Remove Heimdal Kerberos from my FreeBSD

Robert Watson rwatson at FreeBSD.org
Mon Jul 18 15:09:14 GMT 2005


On Mon, 18 Jul 2005, Vladimir Terziev wrote:

>   The problem is that third party software is a part of basic software, 
> whose functionality includes authentication and authorization for host 
> access. A bug in this third party software could become a reason for a 
> host compromise even if the functionality of the third party software is 
> not used (e.g. a bug in the kerberos libs could involve sshd/telnetd 
> compromise).
>
>   When you really need kerberos authentication then re-build the 
> respective software in order to have it. But in that case, you'll be 
> aware that your access-granting software depends on something else and 
> you'll know to keep this something else up-to-date and bugless.

Expectations have changed over the last few years -- support for 
integrating into directory services, such as Active Directory and/or 
Kerberos, is now considered a basic expectation for operating systems, and 
as such is a "built by default" feature.

Any time you increase the quantity of code, especially 
security/network-sensitive code, you increase the opportunity for 
problems, but where one sits on the spectrum of "enabled by default" 
functionality has to be a response to user requirements. The direction 
we've been going in to minimize exposure has been to disable features at 
run-time, rather than compile-time.  I.e., we no longer enable telnetd, 
ftpd, etc, by default -- they must be explicitly enabled.

Robert N M Watson

>
> 	Vladimir
>
>
> On Mon, 18 Jul 2005 20:55:57 +0930
> "Daniel O'Connor" <doconnor at gsoft.com.au> wrote:
>
>> On Monday 18 July 2005 18:03, Vladimir Terziev wrote:
>>>    you're right about useless things, but making basic software depend on
>>> these useless things is a very bad idea. I'm sure telnet & ssh are the
>>> most used applications on any UNIX system, so they must not depend on any
>>> third party software by default. If you need kerberized ssh or telnet, then
>>> ok -- relink them to use kerberos, but why should possible bugs in kerberos
>>> affect ssh & telnet when kerberos is not mandatory for their functioning?
>>
>> I think this is slightly disingenuous - what is the actual penalty for linking
>> to Kerberos?
>>
>> It is easy to not use Kerberos if you don't want to, but it's a major pain in
>> the ass to recompile ssh/telnet/etc when you do.
>>
>> --
>> Daniel O'Connor software and network engineer
>> for Genesis Software - http://www.gsoft.com.au
>> "The nice thing about standards is that there
>> are so many of them to choose from."
>>   -- Andrew Tanenbaum
>> GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
>>
> _______________________________________________
> freebsd-hackers at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at freebsd.org"
>
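The distinction Robert draws above, a daemon that is linked against the Kerberos libraries at compile time versus one that is actually switched on at run time, can be inventoried on a host. The script below is an added example and not code from the thread or from FreeBSD; it assumes ldd-style output and an rc.conf-style `<name>_enable="YES"` switch, and the sample ldd and rc.conf text (including library version numbers) is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: report the exposure Robert Watson
# describes, a daemon linked against Kerberos/GSSAPI libraries at compile
# time versus whether it is switched on at run time. Sample data is constructed.

# Library stems (Heimdal and MIT) that indicate Kerberos or GSSAPI linkage.
KRB_LIB_RE='lib(krb5|gssapi|heimntlm|hx509|asn1|roken|wind|heimbase|kafs|k5crypto)[A-Za-z0-9_]*\.so'

# Print the distinct Kerberos-related libraries found in ldd output on stdin.
krb_libs_from_ldd() { grep -Eo "$KRB_LIB_RE" | sort -u; }

# Number of distinct Kerberos-related libraries in the ldd text passed as $1.
count_krb_libs() { printf '%s\n' "$1" | krb_libs_from_ldd | wc -l | tr -d ' '; }

# True when rc.conf text ($1) enables service $2, e.g. sshd_enable="YES".
rc_enabled() { printf '%s\n' "$1" | grep -Eq "^[[:space:]]*${2}_enable=\"?YES\"?"; }

# Classify a service: linked/not-linked (compile time) and enabled/disabled
# (run time). $1 = ldd text of its binary, $2 = rc.conf text, $3 = service name.
exposure() {
    if [ "$(count_krb_libs "$1")" -gt 0 ]; then link=linked; else link=not-linked; fi
    if rc_enabled "$2" "$3"; then run=enabled; else run=disabled; fi
    printf '%s,%s\n' "$link" "$run"
}

# Live variant for a real host: count Kerberos libs linked into binary $1.
audit_binary() { count_krb_libs "$(ldd "$1" 2>/dev/null)"; }

# Constructed sample data: an sshd built against the base-system Heimdal,
# an ftpd without it, and an rc.conf with sshd on and inetd (telnetd) off.
SAMPLE_SSHD_LDD=$(cat <<'EOF'
/usr/sbin/sshd:
        libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x0)
        libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x0)
        libasn1.so.10 => /usr/lib/libasn1.so.10 (0x0)
        libroken.so.10 => /usr/lib/libroken.so.10 (0x0)
        libc.so.7 => /lib/libc.so.7 (0x0)
EOF
)
SAMPLE_FTPD_LDD=$(printf '/usr/libexec/ftpd:\n\tlibc.so.7 => /lib/libc.so.7 (0x0)\n')
SAMPLE_RC=$(printf 'sshd_enable="YES"\ninetd_enable="NO"\n')

exposure "$SAMPLE_SSHD_LDD" "$SAMPLE_RC" sshd    # prints: linked,enabled
exposure "$SAMPLE_FTPD_LDD" "$SAMPLE_RC" inetd   # prints: not-linked,disabled
```

On a real host, `audit_binary /usr/sbin/sshd` gives the compile-time half of the answer and `rc_enabled "$(cat /etc/rc.conf)" sshd` the run-time half.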

