Date:      Mon, 18 Jul 2005 14:44:21 +0300
From:      Vladimir Terziev <vladimir.terziev@sun-fish.com>
To:        "Daniel O'Connor" <doconnor@gsoft.com.au>
Cc:        freebsd-hackers@freebsd.org, dom@goodforbusiness.co.uk, rik@cronyx.ru
Subject:   Re: Remove Heimdal Kerberos from my FreeBSD
Message-ID:  <20050718144421.68977452.vlady@sun-fish.com>
In-Reply-To: <200507182055.57651.doconnor@gsoft.com.au>
References:  <20050716194319.4375451a.vlady@sun-fish.com> <42DB59F9.80408@cronyx.ru> <20050718113333.4ab7ebb5.vlady@sun-fish.com> <200507182055.57651.doconnor@gsoft.com.au>


   The problem is that third party software is a part of basic software, whose functionality includes authentication and authorization for host access. A bug in this third party software could become a reason for a host compromise even if the functionality of the third party software is not used (e.g. a bug in the Kerberos libs could involve sshd/telnetd compromise).

   When you really need Kerberos authentication, then rebuild the respective software in order to have it. But in that case, you'll be aware that your access-granting software depends on something else, and you'll be aware that you need to keep this something else up to date and bug-free.

	Vladimir


On Mon, 18 Jul 2005 20:55:57 +0930
"Daniel O'Connor" <doconnor@gsoft.com.au> wrote:

> On Monday 18 July 2005 18:03, Vladimir Terziev wrote:
> >    you're right about useless things, but making basic software depend on
> > these useless things is a very bad idea. I'm sure telnet & ssh are the
> > most used applications on any UNIX system, so they must not depend on any
> > third party software by default. If you need kerberized ssh or telnet, then
> > ok -- relink them to use kerberos, but why should possible bugs in kerberos
> > affect ssh & telnet when kerberos is not mandatory for their functioning?
> 
> I think this is slightly disingenuous - what is the actual penalty for linking 
> to Kerberos?
> 
> It is easy to not use Kerberos if you don't want to, but it's a major pain in 
> the ass to recompile ssh/telnet/etc when you do.
> 
> -- 
> Daniel O'Connor software and network engineer
> for Genesis Software - http://www.gsoft.com.au
> "The nice thing about standards is that there
> are so many of them to choose from."
>   -- Andrew Tanenbaum
> GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
> 
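
An added example (not part of the original thread): a shell check for the dependency under discussion, listing the Kerberos/GSSAPI shared libraries that a binary such as sshd is dynamically linked against. The library-name pattern, the function names and the sample `ldd` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Library-name prefixes treated as Kerberos-related (assumption; extend for
# your system). Covers common Heimdal and MIT Kerberos library names.
KRB_PATTERN='^lib(krb5|gssapi|gssapi_krb5|k5crypto|heimntlm|hx509|asn1|roken)\.so'

# krb_deps: read ldd-style output on stdin and print the Kerberos-related
# library names it contains, one per line, sorted and de-duplicated.
krb_deps() {
    awk '$2 == "=>" { print $1 }' | grep -E "$KRB_PATTERN" | sort -u
}

# audit_binary: run ldd on a real binary and report what krb_deps finds.
audit_binary() {
    bin=$1
    deps=$(ldd "$bin" 2>/dev/null | krb_deps)
    if [ -n "$deps" ]; then
        printf '%s is linked against Kerberos libraries:\n%s\n' "$bin" "$deps"
    else
        printf '%s: no Kerberos libraries found in ldd output\n' "$bin"
    fi
}

# Constructed sample of ldd output for an sshd built with Kerberos support
# (paths, versions and addresses are made up for this example).
sample_ldd() {
    cat <<'EOF'
/usr/sbin/sshd:
	libssh.so.2 => /usr/lib/libssh.so.2 (0x28096000)
	libgssapi.so.8 => /usr/lib/libgssapi.so.8 (0x280c9000)
	libkrb5.so.8 => /usr/lib/libkrb5.so.8 (0x280d7000)
	libcrypto.so.3 => /lib/libcrypto.so.3 (0x28130000)
	libc.so.6 => /lib/libc.so.6 (0x2823a000)
EOF
}

# Audit any binaries named on the command line, e.g.:
#   sh krbcheck.sh /usr/sbin/sshd /usr/libexec/telnetd
for b in "$@"; do
    audit_binary "$b"
done
```

Any access-granting daemon this reports as linked needs its Kerberos libraries tracked for security updates, even where Kerberos authentication is disabled in its configuration.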


