[RFC] Add CrackLib to Chapter 6 LFS

Matthew Burgess matthew at linuxfromscratch.org
Fri Aug 5 04:21:47 PDT 2005


Kev Buckley wrote:

> If LFS is going to be *secure*, then personally I hope you guys get
> rid of most of the inetutils clients

Well, we already remove the servers, so by removing the clients we may 
as well just remove the entire package :)  Seriously though, secure 
versions for most of those clients are available:

ftp (FHS-3.4.3) -> sftp
ping (FHS-3.4.3) -> ???
rcp -> scp
rlogin -> ???
rsh -> ssh
talk (POSIX) -> ???
telnet -> ssh
tftp (FHS-3.4.3) -> sftp

As you can see, the FHS only stipulates that ftp and tftp should be on a 
system when "restoration of a system is planned through the network". 
'ping' is a tough one though.  The FHS says it should be in '/bin' "if 
the corresponding subsystem is installed".  I assume in this example, 
the corresponding subsystem would be networking, right?  The LSB doesn't 
mention any of the binaries in 
http://refspecs.freestandards.org/LSB_3.0.0/LSB-Core-generic/LSB-Core-generic/command.html#TBL-CMDS 
either.  The POSIX SUSv3 standard lists 'talk' as optional, and doesn't 
mention the other utilities at all.

Whilst researching this was quite enlightening, I think that such system 
hardening really does fall into "your distro, your rules".  Clients such 
as ftp and telnet are still largely useful, and therefore I think it 
should be up to each sysadmin to determine whether they definitely do 
not require the functionality they provide.

Regards,

Matt.


