>Is your hesitance to use these utilities simply because they are as
>insecure as the standard r* utils, or are they particularly more insecure
>in some way? I thought someone had mentioned a while back that they
>hadn't been maintained, and were probably riddled with buffer overflows
>(like the ftpd-glob thing last year).

It's not obvious until you look at them closely, but they pass over the secret information stored in every token (the session key) in the clear, so an eavesdropper could get all of the information they would need to construct a valid token (which would only be good for the lifetime of the token, but still ...). That's the "insecure" part about them.

Mind you, we used to use them until we switched over to V5, but I understood the risks and was willing to take them as part of the migration process (it wasn't worse than anything else we were doing at the time).

--Ken

_______________________________________________
OpenAFS-devel mailing list
[EMAIL PROTECTED]
https://lists.openafs.org/mailman/listinfo/openafs-devel
