From: "Daniel O'Connor" <doconnor@gsoft.com.au>
To: Vladimir Terziev
Cc: freebsd-hackers@freebsd.org, dom@goodforbusiness.co.uk, rik@cronyx.ru
Date: Mon, 18 Jul 2005 21:44:35 +0930
Subject: Re: Remove Heimdal Kerberos from my FreeBSD
Message-Id: <200507182144.49399.doconnor@gsoft.com.au>
In-Reply-To: <20050718144421.68977452.vlady@sun-fish.com>
List-Id: Technical Discussions relating to FreeBSD
On Monday 18 July 2005 21:14, Vladimir Terziev wrote:
> The problem is that third party software is a part of basic software,
> whose functionality includes authentication and authorization for host
> access. A bug in this third party software could become a reason for a host
> compromise even if the functionality of the third party software is not used
> (e.g. a bug in the kerberos libs could involve sshd/telnetd compromise).

I think you can extend this argument to just about any piece of software on the system..

> When you really need kerberos authentication then re-build the
> respective software in order to have it. But in that case, you'll be aware
> that your access-granting software depends on something other and you'll be
> aware to keep this something other up-to-date and bugless.

That is a pretty major inconvenience. It's like saying "Oh well if you want to use NSS you should rebuild things" - you can do it but it's very inconvenient.

There is always a trade off but it seems most people don't think Heimdal is insecure enough to disable by default. (Has it had any bugs that have been exploitable in an unused configuration recently? I don't believe so).

Personally I'd be more worried about the PAM code.

-- 
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there are so many of them to choose from."
 -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
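An added check, not from the thread, for the exposure Vladimir describes: enumerate which binaries on the host actually load the Heimdal Kerberos/GSSAPI libraries, so the decision about keeping them in base can be made against the real set of network daemons that carry that code. The parser reads ldd(1)-style output; the library-name pattern and the sample output below are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): report which binaries
# load the Heimdal Kerberos/GSSAPI shared libraries, i.e. which daemons
# carry that code even when no Kerberos authentication is configured.
# Input is ldd(1)-style output: a "/path/to/bin:" header line followed by
# indented "libfoo.so.N => /usr/lib/libfoo.so.N (0x...)" lines.

# Library names to look for (assumed set for a FreeBSD base Heimdal build;
# adjust the alternation for the release you audit).
KRB_LIBS='libkrb5|libgssapi|libasn1|libroken|libheimntlm|libhx509|libcom_err'

# Print each binary (once) whose ldd output mentions a matching library.
list_krb_linked() {
    awk -v pat="^[[:space:]]*(${KRB_LIBS})[.]so" '
        # Unindented line ending in ":" names the binary being described.
        /^[^[:space:]].*:$/ { bin = substr($0, 1, length($0) - 1); next }
        # Indented dependency line matching the pattern: report bin once.
        $0 ~ pat && !seen[bin]++ { print bin }
    '
}

# Run ldd over the executables in the given directories and feed the parser.
# Usage: scan_dirs /usr/sbin /usr/libexec
scan_dirs() {
    for d in "$@"; do
        for f in "$d"/*; do
            [ -f "$f" ] && [ -x "$f" ] && ldd "$f" 2>/dev/null
        done
    done | list_krb_linked
}

# Constructed sample ldd output for demonstration (not from a real host).
SAMPLE='/usr/sbin/sshd:
        libssh.so.2 => /usr/lib/libssh.so.2 (0x28000000)
        libgssapi.so.8 => /usr/lib/libgssapi.so.8 (0x28100000)
        libkrb5.so.8 => /usr/lib/libkrb5.so.8 (0x28200000)
/usr/libexec/telnetd:
        libtelnet.so.2 => /usr/lib/libtelnet.so.2 (0x28300000)
        libkrb5.so.8 => /usr/lib/libkrb5.so.8 (0x28400000)
/usr/sbin/inetd:
        libc.so.6 => /lib/libc.so.6 (0x28500000)
/usr/sbin/syslogd:
        libc.so.6 => /lib/libc.so.6 (0x28600000)'

# Apply the parser to the constructed sample; prints sshd and telnetd only.
sample_krb_linked() {
    printf '%s\n' "$SAMPLE" | list_krb_linked
}
```

On a live system, `scan_dirs /usr/sbin /usr/libexec /usr/bin` gives the actual list; an entry that is reachable over the network without Kerberos being used is exactly the case the thread argues about.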