The problem is that third-party software is a part of basic software whose functionality includes authentication and authorization for host access. A bug in this third-party software could become a reason for a host compromise even if the functionality of the third-party software is not used (e.g. a bug in the Kerberos libs could involve sshd/telnetd compromise).
When you really need Kerberos authentication, then rebuild the respective software in order to have it. But in that case, you'll be aware that your access-granting software depends on something else, and you'll be aware to keep this something else up-to-date and bugless.

Vladimir

On Mon, 18 Jul 2005 20:55:57 +0930
"Daniel O'Connor" <[EMAIL PROTECTED]> wrote:

> On Monday 18 July 2005 18:03, Vladimir Terziev wrote:
> > you're right about useless things, but making basic software to depend on
> > these useless things is a very bad idea. I'm sure, telnet & ssh are the
> > most used applications on any UNIX system, so they must not depend on any
> > third party software by default. If you need kerberized ssh or telnet, then
> > ok -- relink them to use kerberos, but why possible bugs in kerberos should
> > affect ssh & telnet when kerberos is not mandatory for their functioning ?
>
> I think this is slightly disingenuous - what is the actual penalty for
> linking to Kerberos?
>
> It is easy to not use Kerberos if you don't want to, but it's a major pain in
> the ass to recompile ssh/telnet/etc when you do.
>
> --
> Daniel O'Connor software and network engineer
> for Genesis Software - http://www.gsoft.com.au
> "The nice thing about standards is that there
> are so many of them to choose from."
> -- Andrew Tanenbaum
> GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C