[Beowulf] High Performance SSH/SCP

Tim Cutts tjrc at sanger.ac.uk
Thu Feb 14 18:54:24 EST 2008


On 14 Feb 2008, at 7:45 pm, Robert G. Brown wrote:

> What the openssh people don't seem to "get" is that by FORCING  
> people to
> use encryption, they are actually keeping rsh alive and a potential
> security risk for all sorts of people in the cluster business for whom
> performance is more important than security given their networking
> environment and goals.  Otherwise, who would ever install it?

Hear, hear.  The openssh folks aren't alone in this; it's a common  
ailment afflicting authors of "security" software.  They think they  
know better than the sysadmin.  It's for your own good, now take your  
medicine.  Personally, I'm with you - give the sysadmin the choice.   
I've had similar arguments in the past with the author of rssh, a  
restricted shell useful for cvs servers and the like.  He refused to  
add support for allowing the user to change their password, because  
his view was that password authentication is evil and all users should  
be forced to use key authentication at all times.  Oh great, so now I  
have users who ssh in using a private key for authentication over  
which I have no control - I have no idea whether it's held securely,  
whether it has a decent passphrase, or anything.  At least if they  
were using passwords I could periodically run a cracker on the passwd  
file and check their password is sane.  It's a similar scenario.  The  
authors' high and mighty principles don't actually necessarily make my  
systems any more secure at all, quite possibly the reverse.  Quite  
apart from the extra workload it puts on me.  The average scientist  
doesn't really want to have to learn about ssh-agent and all that stuff.

Tim


-- 
 The Wellcome Trust Sanger Institute is operated by Genome Research 
 Limited, a charity registered in England with number 1021457 and a 
 company registered in England with number 2742969, whose registered 
 office is 215 Euston Road, London, NW1 2BE. 
_______________________________________________
Beowulf mailing list, Beowulf at beowulf.org
To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/listinfo/beowulf

!DSPAM:47b4d53336552889862676!



More information about the Beowulf mailing list