On Tuesday, 09/20/2011 at 05:09 EDT, David Boyes <[email protected]> wrote:

> > Well, if you have a little knowledge about iptables, you could trigger some
> > action when someone tries to connect to some port.
> > So by telnet to for example port 48113, and have iptables trigger this and
> > start a script that reads from a predefined cms-filename, you have the trigger
> > functionality there.
> >
> > Maybe this is some overkill... :)
>
> Big problem here: no authentication of originator (telnet doesn't do that), no
> way to set the effective uid of the executor (do you want all your users
> executing things as root?) and there's no way to return values to the
> originator. Rsh (for all its warts) at least does these 3 things right.

Amen. In any peer-peer protocol, there are two important attributes:
1. Authentication
2. Privacy

Rsh on an internal z/VM virtual network achieves both. Things like Live Guest Relocation introduce an anomaly into the equation, since what appears as "internal" one moment may in fact be "remote" at the next.

Of course, protocol security discussions rarely deal with common sense, but with Rules Made To Be Followed Without Exception Because My Grandfather Told Me So. Hence the descent into "rsh/rexec madness" and the unblinking acceptance of unsecured telnet. Go figure. (I can't believe that in 2011 secure telnet is not de rigueur.)

Alan Altmark
Senior Managing z/VM and Linux Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323
mobile: 607.321.7556
[email protected]
IBM Endicott

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For more information on Linux on System z, visit
http://wiki.linuxvm.org/
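The thread above contrasts the "telnet to a port and let iptables fire a script" trick with rsh on three points: authenticating the originator, controlling the effective uid of whatever runs, and returning a result to the caller. The following is an added example written for this archive page, not code from the thread or from any of the posters, of a small trigger service that does all three. The shared secret, the trigger table, the wire format (JSON body plus an HMAC-SHA256 tag), the unprivileged uid and every function name are assumptions; the example covers authentication, uid control and return values only, and does not provide transport privacy, which Alan's second attribute would require (for example TLS on the socket).

```python
"""Assumed authenticated trigger service (example for the LINUX-390 archive page, not the list's code).

Properties demonstrated, matching the three raised in the thread:
  1. the originator is authenticated with an HMAC over the request (plus a
     timestamp and nonce so a captured request cannot simply be replayed),
  2. the action runs under a fixed unprivileged uid, never as the listener's root,
  3. the exit status and output are returned to the originator.
Only a trigger *name* crosses the wire; the command it maps to is fixed server-side,
which is the role the "predefined cms-filename" plays in the original suggestion.
"""
import hashlib
import hmac
import json
import os
import secrets
import socket
import subprocess
import sys
import time

SHARED_SECRET = b"assumed-shared-secret"  # assumption: provisioned out of band, per originator in practice
# Assumed allowlist: trigger name -> argv. A portable stand-in for "start a script".
TRIGGERS = {"hello": [sys.executable, "-c", "print('trigger fired')"]}
RUN_AS_UID = 65534          # assumption: an unprivileged uid ("nobody" on many systems)
MAX_SKEW_SECONDS = 60       # reject requests whose timestamp is too old or too far ahead
_seen_nonces = set()        # replay cache; a real service would bound and expire it


def build_request(user, trigger, secret=SHARED_SECRET, now=None):
    """Client side: serialize the request and append an HMAC-SHA256 tag."""
    body = {"user": user, "trigger": trigger,
            "ts": int(now or time.time()), "nonce": secrets.token_hex(8)}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + tag


def verify_request(raw, secret=SHARED_SECRET, now=None):
    """Server side: check the tag, freshness, replay and allowlist. Returns (body, reason)."""
    payload, _, tag = raw.rpartition(b".")          # the hex tag never contains a dot
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):       # constant-time comparison
        return None, "bad mac"
    body = json.loads(payload)
    if abs(int(now or time.time()) - body["ts"]) > MAX_SKEW_SECONDS:
        return None, "stale"
    if body["nonce"] in _seen_nonces:
        return None, "replay"
    _seen_nonces.add(body["nonce"])
    if body["trigger"] not in TRIGGERS:
        return None, "unknown trigger"
    return body, "ok"


def _drop_privileges():
    """preexec hook: if the listener runs as root, the action still runs as RUN_AS_UID."""
    if os.geteuid() == 0:
        os.setgroups([])
        os.setgid(RUN_AS_UID)
        os.setuid(RUN_AS_UID)


def run_trigger(raw, secret=SHARED_SECRET, now=None):
    """Verify a raw request, run the mapped action unprivileged, and return a result dict."""
    body, reason = verify_request(raw, secret, now)
    if body is None:
        return {"ok": False, "error": reason}
    proc = subprocess.run(TRIGGERS[body["trigger"]], capture_output=True,
                          text=True, preexec_fn=_drop_privileges)
    return {"ok": True, "user": body["user"], "rc": proc.returncode,
            "output": proc.stdout.strip()}


def serve(host="127.0.0.1", port=48113):
    """Minimal TCP listener: one request per connection, JSON reply to the originator."""
    with socket.create_server((host, port)) as srv:
        while True:
            conn, _ = srv.accept()
            with conn:
                raw = conn.recv(4096)
                conn.sendall(json.dumps(run_trigger(raw)).encode())


if __name__ == "__main__":
    # Local round trip without the network, using the constructed request below.
    print(run_trigger(build_request("alice", "hello")))
```

The port number reuses 48113 from the original suggestion only as a placeholder. The nonce set makes a second submission of the same request fail as a replay; the timestamp window limits how long a stolen request stays usable, and neither check is available when the "request" is a bare TCP connection attempt seen by iptables.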
