Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 18 Jul 2005 21:44:35 +0930
From:      "Daniel O'Connor" <doconnor@gsoft.com.au>
To:        Vladimir Terziev <vladimir.terziev@sun-fish.com>
Cc:        freebsd-hackers@freebsd.org, dom@goodforbusiness.co.uk, rik@cronyx.ru
Subject:   Re: Remove Heimdal Kerberos from my FreeBSD
Message-ID:  <200507182144.49399.doconnor@gsoft.com.au>
In-Reply-To: <20050718144421.68977452.vlady@sun-fish.com>
References:  <20050716194319.4375451a.vlady@sun-fish.com> <200507182055.57651.doconnor@gsoft.com.au> <20050718144421.68977452.vlady@sun-fish.com>

next in thread | previous in thread | raw e-mail | index | archive | help
--nextPart4331901.KkxNW5LqM0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

On Monday 18 July 2005 21:14, Vladimir Terziev wrote:
>    The problem is that third party software is a part of basic software,
> which functionality includes authentication and authorization for host
> access. A bug in this third party software could become a reason for a ho=
st
> compromise even the functionality of the third party software in not used
> (e.g. bug in the kerberos libs could involve sshd/telnetd compromise).

I think you can extend this argument to just about any piece of software on=
=20
the system..

>    When you really need a kerberos authentication then re-build the
> respective software in order to have it. But in that case, you'll be aware
> that your access-granting software depends on something other and you'll =
be
> aware to keep this something other up-to-date and bugless.

That is a pretty major inconvenience. It's like saying "Oh well if you want=
 to=20
use NSS you should rebuild things" - you can do it but it's very=20
inconvenient.

There is always a trade off but it seems most people don't think Heimdal is=
=20
insecure enough to disable by default. (Has it has any bugs that have been=
=20
exploitable in an unused configuration recently? I don't believe so).

Personally I'd be more worried about the PAM code.

=2D-=20
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C

--nextPart4331901.KkxNW5LqM0
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQBC25055ZPcIHs/zowRAqsPAJwMON0Yc+QooK0Ltt3ESxiK/Qt8CwCeJvfa
cWZm0Wc9lOoqvijXisDF1qg=
=pzhX
-----END PGP SIGNATURE-----

--nextPart4331901.KkxNW5LqM0--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200507182144.49399.doconnor>