From owner-freebsd-hackers@FreeBSD.ORG Mon Jul 18 15:23:50 2005
Date: Mon, 18 Jul 2005 16:30:22 +0200
From: Joerg Sonnenberger
To: freebsd-hackers@freebsd.org
Message-ID: <20050718143022.GA1398@britannica.bec.de>
In-Reply-To: <200507182144.49399.doconnor@gsoft.com.au>
Subject: Re: Remove Heimdal Kerberos from my FreeBSD
List-Id: Technical Discussions relating to FreeBSD

On Mon, Jul 18, 2005 at 09:44:35PM +0930, Daniel O'Connor wrote:
> There is always a trade-off, but it seems most people don't think Heimdal is
> insecure enough to disable by default. (Has it had any bugs that have been
> exploitable in an unused configuration recently? I don't believe so.)
In the last two years, there have been some nasty problems in Heimdal, not as bad as MIT krb5 though. This is from memory, I might be wrong.

For the original poster, the default is a trade-off; it has both positive and negative sides. In DragonFly, we still default to OFF, mostly because we can't take advantage of it, e.g. for smb, anyway, since we don't have NSS.

Besides the given example of Active Directory, NFS 4 uses GSSAPI and Kerberos 5 too. Those are two things a lot of people want to support out of the box.

Joerg