From owner-freebsd-hackers@FreeBSD.ORG  Mon Jul 18 15:23:50 2005
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
X-Original-To: freebsd-hackers@freebsd.org
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 309C116A41C
	for <freebsd-hackers@freebsd.org>; Mon, 18 Jul 2005 15:23:50 +0000 (GMT)
	(envelope-from joerg@britannica.bec.de)
Received: from hydra.bec.de (www.ostsee-abc.de [62.206.222.50])
	by mx1.FreeBSD.org (Postfix) with ESMTP id BCEA443D45
	for <freebsd-hackers@freebsd.org>; Mon, 18 Jul 2005 15:23:49 +0000 (GMT)
	(envelope-from joerg@britannica.bec.de)
Received: from britannica.bec.de (unknown [139.30.252.72])
	by hydra.bec.de (Postfix) with ESMTP id D478135717
	for <freebsd-hackers@freebsd.org>;
	Mon, 18 Jul 2005 17:23:47 +0200 (CEST)
Received: by britannica.bec.de (Postfix, from userid 1001)
	id AC0F858FC; Mon, 18 Jul 2005 16:30:22 +0200 (CEST)
Date: Mon, 18 Jul 2005 16:30:22 +0200
From: Joerg Sonnenberger <joerg@britannica.bec.de>
To: freebsd-hackers@freebsd.org
Message-ID: <20050718143022.GA1398@britannica.bec.de>
Mail-Followup-To: freebsd-hackers@freebsd.org
References: <20050716194319.4375451a.vlady@sun-fish.com>
	<200507182055.57651.doconnor@gsoft.com.au>
	<20050718144421.68977452.vlady@sun-fish.com>
	<200507182144.49399.doconnor@gsoft.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200507182144.49399.doconnor@gsoft.com.au>
User-Agent: Mutt/1.5.6i
Subject: Re: Remove Heimdal Kerberos from my FreeBSD
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Jul 2005 15:23:50 -0000

On Mon, Jul 18, 2005 at 09:44:35PM +0930, Daniel O'Connor wrote:
> There is always a trade off but it seems most people don't think Heimdal is 
> insecure enough to disable by default. (Has it has any bugs that have been 
> exploitable in an unused configuration recently? I don't believe so).

In the last two years, there have been some nasty problems in Heimdal,
not as bad as MIT krb5 though. This is from memory, I might be wrong.

For the original poster, the default is a trade-off, it has both postive
and negative sides. In DragonFly, we still default to OFF, mostly
because we can't take advantage of it e.g. for smb anyway, since we
don't have NSS. Beside the given example of Active Directory, NFS 4 uses
GSSAPI and Kerberos 5 too. Those are two things a lot of people want to
support of the box.

Joerg