Remove Heimdal Kerberos from my FreeBSD
Vladimir Terziev
vladimir.terziev at sun-fish.com
Mon Jul 18 11:44:24 GMT 2005
The problem is that third party software is a part of basic software, which functionality includes authentication and authorization for host access. A bug in this third party software could become a reason for a host compromise even the functionality of the third party software in not used (e.g. bug in the kerberos libs could involve sshd/telnetd compromise).
When you really need a kerberos authentication then re-build the respective software in order to have it. But in that case, you'll be aware that your access-granting software depends on something other and you'll be aware to keep this something other up-to-date and bugless.
Vladimir
On Mon, 18 Jul 2005 20:55:57 +0930
"Daniel O'Connor" <doconnor at gsoft.com.au> wrote:
> On Monday 18 July 2005 18:03, Vladimir Terziev wrote:
> > your right about useless things, but making basic software to depend on
> > these useless things is a very bad idea. I'm sure, telnet & ssh are the
> > most used applications on any UNIX system, so they must not depend on any
> > third party software by default. If you need kerberized ssh or telnet, then
> > ok -- relink them to use kerberos, but why possible bugs in kerberos should
> > affect ssh & telnet when kerberos is not mandantory for their functioning ?
>
> I think this is slightly disingenuous - what is the actual penalty for linking
> to Kerberos?
>
> It is easy to not use Kerberos if you don't want to, but it's a major pain in
> the ass to recompile ssh/telnet/etc when you do.
>
> --
> Daniel O'Connor software and network engineer
> for Genesis Software - http://www.gsoft.com.au
> "The nice thing about standards is that there
> are so many of them to choose from."
> -- Andrew Tanenbaum
> GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
>
More information about the freebsd-hackers
mailing list