[ITA] rsh-0.17-3

classic Classic list List threaded Threaded
22 messages Options
12
Reply | Threaded
Open this post in threaded view
|

[ITA] rsh-0.17-3

Takashi Yano
Hi,

I would like to take over the maintenance of rsh package, which is
currently orphaned. I have already prepared an updated rsh package
as follows.


Change History

---------- rsh-0.17-3 -- 2018 Jul 11 -----------
* Introduced some new patches from fedora
* Added IPv6 support to rexec and rcp

Package Files:

D=http://tyan0.dip.jp/cygwin
${D}/x86_64/release/rsh/rsh-0.17-3.hint
${D}/x86_64/release/rsh/rsh-0.17-3-src.tar.xz
${D}/x86_64/release/rsh/rsh-debuginfo/rsh-debuginfo-0.17-3.tar.xz
${D}/x86_64/release/rsh/rsh-debuginfo/rsh-debuginfo-0.17-3.hint
${D}/x86_64/release/rsh/rsh-0.17-3.tar.xz
${D}/x86_64/release/rsh/rsh-server/rsh-server-0.17-3.tar.xz
${D}/x86_64/release/rsh/rsh-server/rsh-server-0.17-3.hint
${D}/x86/release/rsh/rsh-0.17-3.hint
${D}/x86/release/rsh/rsh-0.17-3-src.tar.xz
${D}/x86/release/rsh/rsh-debuginfo/rsh-debuginfo-0.17-3.tar.xz
${D}/x86/release/rsh/rsh-debuginfo/rsh-debuginfo-0.17-3.hint
${D}/x86/release/rsh/rsh-0.17-3.tar.xz
${D}/x86/release/rsh/rsh-server/rsh-server-0.17-3.tar.xz
${D}/x86/release/rsh/rsh-server/rsh-server-0.17-3.hint

--
Takashi Yano <[hidden email]>
Reply | Threaded
Open this post in threaded view
|

Re: [ITA] rsh-0.17-3

ASSI
Takashi Yano writes:
> I would like to take over the maintenance of rsh package, which is
> currently orphaned. I have already prepared an updated rsh package
> as follows.

Actually, we should remove rsh without replacement.


Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptation for Waldorf microQ V2.22R2:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada
Reply | Threaded
Open this post in threaded view
|

Re: [ITA] rsh-0.17-3

Takashi Yano
On Mon, 16 Jul 2018 10:34:48 +0200
Achim Gratz <[hidden email]> wrote:
> Actually, we should remove rsh without replacement.

I agree rlogin/rsh/rexec are outdated. However, most major Linux
and BSD distributions still provide them as a package.

Should not Cygwin follow these as well?

--
Takashi Yano <[hidden email]>
Reply | Threaded
Open this post in threaded view
|

Re: [ITA] rsh-0.17-3

ASSI
Takashi Yano writes:
> I agree rlogin/rsh/rexec are outdated. However, most major Linux
> and BSD distributions still provide them as a package.
>
> Should not Cygwin follow these as well?

Even on the UN*X side the r-tools have been deprecated for so long it
doesn't really make sense to use them anymore.  The only sane way to use
them is in fully isolated networks and I haven't seen any of those in
decades.  With Cygwin running on top of Windows there is ahole other set
of issues to deal with and that makes it even more inappropriate to even
offer those tools.  IMHO, deferring to the security lead for Cygwin.


Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptations for Waldorf Q V3.00R3 and Q+ V3.54R2:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada
Reply | Threaded
Open this post in threaded view
|

Re: [ITA] rsh-0.17-3

Corinna Vinschen-2
On Jul 16 11:03, Achim Gratz wrote:

> Takashi Yano writes:
> > I agree rlogin/rsh/rexec are outdated. However, most major Linux
> > and BSD distributions still provide them as a package.
> >
> > Should not Cygwin follow these as well?
>
> Even on the UN*X side the r-tools have been deprecated for so long it
> doesn't really make sense to use them anymore.  The only sane way to use
> them is in fully isolated networks and I haven't seen any of those in
> decades.  With Cygwin running on top of Windows there is ahole other set
> of issues to deal with and that makes it even more inappropriate to even
> offer those tools.  IMHO, deferring to the security lead for Cygwin.
We have a security lead?


Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: [ITA] rsh-0.17-3

Corinna Vinschen-2
On Jul 16 11:16, Corinna Vinschen wrote:

> On Jul 16 11:03, Achim Gratz wrote:
> > Takashi Yano writes:
> > > I agree rlogin/rsh/rexec are outdated. However, most major Linux
> > > and BSD distributions still provide them as a package.
> > >
> > > Should not Cygwin follow these as well?
> >
> > Even on the UN*X side the r-tools have been deprecated for so long it
> > doesn't really make sense to use them anymore.  The only sane way to use
> > them is in fully isolated networks and I haven't seen any of those in
> > decades.  With Cygwin running on top of Windows there is ahole other set
> > of issues to deal with and that makes it even more inappropriate to even
> > offer those tools.  IMHO, deferring to the security lead for Cygwin.
>
> We have a security lead?
Personally I agree with Takashi, btw.  Linux still provides the old r*
tools including rsh-server.  There may still be legit uses of the tools
in controlled environments.  if we remove all packages which can be used
to shoot yourself in the foot, there's not much left, I guess.

As a compromise, we could continue to provide the client package and
just discontinue the server package, but it's your choice.


Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: [ITA] rsh-0.17-3

ASSI
In reply to this post by Corinna Vinschen-2
Corinna Vinschen writes:
> We have a security lead?

I thought Yaakov was holding that title.  :-)


Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Wavetables for the Terratec KOMPLEXER:
http://Synth.Stromeko.net/Downloads.html#KomplexerWaves
Reply | Threaded
Open this post in threaded view
|

Re: [ITA] rsh-0.17-3

Corinna Vinschen-2
On Jul 16 12:06, Achim Gratz wrote:
> Corinna Vinschen writes:
> > We have a security lead?
>
> I thought Yaakov was holding that title.  :-)

Excellent, as long as it's not me ;)


Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: [ITA] rsh-0.17-3

cyg Simple
In reply to this post by Corinna Vinschen-2
On 7/16/2018 5:32 AM, Corinna Vinschen wrote:

> On Jul 16 11:16, Corinna Vinschen wrote:
>> On Jul 16 11:03, Achim Gratz wrote:
>>> Takashi Yano writes:
>>>> I agree rlogin/rsh/rexec are outdated. However, most major Linux
>>>> and BSD distributions still provide them as a package.
>>>>
>>>> Should not Cygwin follow these as well?
>>>
>>> Even on the UN*X side the r-tools have been deprecated for so long it
>>> doesn't really make sense to use them anymore.  The only sane way to use
>>> them is in fully isolated networks and I haven't seen any of those in
>>> decades.  With Cygwin running on top of Windows there is ahole other set
>>> of issues to deal with and that makes it even more inappropriate to even
>>> offer those tools.  IMHO, deferring to the security lead for Cygwin.
>>
>> We have a security lead?
>
> Personally I agree with Takashi, btw.  Linux still provides the old r*
> tools including rsh-server.  There may still be legit uses of the tools
> in controlled environments.  if we remove all packages which can be used
> to shoot yourself in the foot, there's not much left, I guess.
>

As security in businesses tend to require ssh over rsh the only use of
rsh I've seen recently is for legacy applications that used rsh and
currently have no maintenance.  Does Cygwin have any of those?  I think
it would be a less than 1% chance.

> As a compromise, we could continue to provide the client package and
> just discontinue the server package, but it's your choice.
>

What use would there be even for the client?  Even in my home mode
connecting to BlueHost or any other such service I need ssh to connect
to my server.

