Remove Heimdal Kerberos from my FreeBSD

Daniel O'Connor doconnor at gsoft.com.au
Mon Jul 18 12:15:31 GMT 2005


On Monday 18 July 2005 21:14, Vladimir Terziev wrote:
>    The problem is that third party software is a part of basic software,
> which functionality includes authentication and authorization for host
> access. A bug in this third party software could become a reason for a host
> compromise even if the functionality of the third party software is not used
> (e.g. bug in the kerberos libs could involve sshd/telnetd compromise).

I think you can extend this argument to just about any piece of software on 
the system..

>    When you really need a kerberos authentication then re-build the
> respective software in order to have it. But in that case, you'll be aware
> that your access-granting software depends on something other and you'll be
> aware to keep this something other up-to-date and bugless.

That is a pretty major inconvenience. It's like saying "Oh well if you want to 
use NSS you should rebuild things" - you can do it but it's very 
inconvenient.

There is always a trade off but it seems most people don't think Heimdal is 
insecure enough to disable by default. (Has it had any bugs that have been 
exploitable in an unused configuration recently? I don't believe so).

Personally I'd be more worried about the PAM code.

-- 
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C