTW, f-ir-st!
I heard sporks and anonymous cowards were dying, something to do with bsd users who finally couldn't take the idiocy...
...and this lie crawls out of its mouth: 'I, the state, am the people.'
Aha, or in geek language.
p erl&!pussy);e arls&pussy);
swith( person )
{
case geek():
if(use_FreeBSD()){
return(import_beer&!
} trow linux_luser;
case jock():
if(get_pussy()){
return(domestic_beer&p
}else{
return( import_beer & covette & pussy );
}}
No one in their right mind would use one of the r* tools or telnet to access a box across the internet. However, for internal connections within a large organisation they are *vital*. Anyone who has worked in a large unix shop (I work in a multinational bank) knows that rlogin and telnet are used all the time to access the various servers over the LAN and VPN, rsh is also used to do a shell script type of RPC. Getting rid of these tools demonstrates what I've always thought about OpenBSD, it's just a toy to amuse Theo that's not really aiming at the high end market but rather just as a web server or other ISP type role. Fine, if that's what they want but it'll hardly make much difference as their user base is so small it hardly registers anyway.
Bye bye OpenBSD.
Pot, kettle . . .
Call (206) 338-5780 COLLECT for information about a genuine BA, BS, MA, MS, MBA, or Ph.D.
I doubt anyone smart enough to install and run OpenBSD is going to be stupid enough to run the r suite of utilities.
But I have to pause in remembrance, because, after all, they are the Berkeley r-suite.
I used them for many years, alongside telnet and ftp, back in the 1980's when 4.2BSD was distributed with my computer. Anyone remember doing tilde escapes to pop back to the local machine?
Even though their security model is insufficient in this present day and age, they really helped to pave the way in showing how remote computers could be accessed in a convenient and powerful way.
It's fitting that a BSD will be the first to retire this venerable set of programs.
R.I.P., r-suite.
"Provided by the management for your protection."
Elegant tools for a more civilized age.
It's about time that these tools be phased out -- the services have been shut off (by default) in just about every *nix distribution on the market over the last decade. Someone needs to pioneer killing them -- and a strip-down default install like OpenBSD seems to be the appropriate place to do that.
There's a number of "what about me" folks out there -- who have some mitigating circumstance to need those tools (see here). It seems that these folks are just speaking out to hear themselves speak. It's not like these services are being excluded from the ports tree. Even if they were, you can still grab the source and build it yourself -- hell, there are still binary packages out there that you can just build.
Lastly, as stated in the thread here, it's just the servers that are getting the axe, the clients stay...so all of the valuable tools (telnet, rlogin, etc) aren't going away.
-Turkey
It's about time.
I'm an OpenBSD user, and a Perl advocate. I love Perl, but not everyone does. Not everyone needs it, just like not everyone needs Python or tcl/tk.
OpenBSD is the closest thing I've seen to an operating system in a long time. When I install an OS, I want to choose what to turn on, not hope I turned off everything I didn't need. I want to know dozens of eyes have done their best to be sure the OS is secure.
The ports collection is far better than any package management tool I've used (Sun pkgadd, Linux RPM). Not only is it good, but OpenBSD's is the best of any BSD I've used (Free and Net) because it's clean. There is only a tiny chance a port you try and build won't work (::leering at FreeBSD::) and it's so easy that I don't mind doing a make;make install to get Perl.
All that said, Theo's recent rant about r* utils makes perfect sense. Get rid of it!
And while we're at it, toss telnet out with the bathwater. Anyone who isn't using ssh to connect to a remote machine is *begging* to get owned. The only way some people are going to use secure tools is if we force them to. I know at work until I turn telnet off people will use that over ssh because it's familiar, because they don't want to upgrade the 100 year old version of QVTTerm they have.
As for FTP - don't let the door hit you in the ass on the way out. I've been using scp for so long I get physically ill when I see this:
ftp>
Yeah it works, but it's a gaping hole. If people want it, fine, but build the daemon you want from the ports collection. The idea of inetd housing all these "critical" services is just an invite to get owned.
I'm not a huge security nut (my boss won't use a grocery store card because his "marketing data is worth more than what they give me"), but in the battle for secure systems, we are losing! Servers here at work are breeding like rabbits, and everyone is not as savvy as you and I. We need to do whatever we can to nudge them in the right direction, not just for their own sake, but for everyone's sake.
"All I ever wanted was to see Larry Wall give Bill Gates a Perl necklace."
http://www.eisenschmidt.org/jweisen
Ok... I can see the point, and certainly I would prefer not to use telnetd or ftpd...
But, we've got a lot of users right now using them to access our boxes, because my predecessor didn't see the need for SSH. Not that SSH didn't have its own holes several years ago... but, anyways,
it now means going to each user's desk (excuse me, but have you dealt with *users*?? Instructions? Oh, by that point you may as well just go do it yourself, or walk 1000 users through it on the phone one by one).
And, people time = money... or so management seems to keep telling us as we try to hire help (an open req) for our department... and we are already swamped.
So, yes.. eventually I will get everyone on SSH, a few at a time. But it ain't gonna happen overnight. Unless you want to foot the bill, that is... we have a hard enough time getting money out of management to replace our friggin P166 intranet server (NES 3.0) -- it's not "important".
Not sure what universe you live in but you need to keep up on patches on any OS you use, whether it is OpenBSD/Solaris/Linux/Winblows etc etc etc. Granted most Unices don't need the level of patching that a Winblows box needs but it is a good admin who keeps his/her eyes open for issues that need to be resolved. But if that isn't your method for admining would you mind posting the IPs for boxes you manage, I need something to root ;)
Reading the comments I realize I should be glad I chose NetBSD instead of OpenBSD when looking for an OS for my kick-ass Sun IPC (yes, I still use it). I could have ended up like those people who were writing in comments that consist of nothing but flaming others or worse, end up like Theo (uggh). Well, OpenBSD is nice for some, but not me. NetBSD Forever!
I use telnet more often than I use ssh.
Ssh - I use for connecting to other machines.
Telnet - I use for testing webservers, mail servers, news servers, testing whether ssh servers are alive and what version they're running, etc etc.
Just because the telnet DAEMON is undesirable doesn't mean the client is so too.
Slashdot? Oh, I just read it for the articles.
Removing rlogin, rsh, and rcmd is certainly a lot easier than fixing them to work with Kerberos V (the OpenBSD versions don't, er, didn't).
In any case, with or without Kerberos they are still appropriate tools in many situations.
Given that, can anybody here actually provide good reasons for removing these tools, other than: "protect dim-witted users from themselves?", or "publicity stunt?".
...that they remove "rm" last.
Liberty uber alles.
Nietzsche? Nope - he doesn't exist in any of my history books.
We do not live in the 21st century. We live in the 20 second century.
So if your network is compromised then you get to watch as passwords are grabbed and machines are compromised. Great company. I won't be banking there.
I work for a large bank, it's probably the biggest one in the US, and not only are these things discouraged, but people lose their jobs if they don't remove them after they have been told to.
As for openbsd, or any os for that matter, being a toy to amuse....a tool is a tool, it does not decide how it is used.
Let us try to separate the security matters.
A protocol can be insecure - say if it provides no reliable means of authentication, or if it transmits all information in clear text.
Implementations of a secure protocol can be insecure - that is, buggy -, and implementations of insecure protocols can do their best not to add any insecurity.
BSD is not dead, nor is it dying.
The r-tools are insecure protocols, since they transfer sensible information in clear text. I am not for enabling the daemons by default installs.
But I don't think they should be removed.
The clients should definitely not be removed, in my opinion, I do not see any insecurity in having an rlogin client installed.
A system will not be much more secure than its admin is capable. Security has always been a compromise.
I believe in security, I appreciate OpenBSD's security code auditing teams, yet OpenBSD's claim "Four years without a remote root security hole in the default install!" does not impress me too much. If the default install is with everything disabled, or configured in some rather restricted way, it is not much of worth to most. People talk all the time about network security, disabling services and daemons, etc. Let us remember the more common type of security problems still, local. Most systems serve users. Local security is just as important, if not more. And not all holes immediately give superuser access to the exploiter, yet they are dangerous. Would it have been "4 years without an exploitable security problem in the OpenBSD code base", this would mean quite more already.
So I think telnet, rlogin, rsh, rexec and ftp should be left in. telnetd, rlogind, rshd, rexecd, and ftpd should also be left in, just disabled by default in inetd, administrators will enable those they need as they know what they are doing.
The code of all those should be audited just like the rest of the distribution. Data being transmitted as plain text is not a security hole in the system. It is known to the admin, just as it is known that passwords can be guessed brute-force.
In an internal academic/corporate network, usually some hosts are trusted, and some users are. Each organization has its security policy, describing how to decide what is trusted. If a host is trusted, the route from it is just as trusted. No encryption will help here. Sometimes rhosts based authentication bypassing is useful.
Encryption won't solve everything. It is a bad illusion for anyone that if the communication is encrypted, it can suddenly be all 100% trusted and safe. A well administered site run by competent admins and with a good security policy, I would trust much more than a site where ssh and encryption is trusted for everything.
Also, as always, there is a point of interoperability, and compatibility. You cannot switch all your organization, definitely not all the environment around it, to different protocols and utilities that easily, and with the Internet attached, it gets even more difficult.
If you think that all utilities/work methods can be secured just by replacing them like this, it isn't so easy.
I am pro advancement, and I think changing things, switching to more secure protocols/systems, is all a good idea, but at its time, as the site's administrators consider it... It cannot be done at once, and should not be done by the maintainers of the distribution.
As for Perl on FreeBSD, I'm very much for it. Most of the BSD systems I use are FreeBSD, then BSDi BSD/OS... Saving a few tenths of megabytes in the distribution, just as simplifying the build and installation process is a good step, Perl is nowhere as standard for a network as the r-tools are, and the system's core scripts/tools shouldn't depend on it. Where it is wanted, install it from the ports tree, or just build it from plain sources...
It might be a good idea if the r-tools could be just a backward compatibility part of the ssh stuff... So say, ftp, unless given a specific flag, will by default do sftp, and resort to old style ftp only if that fails, and rsh will be ssh, which will also support the rsh/rlogin/etc. protocols...
All that, though, is just my 2^-2 cent...
How the heck am I supposed to double click on your computer?
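An added example, not part of any comment in this thread: the comment above argues for shipping the daemons but leaving them disabled in inetd, and mentions rhosts-based trust, so this script shows how an admin could check both on a host. The function names, the service list and the sample file contents are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: audit inetd.conf-style and .rhosts-style files.
# All file contents below are constructed samples, not from a real host.

# Names as listed in /etc/services: shell = rshd, login = rlogind, exec = rexecd.
CLEARTEXT_SERVICES="shell login exec telnet ftp"

# audit_inetd FILE: print "service protocol server-program" for every
# cleartext service that is still enabled (its line is not commented out).
audit_inetd() {
    awk -v watch="$CLEARTEXT_SERVICES" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) risky[w[i]] = 1 }
        /^[ \t]*#/ { next }          # commented out, so inetd ignores it
        NF < 6     { next }          # not a complete service entry
        {
            svc = $1
            sub(/^.*:/, "", svc)     # drop an optional "address:" prefix
            if (svc in risky) print svc, $3, $6
        }
    ' "$1"
}

# audit_rhosts FILE: print "lineno: entry" for wildcard trust entries, where
# "+" in the host or user field means "any host" or "any user".
audit_rhosts() {
    awk '
        /^[ \t]*(#|$)/ { next }
        $1 == "+" || $2 == "+" { print NR ": " $0 }
    ' "$1"
}

# write_samples DIR: create the constructed sample files used by the demo.
write_samples() {
    cat > "$1/inetd.conf" <<'EOF'
#ftp     stream tcp nowait root /usr/libexec/ftpd    ftpd
telnet   stream tcp nowait root /usr/libexec/telnetd telnetd
127.0.0.1:shell stream tcp nowait root /usr/libexec/rshd rshd
daytime  stream tcp nowait root internal
#login   stream tcp nowait root /usr/libexec/rlogind rlogind
EOF
    cat > "$1/rhosts" <<'EOF'
# trusted build host
build01.example.org dist
+ +
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "Enabled cleartext services:"
audit_inetd "$demo_dir/inetd.conf"
echo "Wildcard trust entries:"
audit_rhosts "$demo_dir/rhosts"
rm -rf "$demo_dir"
```

On the constructed samples it reports telnet and the loopback-bound rsh entry as enabled and flags the `+ +` line, while the commented-out ftp and login entries are skipped.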
The problem when rsh and ftp are removed, is that there is no way to transfer files at wire speed. ssh is too slow for 100Mbit networks, let alone gigabit. Is there any software that solves this problem, perhaps with secure authentication and protection against alteration of the data stream?
Pulling Perl from the base package will limit the flexibility for many of the set up scripts but I can see where the size of Perl has gotten way out of hand. Maybe they should look at mini-perl (the one perl uses to configure itself) might be worth considering.
The R commands need to go away but I'm wondering if the best option is to fix them properly. The idea here is to put together a library (maybe a fork of getops) so that you can take most standard programs that use stdio and make r versions of them by linking to the proper library. This way things like rmt (remote mag tape) and its friends restore and dump would all still work in a modern environment. There is no current version of dump or restore that works the way old rmt versions do and most of us still like to do backups from time to time.
One more crippling bombshell hit the already beleaguered *BSD community when IDC confirmed that *BSD market share has dropped yet again, now down to less than a fraction of 1 percent of all servers. Coming on the heels of a recent Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as fittingly exemplified by failing dead last in the recent Sys Admin comprehensive networking test.
You don't need to be a Kreskin to predict *BSD's future. The handwriting is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood.
FreeBSD is the most endangered of them all, having lost 93% of its core developers. The sudden and unpleasant departures of long time FreeBSD developers Jordan Hubbard and Mike Smith only serve to underscore the point more clearly. There can no longer be any doubt: FreeBSD is dying.
Let's keep to the facts and look at the numbers.
OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.
Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.
All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS dilettante dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.
Fact: *BSD is dying
While i admit that the r* tools aren't designed with security in mind, and their use should be discouraged.. there ARE cases where they are very useful. For instance, i run a network of a large number of unix machines of differing flavours.. and the r* tools are standard on all of them.
So usually i end up using rcp to download files to a new machine from a distribution server, rcp dist@ip:/files/bleh . is much easier than ftping or using scp, and since the access is download-only and anonymous.. i'm not really bothered about someone else sniffing the connection. r* is also much faster than s*, since there is no encryption overhead... downloading large files over a 100mbit switched lan where the fileserver is a p200, is certainly a LOT quicker.
FTP/Telnet DEFINITELY should not be removed, the telnet command has far more uses than connecting to dedicated telnet servers, for instance you can use it to test other text-based protocols like smtp, http and pop3.
FTP also, like rcp.. is very useful for file distribution.. If you have files you want people to access easily, such as opensource software.. it makes sense to use a low overhead protocol like ftp, rather than an encryption-heavy protocol. After all, who is going to bother sniffing your traffic if they can just download the files themselves anyway?
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
That's a really good idea.... by removing routed from the system, the chances of a remote exploit go down significantly.
I'll have something intelligent to add one of these days...