[7722] in Release_7.7_team
Re: flag day for fingerd
daemon@ATHENA.MIT.EDU (Jonathan Reed)
Thu Feb 9 10:24:37 2012
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset=us-ascii
From: Jonathan Reed <jdreed@MIT.EDU>
In-Reply-To: <alpine.GSO.1.10.1202090115000.882@multics.mit.edu>
Date: Thu, 9 Feb 2012 10:24:37 -0500
Cc: release-team@MIT.EDU
Message-Id: <CF2C1622-F96C-470D-A747-E6C837555107@MIT.EDU>
To: Benjamin Kaduk <kaduk@MIT.EDU>
Content-Transfer-Encoding: 8bit
On Feb 9, 2012, at 1:19 AM, Benjamin Kaduk wrote:
> On Tue, 7 Feb 2012, Jonathan Reed wrote:
>
>> Let's plan on cutting off fingerd in the clusters at some point soon. Let's pick March 1 (Thurs) because why not. I would like to accomplish this by simply punting fingerd from the metapackages, and sending mail to debathena-announce saying "If you want to run a fingerd, install the package yourself".
>>
>> People should speak up with objections to this.
>
> Sorry for the delay in responding.
> I wasn't at the meeting where this issue was covered previously, but I was rather under the impression that there was not really a resolution about whether we were okay having unstaffed clusters with no fingerds running.
>
> Geoffrey had come up with the possibility of restricting which IPs can communicate with fingerd via xinetd configuration, which (if it proves fruitful) seems quite reasonable to me as a way to prevent abusive behavior. I personally would feel uncomfortable just turning off fingerd, and would like to pursue this option in more detail.
I've asked bbaren to look into both rate-limiting and IP-restricting fingerd and coming up with a prototype.
Tabled until I hear back from him.
-Jon