On Mon, 18 Jul 2005, Vladimir Terziev wrote:
The problem is that third party software is a part of basic software,
which functionality includes authentication and authorization for host
access. A bug in this third party software could become a reason for a
host compromise even the functionality of the third party software in
not used (e.g. bug in the kerberos libs could involve sshd/telnetd
compromise).
When you really need a kerberos authentication then re-build the
respective software in order to have it. But in that case, you'll be
aware that your access-granting software depends on something other and
you'll be aware to keep this something other up-to-date and bugless.
Expectations have changed over the last few years -- support for
integrating into directory services, such as Active Directory and/or
Kerberos, is now considered a basic expectation for operating systems, and
as such is a "built by default" feature.
Any time you increase the quantity of code, especially
security/network-sensitive code, you increase the opportunity for
problems, but where one sits on the spectrum of "enabled by default"
functionality has to be a response to user requirements. The direction
we've been going in to minimize exposure has been to disable features at
run-time, rather than compile-time. I.e., we no longer enable telnetd,
ftpd, etc, by default -- they must be explicitly enabled.
Robert N M Watson
Vladimir
On Mon, 18 Jul 2005 20:55:57 +0930
"Daniel O'Connor" <[EMAIL PROTECTED]> wrote:
On Monday 18 July 2005 18:03, Vladimir Terziev wrote:
your right about useless things, but making basic software to depend on
these useless things is a very bad idea. I'm sure, telnet & ssh are the
most used applications on any UNIX system, so they must not depend on any
third party software by default. If you need kerberized ssh or telnet, then
ok -- relink them to use kerberos, but why possible bugs in kerberos should
affect ssh & telnet when kerberos is not mandantory for their functioning ?
I think this is slightly disingenuous - what is the actual penalty for linking
to Kerberos?
It is easy to not use Kerberos if you don't want to, but it's a major pain in
the ass to recompile ssh/telnet/etc when you do.
--
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
-- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
