From owner-freebsd-hackers@FreeBSD.ORG Mon Jul 18 11:44:24 2005
Date: Mon, 18 Jul 2005 14:44:21 +0300
From: Vladimir Terziev
To: "Daniel O'Connor"
Cc: freebsd-hackers@freebsd.org, dom@goodforbusiness.co.uk, rik@cronyx.ru
Subject: Re: Remove Heimdal Kerberos from my FreeBSD
Message-Id: <20050718144421.68977452.vlady@sun-fish.com>
In-Reply-To: <200507182055.57651.doconnor@gsoft.com.au>
References: <20050716194319.4375451a.vlady@sun-fish.com> <42DB59F9.80408@cronyx.ru> <20050718113333.4ab7ebb5.vlady@sun-fish.com> <200507182055.57651.doconnor@gsoft.com.au>
Organization: SunFish Ltd., Sofia
X-Mailer: Sylpheed version 1.9.12 (GTK+ 2.4.0; i386-unknown-freebsd4.10)
List-Id: Technical Discussions relating to FreeBSD
The problem is that third-party software is a part of basic software whose functionality includes authentication and authorization for host access. A bug in this third-party software could become a reason for a host compromise even if the functionality of the third-party software is not used (e.g. a bug in the Kerberos libs could lead to an sshd/telnetd compromise).

When you really need Kerberos authentication, then re-build the respective software in order to have it. But in that case, you'll be aware that your access-granting software depends on something else, and you'll be aware to keep this something else up-to-date and bugless.

Vladimir

On Mon, 18 Jul 2005 20:55:57 +0930 "Daniel O'Connor" wrote:

> On Monday 18 July 2005 18:03, Vladimir Terziev wrote:
> > you're right about useless things, but making basic software to depend on
> > these useless things is a very bad idea. I'm sure, telnet & ssh are the
> > most used applications on any UNIX system, so they must not depend on any
> > third party software by default. If you need kerberized ssh or telnet, then
> > ok -- relink them to use kerberos, but why possible bugs in kerberos should
> > affect ssh & telnet when kerberos is not mandatory for their functioning ?
>
> I think this is slightly disingenuous - what is the actual penalty for linking
> to Kerberos?
>
> It is easy to not use Kerberos if you don't want to, but it's a major pain in
> the ass to recompile ssh/telnet/etc when you do.
>
> --
> Daniel O'Connor software and network engineer
> for Genesis Software - http://www.gsoft.com.au
> "The nice thing about standards is that there
> are so many of them to choose from."
> -- Andrew Tanenbaum
> GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
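The dependency Vladimir is arguing about is easy to audit on any host: ask the dynamic linker which shared objects a login daemon pulls in and pick out the Kerberos ones. The script below is an added example for this thread, not code posted by either participant or shipped with FreeBSD. It assumes ldd(1) output in the usual "lib.so => /path (addr)" form, and the list of Heimdal/MIT library names it matches is an assumption that may need extending for a given platform; the ldd output it demonstrates on is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): report which Kerberos
# shared libraries a binary such as sshd or telnetd is linked against, so an
# admin can see the extra attack surface the thread discusses.

# Assumed library basenames used by Heimdal and MIT Kerberos builds.
# Extend this ERE if your platform names them differently.
KRB_LIB_PATTERN='lib(krb5|gssapi|gssapi_krb5|k5crypto|asn1|roken|hx509|heimntlm|wind|com_err|kafs)\.so'

# krb_libs_from_ldd: read ldd-style output on stdin, print each Kerberos
# library name once, sorted (the first field of each line is the soname).
krb_libs_from_ldd() {
    awk '{ print $1 }' | grep -E "$KRB_LIB_PATTERN" | LC_ALL=C sort -u
}

# krb_dep_count: number of distinct Kerberos libraries in ldd output on stdin.
krb_dep_count() {
    krb_libs_from_ldd | wc -l | tr -d ' '
}

# check_binary PATH: run ldd on a real binary and report.
# Returns 0 if Kerberos libraries are linked, 1 if none are, 2 if the
# binary or ldd is unavailable.
check_binary() {
    bin="$1"
    [ -x "$bin" ] || { echo "$bin: not found"; return 2; }
    command -v ldd >/dev/null 2>&1 || { echo "ldd not available"; return 2; }
    libs=$(ldd "$bin" 2>/dev/null | krb_libs_from_ldd)
    if [ -n "$libs" ]; then
        echo "$bin links Kerberos libraries:"
        printf '%s\n' "$libs" | sed 's/^/  /'
        return 0
    fi
    echo "$bin: no Kerberos libraries linked"
    return 1
}

# Constructed ldd output for the demonstration (not from a real host).
SAMPLE_LDD='/usr/sbin/sshd:
    libssh.so.2 => /usr/lib/libssh.so.2 (0x2807a000)
    libgssapi.so.7 => /usr/lib/libgssapi.so.7 (0x280c0000)
    libkrb5.so.7 => /usr/lib/libkrb5.so.7 (0x280d0000)
    libasn1.so.7 => /usr/lib/libasn1.so.7 (0x28100000)
    libcrypto.so.3 => /lib/libcrypto.so.3 (0x28120000)
    libc.so.4 => /usr/lib/libc.so.4 (0x28200000)'

# Demo: first on the constructed sample, then on the real daemons if present.
echo "constructed sample ($(printf '%s\n' "$SAMPLE_LDD" | krb_dep_count) Kerberos libs):"
printf '%s\n' "$SAMPLE_LDD" | krb_libs_from_ldd | sed 's/^/  /'
for b in /usr/sbin/sshd /usr/libexec/telnetd; do
    check_binary "$b" || true
done
```

Run it as root or not; ldd only reads the binary. A daemon that reports no Kerberos libraries is one whose Kerberos code paths cannot be reached through its shared-library dependencies, which is the state Vladimir wants by default; one that does report them is one whose security update cadence now has to include the Kerberos implementation as well.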