Date: Mon, 18 Jul 2005 21:44:35 +0930
From: "Daniel O'Connor" <doconnor@gsoft.com.au>
To: Vladimir Terziev <vladimir.terziev@sun-fish.com>
Cc: freebsd-hackers@freebsd.org, dom@goodforbusiness.co.uk, rik@cronyx.ru
Subject: Re: Remove Heimdal Kerberos from my FreeBSD
Message-ID: <200507182144.49399.doconnor@gsoft.com.au>
In-Reply-To: <20050718144421.68977452.vlady@sun-fish.com>
References: <20050716194319.4375451a.vlady@sun-fish.com> <200507182055.57651.doconnor@gsoft.com.au> <20050718144421.68977452.vlady@sun-fish.com>

On Monday 18 July 2005 21:14, Vladimir Terziev wrote:
> The problem is that third party software is a part of basic software,
> which functionality includes authentication and authorization for host
> access. A bug in this third party software could become a reason for a host
> compromise even the functionality of the third party software is not used
> (e.g. bug in the kerberos libs could involve sshd/telnetd compromise).

I think you can extend this argument to just about any piece of software on
the system..

> When you really need a kerberos authentication then re-build the
> respective software in order to have it. But in that case, you'll be aware
> that your access-granting software depends on something other and you'll be
> aware to keep this something other up-to-date and bugless.

That is a pretty major inconvenience. It's like saying "Oh well if you want to
use NSS you should rebuild things" - you can do it but it's very
inconvenient.

There is always a trade off but it seems most people don't think Heimdal is
insecure enough to disable by default. (Has it had any bugs that have been
exploitable in an unused configuration recently? I don't believe so).

Personally I'd be more worried about the PAM code.

--
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C