Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 18 Jul 2005 16:09:13 +0100 (BST)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Vladimir Terziev <vladimir.terziev@sun-fish.com>
Cc:        rik@cronyx.ru, dom@goodforbusiness.co.uk, freebsd-hackers@freebsd.org
Subject:   Re: Remove Heimdal Kerberos from my FreeBSD
Message-ID:  <20050718160610.E9430@fledge.watson.org>
In-Reply-To: <20050718144421.68977452.vlady@sun-fish.com>
References:  <20050716194319.4375451a.vlady@sun-fish.com> <42DB59F9.80408@cronyx.ru> <20050718113333.4ab7ebb5.vlady@sun-fish.com> <200507182055.57651.doconnor@gsoft.com.au> <20050718144421.68977452.vlady@sun-fish.com>

next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 18 Jul 2005, Vladimir Terziev wrote:

>   The problem is that third party software is a part of basic software, 
> which functionality includes authentication and authorization for host 
> access. A bug in this third party software could become a reason for a 
> host compromise even the functionality of the third party software in 
> not used (e.g. bug in the kerberos libs could involve sshd/telnetd 
> compromise).
>
>   When you really need a kerberos authentication then re-build the 
> respective software in order to have it. But in that case, you'll be 
> aware that your access-granting software depends on something other and 
> you'll be aware to keep this something other up-to-date and bugless.

Expectations have changed over the last few years -- support for 
integrating into directory services, such as Active Directory and/or 
Kerberos, is now considered a basic expectation for operating systems, and 
as such is a "built by default" feature.

Any time you increase the quantity of code, especially 
security/network-sensitive code, you increase the opportunity for 
problems, but where one sits on the spectrum of "enabled by default" 
functionality has to be a response to user requirements. The direction 
we've been going in to minimize exposure has been to disable features at 
run-time, rather than compile-time.  I.e., we no longer enable telnetd, 
ftpd, etc, by default -- they must be explicitly enabled.

Robert N M Watson

>
> 	Vladimir
>
>
> On Mon, 18 Jul 2005 20:55:57 +0930
> "Daniel O'Connor" <doconnor@gsoft.com.au> wrote:
>
>> On Monday 18 July 2005 18:03, Vladimir Terziev wrote:
>>>    your right about useless things, but making basic software to depend on
>>> these useless things is a very bad idea. I'm sure, telnet & ssh are the
>>> most used applications on any UNIX system, so they must not depend on any
>>> third party software by default. If you need kerberized ssh or telnet, then
>>> ok -- relink them to use kerberos, but why possible bugs in kerberos should
>>> affect ssh & telnet when kerberos is not mandantory for their functioning ?
>>
>> I think this is slightly disingenuous - what is the actual penalty for linking
>> to Kerberos?
>>
>> It is easy to not use Kerberos if you don't want to, but it's a major pain in
>> the ass to recompile ssh/telnet/etc when you do.
>>
>> --
>> Daniel O'Connor software and network engineer
>> for Genesis Software - http://www.gsoft.com.au
>> "The nice thing about standards is that there
>> are so many of them to choose from."
>>   -- Andrew Tanenbaum
>> GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
>>
> _______________________________________________
> freebsd-hackers@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
>



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050718160610.E9430>