From: Robert Watson
Date: Mon, 18 Jul 2005 16:09:13 +0100 (BST)
To: Vladimir Terziev
Cc: rik@cronyx.ru, dom@goodforbusiness.co.uk, freebsd-hackers@freebsd.org
Subject: Re: Remove Heimdal Kerberos from my FreeBSD
Message-ID: <20050718160610.E9430@fledge.watson.org>
In-Reply-To: <20050718144421.68977452.vlady@sun-fish.com>
References: <20050716194319.4375451a.vlady@sun-fish.com> <42DB59F9.80408@cronyx.ru> <20050718113333.4ab7ebb5.vlady@sun-fish.com> <200507182055.57651.doconnor@gsoft.com.au> <20050718144421.68977452.vlady@sun-fish.com>

On Mon, 18 Jul 2005, Vladimir Terziev wrote:

> The problem is that third party software is a part of basic software,
> whose functionality includes authentication and authorization for host
> access. A bug in this third party software could become a reason for a
> host compromise even if the functionality of the third party software is
> not used (e.g. a bug in the kerberos libs could involve sshd/telnetd
> compromise).
>
> When you really need kerberos authentication then re-build the
> respective software in order to have it. But in that case, you'll be
> aware that your access-granting software depends on something other and
> you'll be aware that you need to keep this something other up-to-date
> and bugless.

Expectations have changed over the last few years -- support for
integrating into directory services, such as Active Directory and/or
Kerberos, is now considered a basic expectation for operating systems, and
as such is a "built by default" feature. Any time you increase the
quantity of code, especially security/network-sensitive code, you increase
the opportunity for problems, but where one sits on the spectrum of
"enabled by default" functionality has to be a response to user
requirements. The direction we've been going in to minimize exposure has
been to disable features at run-time, rather than compile-time. I.e., we
no longer enable telnetd, ftpd, etc, by default -- they must be explicitly
enabled.

Robert N M Watson

>
> Vladimir
>
>
> On Mon, 18 Jul 2005 20:55:57 +0930
> "Daniel O'Connor" wrote:
>
>> On Monday 18 July 2005 18:03, Vladimir Terziev wrote:
>>> you're right about useless things, but making basic software depend on
>>> these useless things is a very bad idea. I'm sure telnet & ssh are the
>>> most used applications on any UNIX system, so they must not depend on any
>>> third party software by default. If you need kerberized ssh or telnet, then
>>> ok -- relink them to use kerberos, but why should possible bugs in kerberos
>>> affect ssh & telnet when kerberos is not mandatory for their functioning?
>>
>> I think this is slightly disingenuous - what is the actual penalty for linking
>> to Kerberos?
>>
>> It is easy to not use Kerberos if you don't want to, but it's a major pain in
>> the ass to recompile ssh/telnet/etc when you do.
>>
>> --
>> Daniel O'Connor software and network engineer
>> for Genesis Software - http://www.gsoft.com.au
>> "The nice thing about standards is that there
>> are so many of them to choose from."
>> -- Andrew Tanenbaum
>> GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
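The disagreement above is about two different things: which libraries a base-system daemon is linked against (Vladimir's worry), and which daemons are actually switched on at run time (Robert's point about rc.conf). As an added example, not code from this thread or from FreeBSD's own tooling, the script below measures both on a host. It assumes ldd(1) prints lines of the form "libfoo.so.N => /path (0x...)", that rc.conf(5) uses the usual "name_enable=YES" variables, and the daemon paths, the Kerberos library-name list and the "--audit" flag are choices made here; the sample ldd output and rc.conf fragment are constructed so the functions can be exercised without a FreeBSD box.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD itself: measure the
# exposure the thread argues about on a given host by (1) listing which base
# system network daemons are dynamically linked against Kerberos/GSSAPI
# libraries and (2) checking which of those daemons rc.conf(5) switches on at
# run time. Assumptions made here: ldd(1) prints "libfoo.so.N => /path (0x...)"
# lines, and the daemon list and library-name pattern are illustrative choices.

# Library base names that indicate Heimdal or MIT Kerberos / GSSAPI linkage
# (an assumed list; extend it for your platform).
KRB_LIB_PATTERN='^(libkrb5|libgssapi|libasn1|libroken|libheimntlm|libhx509|libwind|libcom_err|libk5crypto|libkrb5support)[.]'

# krb_deps: read ldd(1) output on stdin; print the base names (e.g. "libkrb5")
# of the Kerberos-related libraries it lists, one per line, sorted and unique.
krb_deps() {
    awk -v pat="$KRB_LIB_PATTERN" '$1 ~ pat { sub(/\..*$/, "", $1); print $1 }' \
        | sort -u
}

# krb_dep_count: number of distinct Kerberos-related libraries in the ldd output
# on stdin (0 means the binary carries none of that code).
krb_dep_count() {
    krb_deps | wc -l | tr -d ' '
}

# service_enabled NAME: read rc.conf(5)-style text on stdin and print YES if
# "NAME_enable" is set to YES (the last assignment wins, as the shell would
# evaluate the file), otherwise NO. Comments and quoting are ignored.
service_enabled() {
    awk -v key="${1}_enable" -F= '
        /^[ \t]*#/ { next }
        {
            k = $1; gsub(/[ \t]/, "", k)
            if (k == key) {
                v = $2; sub(/#.*$/, "", v); gsub(/[" \t]/, "", v)
                val = toupper(v)
            }
        }
        END { print (val == "YES") ? "YES" : "NO" }
    '
}

# Constructed sample output, in the shape ldd(1) prints, for trying the
# functions without a FreeBSD box; the paths and load addresses are made up.
SAMPLE_LDD='/usr/sbin/sshd:
    libssh.so.2 => /usr/lib/libssh.so.2 (0x2807f000)
    libgssapi.so.8 => /usr/lib/libgssapi.so.8 (0x280c6000)
    libkrb5.so.8 => /usr/lib/libkrb5.so.8 (0x280d4000)
    libasn1.so.8 => /usr/lib/libasn1.so.8 (0x28108000)
    libcrypto.so.4 => /lib/libcrypto.so.4 (0x28128000)
    libc.so.6 => /lib/libc.so.6 (0x28213000)'

# Constructed rc.conf fragment: sshd is switched on (the later line wins);
# inetd, and with it telnetd/ftpd, stays off.
SAMPLE_RC='# constructed rc.conf
sshd_enable="NO"
sshd_enable="YES"
inetd_enable="NO"   # telnetd and ftpd are started from inetd
ntpd_enable=yes'

# audit_daemon BIN: report the Kerberos linkage of one installed daemon.
audit_daemon() {
    bin="$1"
    if [ ! -x "$bin" ] || ! command -v ldd >/dev/null 2>&1; then
        printf '%-22s not present (or no ldd on this host)\n' "$bin"
        return 0
    fi
    printf '%-22s %s Kerberos/GSSAPI libraries\n' "$bin" \
        "$(ldd "$bin" 2>/dev/null | krb_dep_count)"
    ldd "$bin" 2>/dev/null | krb_deps | sed 's/^/    /'
}

# Run against the live host with:  sh krb_exposure.sh --audit
if [ "${1:-}" = "--audit" ]; then
    for d in /usr/sbin/sshd /usr/libexec/telnetd /usr/libexec/ftpd; do
        audit_daemon "$d"
    done
    if [ -r /etc/rc.conf ]; then
        for s in sshd inetd; do
            printf '%s_enable: %s\n' "$s" "$(service_enabled "$s" < /etc/rc.conf)"
        done
    fi
fi
```

Run with "--audit" to see, per daemon, how many Kerberos/GSSAPI libraries it pulls in and whether rc.conf actually starts it; a daemon that links the libraries but is not enabled is the situation Robert describes, and a daemon that is enabled but shows zero such libraries is the state Vladimir is asking for. On the constructed samples, krb_dep_count reports 3 for the sshd listing, and service_enabled reports YES for sshd and NO for inetd.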