--
cyg Simple
Reply | Threaded
Open this post in threaded view
|

Re: [ITA] rsh-0.17-3

Stephen John Smoogen
On 16 July 2018 at 09:54, cyg Simple <[hidden email]> wrote:

> On 7/16/2018 5:32 AM, Corinna Vinschen wrote:
>> On Jul 16 11:16, Corinna Vinschen wrote:
>>> On Jul 16 11:03, Achim Gratz wrote:
>>>> Takashi Yano writes:
>>>>> I agree rlogin/rsh/rexec are outdated. However, most major Linux
>>>>> and BSD distributions still provide them as a package.
>>>>>
>>>>> Should not Cygwin follow these as well?
>>>>
>>>> Even on the UN*X side the r-tools have been deprecated for so long it
>>>> doesn't really make sense to use them anymore.  The only sane way to use
>>>> them is in fully isolated networks and I haven't seen any of those in
>>>> decades.  With Cygwin running on top of Windows there is ahole other set
>>>> of issues to deal with and that makes it even more inappropriate to even
>>>> offer those tools.  IMHO, deferring to the security lead for Cygwin.
>>>
>>> We have a security lead?
>>
>> Personally I agree with Takashi, btw.  Linux still provides the old r*
>> tools including rsh-server.  There may still be legit uses of the tools
>> in controlled environments.  if we remove all packages which can be used
>> to shoot yourself in the foot, there's not much left, I guess.
>>
>
> As security in businesses tend to require ssh over rsh the only use of
> rsh I've seen recently is for legacy applications that used rsh and
> currently have no maintenance.  Does Cygwin have any of those?  I think
> it would be a less than 1% chance.
>
>> As a compromise, we could continue to provide the client package and
>> just discontinue the server package, but it's your choice.
>>
>
> What use would there be even for the client?  Even in my home mode
> connecting to BlueHost or any other such service I need ssh to connect
> to my server.
>

Most of the rsh usage is going to be legacy hardware and systems which
various places still have in good numbers. Various industrial and lab
components might have been built in 1995 and is slower than your
iphone but the replacement costs tens or hundreds of millions of
dollars... (and still uses rsh for backwards compatibility). Payroll
systems in other places use rsh and rcp and cost large amounts to
'upgrade'. The people running these don't show up mailing lists
because they may not even know that the system uses rsh/telnet or some
other obscure thing.. they just run a script on a Windows desktop that
someone wrote years ago. They only show up when stuff stops working.


> --
> cyg Simple



--
Stephen J Smoogen.
Reply | Threaded
Open this post in threaded view
|

Re: [ITA] rsh-0.17-3

cyg Simple
On 7/16/2018 10:02 AM, Stephen John Smoogen wrote:

>
> Most of the rsh usage is going to be legacy hardware and systems which
> various places still have in good numbers. Various industrial and lab
> components might have been built in 1995 and is slower than your
> iphone but the replacement costs tens or hundreds of millions of
> dollars... (and still uses rsh for backwards compatibility). Payroll
> systems in other places use rsh and rcp and cost large amounts to
> 'upgrade'. The people running these don't show up mailing lists
> because they may not even know that the system uses rsh/telnet or some
> other obscure thing.. they just run a script on a Windows desktop that
> someone wrote years ago. They only show up when stuff stops working.
>

But are those scripts Cygwin?  I doubt they are.  Do you have proof of any?

--
cyg Simple
Reply | Threaded
Open this post in threaded view
|

Re: [ITA] rsh-0.17-3

Stephen John Smoogen
On 16 July 2018 at 10:22, cyg Simple <[hidden email]> wrote:

> On 7/16/2018 10:02 AM, Stephen John Smoogen wrote:
>
>>
>> Most of the rsh usage is going to be legacy hardware and systems which
>> various places still have in good numbers. Various industrial and lab
>> components might have been built in 1995 and is slower than your
>> iphone but the replacement costs tens or hundreds of millions of
>> dollars... (and still uses rsh for backwards compatibility). Payroll
>> systems in other places use rsh and rcp and cost large amounts to
>> 'upgrade'. The people running these don't show up mailing lists
>> because they may not even know that the system uses rsh/telnet or some
>> other obscure thing.. they just run a script on a Windows desktop that
>> someone wrote years ago. They only show up when stuff stops working.
>>
>
> But are those scripts Cygwin?  I doubt they are.  Do you have proof of any?
>

