Remove Heimdal Kerberos from my FreeBSD

Vladimir Terziev vladimir.terziev at
Mon Jul 18 11:44:24 GMT 2005

   The problem is that third party software is a part of basic software, which functionality includes authentication and authorization for host access. A bug in this third party software could become a reason for a host compromise even the functionality of the third party software in not used (e.g. bug in the kerberos libs could involve sshd/telnetd compromise).

   When you really need a kerberos authentication then re-build the respective software in order to have it. But in that case, you'll be aware that your access-granting software depends on something other and you'll be aware to keep this something other up-to-date and bugless.


On Mon, 18 Jul 2005 20:55:57 +0930
"Daniel O'Connor" <doconnor at> wrote:

> On Monday 18 July 2005 18:03, Vladimir Terziev wrote:
> >    your right about useless things, but making basic software to depend on
> > these useless things is a very bad idea. I'm sure, telnet & ssh are the
> > most used applications on any UNIX system, so they must not depend on any
> > third party software by default. If you need kerberized ssh or telnet, then
> > ok -- relink them to use kerberos, but why possible bugs in kerberos should
> > affect ssh & telnet when kerberos is not mandantory for their functioning ?
> I think this is slightly disingenuous - what is the actual penalty for linking 
> to Kerberos?
> It is easy to not use Kerberos if you don't want to, but it's a major pain in 
> the ass to recompile ssh/telnet/etc when you do.
> -- 
> Daniel O'Connor software and network engineer
> for Genesis Software -
> "The nice thing about standards is that there
> are so many of them to choose from."
>   -- Andrew Tanenbaum
> GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C

More information about the freebsd-hackers mailing list