At 08:14 26-11-02 +0800, John Summerfield wrote:
If you prefer security, remove those packages and use openssh instead. ssh provides the functions of rsh with (at least) equal convenience and much better security.
Generally speaking this is obviously true, but depending on your environment things may be slightly different. The most obvious problem with rsh and friends is that the password is sent as readable plain text. This is probably not something you want to do on a network where people can sniff the traffic, but it may be good enough on a virtual network between two Linux guests where z/VM decides who can see the traffic on the network.
Nor do I know a reason to prefer rexec over ssh.
Assuming you have an ssh client on the platform where you want to issue the command... Things like 'rexec' are very easy to code in any environment and can provide an interesting solution for people who need to issue Linux commands from z/OS jobs or z/VM userids. With tcpwrappers and/or netfilter you can limit access to those facilities if you need to.

I believe understanding security for your system is more than running standard shell scripts to hack config files. We see customers insist on restricting root access to the /dev/vc[1-6] devices (though we don't have those on S/390). Or they insist on having an /etc/ftpusers (even when we don't run ftpd). Standards only work when the systems are similar enough. Enforcing the wrong standards does not always hurt, but it does not always do the job either.

Another reason to prefer rexec over ssh is the cost of encryption. The FAQ tells you not to worry about the cost of encryption because the CPU is fast enough to keep up with the network. This may be true on Intel with Fast Ethernet. But it is not true on a z900 with Guest LAN, where unused CPU cycles can be used by others. If you try this with a lot of data you will see that 3DES will slow you down by 1-2 orders of magnitude while burning an entire CPU at either side. Sure, if it is necessary it must be done (but a less expensive encryption could help you by a factor of 5), but if you have your own Private Virtual Network then 'rcp' runs another 10 times as fast.

Rob
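Added example (not part of the original message): one way to apply the tcpwrappers and netfilter restriction mentioned above, so that rexec, rlogin and rsh/rcp answer only to a trusted guest LAN. The network 10.0.1.0/255.255.255.0, the daemon names and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: limit the r-services to one trusted network.
# IANA ports: exec (rexec) 512, login (rlogin) 513, shell (rsh/rcp) 514.
R_PORTS="512,513,514"
# Daemon names as shipped by common Linux rsh-server packages (assumption).
R_DAEMONS="in.rexecd in.rshd in.rlogind"

# Shape check only: network/dotted-netmask, nothing but digits, dots and
# one slash, so the value is safe to embed in generated rule text.
valid_net() {
    case $1 in ''|*[!0-9./]*) return 1 ;; esac
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# netfilter: print an iptables-restore fragment that accepts the trusted
# network, then logs and drops everyone else. Load with "iptables-restore -n".
rservices_rules() {
    valid_net "$1" || { echo "bad network: $1" >&2; return 1; }
    cat <<EOF
*filter
-A INPUT -p tcp -m multiport --dports $R_PORTS -s $1 -j ACCEPT
-A INPUT -p tcp -m multiport --dports $R_PORTS -j LOG --log-prefix "rsvc-denied: "
-A INPUT -p tcp -m multiport --dports $R_PORTS -j DROP
COMMIT
EOF
}

# tcpwrappers: the line for /etc/hosts.allow ...
wrappers_allow() {
    valid_net "$1" || { echo "bad network: $1" >&2; return 1; }
    printf '%s : %s\n' "$R_DAEMONS" "$1"
}

# ... and the catch-all line for /etc/hosts.deny.
wrappers_deny() { printf '%s : ALL\n' "$R_DAEMONS"; }

# Constructed sample: a private guest LAN at 10.0.1.0/24.
TRUSTED_NET=${TRUSTED_NET:-10.0.1.0/255.255.255.0}
rservices_rules "$TRUSTED_NET"
wrappers_allow "$TRUSTED_NET"
wrappers_deny
```

The hosts.allow and hosts.deny lines only take effect when the daemons are started through tcpd or a super-server built with libwrap; the netfilter rules apply regardless.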