I don't have any recent proof. Most of mine is 6-8 years old so I
can't say if they are still in production. I am extrapolating of what
people ask on IRC and mailing lists at times and going by experience
of where that software would have been used and why it takes forever
to get rid of it. [I don't like rsh/rlogin/rcp and would prefer it was
gone. I just have found that fighting that battle has a very very long
tail of "oh we still use that... yeah we are running a RSX11
controller now on an ARM chip but its embedded software only talks rsh
so lets put an SSH proxy on this windows box and have it rsh to it." ]

I also don't have any recent proof that 90-95% of the software in the
Cygwin distribution is used anywhere. I just have hearsay that people
use X and various network servers on it..  so if my proof is needed to
keep stuff in.. I would expect a lot smaller distribution soon.


> --
> cyg Simple



--
Stephen J Smoogen.
Reply | Threaded
Open this post in threaded view
|

Re: [ITA] rsh-0.17-3

Corinna Vinschen-2
On Jul 16 11:09, Stephen John Smoogen wrote:

> On 16 July 2018 at 10:22, cyg Simple <[hidden email]> wrote:
> > On 7/16/2018 10:02 AM, Stephen John Smoogen wrote:
> >
> >>
> >> Most of the rsh usage is going to be legacy hardware and systems which
> >> various places still have in good numbers. Various industrial and lab
> >> components might have been built in 1995 and is slower than your
> >> iphone but the replacement costs tens or hundreds of millions of
> >> dollars... (and still uses rsh for backwards compatibility). Payroll
> >> systems in other places use rsh and rcp and cost large amounts to
> >> 'upgrade'. The people running these don't show up mailing lists
> >> because they may not even know that the system uses rsh/telnet or some
> >> other obscure thing.. they just run a script on a Windows desktop that
> >> someone wrote years ago. They only show up when stuff stops working.
> >>
> >
> > But are those scripts Cygwin?  I doubt they are.  Do you have proof of any?
> >
>
> I don't have any recent proof. Most of mine is 6-8 years old so I
> can't say if they are still in production. I am extrapolating of what
> people ask on IRC and mailing lists at times and going by experience
> of where that software would have been used and why it takes forever
> to get rid of it. [I don't like rsh/rlogin/rcp and would prefer it was
> gone. I just have found that fighting that battle has a very very long
> tail of "oh we still use that... yeah we are running a RSX11
> controller now on an ARM chip but its embedded software only talks rsh
> so lets put an SSH proxy on this windows box and have it rsh to it." ]
>
> I also don't have any recent proof that 90-95% of the software in the
> Cygwin distribution is used anywhere. I just have hearsay that people
> use X and various network servers on it..  so if my proof is needed to
> keep stuff in.. I would expect a lot smaller distribution soon.
... but we could probably fit the entire distro on a CD again ;)


Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: [ITA] rsh-0.17-3

ASSI
In reply to this post by Corinna Vinschen-2
Corinna Vinschen writes:
> Personally I agree with Takashi, btw.  Linux still provides the old r*
> tools including rsh-server.  There may still be legit uses of the tools
> in controlled environments.  if we remove all packages which can be used
> to shoot yourself in the foot, there's not much left, I guess.

I would normally agree, but in this particular case I've never seen an
environment controlled enough to allow this safely and certainly not
anywhere near anything running Windows.  I'm not saying it isn't
possible or it doesn't exist, it's just that setting it up is going to
take more work than using SSH.  If the real reason is legacy equipment
(I actually have to deal with that, just not with rsh specifically),
then I'd rather put an access relay in front of it than compromise my
entire network.  This stuff usually has a bunch of other quirks/problems
that you don't want to expose.

> As a compromise, we could continue to provide the client package and
> just discontinue the server package, but it's your choice.

You'd still send all sensitive information over the network.

I've just checked and openSUSE no longer offers the netkit tools.  There
are packages for mrsh (using munge authentication) and compat packages
providing rsh/rcp and the respective daemons.

Debian optionally replaces the rsh-server with rsh-redone-server and
rsh-client with openssh-client (i.e. these provide some or all
functionality of the corresponding netkit packages).


Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Wavetables for the Terratec KOMPLEXER:
http://Synth.Stromeko.net/Downloads.html#KomplexerWaves
Reply | Threaded
Open this post in threaded view
|

Re: [ITA] rsh-0.17-3

Takashi Yano
In reply to this post by cyg Simple
On Mon, 16 Jul 2018 09:54:02 -0400
cyg Simple wrote:
> On 7/16/2018 5:32 AM, Corinna Vinschen wrote:
> > As a compromise, we could continue to provide the client package and
> > just discontinue the server package, but it's your choice.
>
> What use would there be even for the client?  Even in my home mode
> connecting to BlueHost or any other such service I need ssh to connect
> to my server.

The existence of the rsh package itself does not pose a vulnerability
to cygwin. People who do not need rsh package do not have to install it.

Should not it leaves on users to decide whether to install or not?
I think that it is better for users to have a choice.

--
Takashi Yano <[hidden email]>
Reply | Threaded
Open this post in threaded view
|

Re: [ITA] rsh-0.17-3

cyg Simple
On 7/16/2018 12:06 PM, Takashi Yano wrote:

> On Mon, 16 Jul 2018 09:54:02 -0400
> cyg Simple wrote:
>> On 7/16/2018 5:32 AM, Corinna Vinschen wrote:
>>> As a compromise, we could continue to provide the client package and
>>> just discontinue the server package, but it's your choice.
>>
>> What use would there be even for the client?  Even in my home mode
>> connecting to BlueHost or any other such service I need ssh to connect
>> to my server.
>
> The existence of the rsh package itself does not pose a vulnerability
> to cygwin. People who do not need rsh package do not have to install it.
>
> Should not it leaves on users to decide whether to install or not?
> I think that it is better for users to have a choice.
>

Not when the number of users is less than the requirements to keep the
resource.  You package it, upload it to Cygwin servers and then it is
copied to many servers as a mirror for it to sit and not be used.  It
doesn't sit well for Cygwin to waste such resources for software
technology that has been dying for decades.  Remove it and let the
masses change their habits.  I know it's a pain as I've experienced the
removal of rsh access when I was working but changes were made and we
adapted to the change.

--
cyg Simple
Reply | Threaded
Open this post in threaded view
|

Re: [ITA] rsh-0.17-3

Brian Inglis
In reply to this post by cyg Simple
On 2018-07-16 08:22, cyg Simple wrote:

> On 7/16/2018 10:02 AM, Stephen John Smoogen wrote:
>> Most of the rsh usage is going to be legacy hardware and systems which
>> various places still have in good numbers. Various industrial and lab
>> components might have been built in 1995 and is slower than your
>> iphone but the replacement costs tens or hundreds of millions of
>> dollars... (and still uses rsh for backwards compatibility). Payroll
>> systems in other places use rsh and rcp and cost large amounts to
>> 'upgrade'. The people running these don't show up mailing lists
>> because they may not even know that the system uses rsh/telnet or some
>> other obscure thing.. they just run a script on a Windows desktop that
>> someone wrote years ago. They only show up when stuff stops working.
> But are those scripts Cygwin?  I doubt they are.  Do you have proof of any?

More likely to be command scripts and NT/XP rcp/rexec/rsh utilities which I
wrote and used in NT/XP days before OpenSSH.
It's more likely those would be replaced in legacy systems with standalone
MinGW/native versions than a suite requiring Cygwin.
As Corinna says that's no reason not to let people shoot themselves in the foot.

--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
Reply | Threaded
Open this post in threaded view
|

Re: [ITA] rsh-0.17-3

Corinna Vinschen-2
In reply to this post by Takashi Yano
On Jul 17 01:06, Takashi Yano wrote:

> On Mon, 16 Jul 2018 09:54:02 -0400
> cyg Simple wrote:
> > On 7/16/2018 5:32 AM, Corinna Vinschen wrote:
> > > As a compromise, we could continue to provide the client package and
> > > just discontinue the server package, but it's your choice.
> >
> > What use would there be even for the client?  Even in my home mode
> > connecting to BlueHost or any other such service I need ssh to connect
> > to my server.
>
> The existence of the rsh package itself does not pose a vulnerability
> to cygwin. People who do not need rsh package do not have to install it.
>
> Should not it leaves on users to decide whether to install or not?
> I think that it is better for users to have a choice.
I agree.


Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: [ITA] rsh-0.17-3

Corinna Vinschen-2
In reply to this post by ASSI
On Jul 16 17:45, Achim Gratz wrote:

> Corinna Vinschen writes:
> > Personally I agree with Takashi, btw.  Linux still provides the old r*
> > tools including rsh-server.  There may still be legit uses of the tools
> > in controlled environments.  if we remove all packages which can be used
> > to shoot yourself in the foot, there's not much left, I guess.
>
> I would normally agree, but in this particular case I've never seen an
> environment controlled enough to allow this safely and certainly not
> anywhere near anything running Windows.  I'm not saying it isn't
> possible or it doesn't exist, it's just that setting it up is going to
> take more work than using SSH.  If the real reason is legacy equipment
> (I actually have to deal with that, just not with rsh specifically),
> then I'd rather put an access relay in front of it than compromise my
> entire network.  This stuff usually has a bunch of other quirks/problems
> that you don't want to expose.
>
> > As a compromise, we could continue to provide the client package and
> > just discontinue the server package, but it's your choice.
>
> You'd still send all sensitive information over the network.
>
> I've just checked and openSUSE no longer offers the netkit tools.  There
> are packages for mrsh (using munge authentication) and compat packages
> providing rsh/rcp and the respective daemons.
>
> Debian optionally replaces the rsh-server with rsh-redone-server and
> rsh-client with openssh-client (i.e. these provide some or all
> functionality of the corresponding netkit packages).
Fedora just packs them:

  rsh-0.17-86.fc28.x86_64
  rsh-server-0.17-86.fc28.x86_64


Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: [ITA] rsh-0.17-3

Takashi Yano
In reply to this post by Corinna Vinschen-2
On Tue, 17 Jul 2018 10:24:43 +0200
Corinna Vinschen wrote:
> On Jul 17 01:06, Takashi Yano wrote:
> > Should not it leaves on users to decide whether to install or not?
> > I think that it is better for users to have a choice.
>
> I agree.

Thank you for your support.

Since security concerns have been expressed from many people, I would
like to add the following note to the package DESCRIPTION and README:

                           *** CAUTION ***
For security reasons, the use of r-commands is completely discouraged.
Instead, you should seriously consider use of the ssh related tools.
This package is mainly for compatibility.


even though README already says:

---- from here -----
Note that these clients are security nightmares, dating from a time when
the internet was a more innocent place. Not only do rlogin, rsh, and rcp
transmit your username and password unencrypted, but rexec uses .netrc-
style authentication, where your username and password are stored,
unencrypted, in a file in your home directory on every client machine,
and transmits it unencrypted to the server.

It is NOT recommended that you install or use ANY of these utilities
unless you have a VERY good reason.  All of the r* clients may be
replaced by the cryptographically secure ssh client from the cygwin
'openssh' package.

So why is this package present?  Because as insecure and flawed as they
are, the r* tools, servers, and protocols are still in wide use, and
their conspicuous absence from the cygwin distribution would be viewed
as a flaw, not a feature.
----- to here -----

--
Takashi Yano <[hidden email]>
12