On Monday 18 July 2005 21:14, Vladimir Terziev wrote:
> The problem is that third party software is a part of basic software,
> whose functionality includes authentication and authorization for host
> access. A bug in this third party software could become a reason for a host
> compromise even if the functionality of the third party software is not used
> (e.g. a bug in the Kerberos libs could involve sshd/telnetd compromise).

I think you can extend this argument to just about any piece of software on the system.

> When you really need Kerberos authentication then re-build the
> respective software in order to have it. But in that case, you'll be aware
> that your access-granting software depends on something other and you'll
> know to keep this something other up-to-date and bugless.

That is a pretty major inconvenience. It's like saying "Oh well, if you want to use NSS you should rebuild things" - you can do it, but it's very inconvenient.

There is always a trade off, but it seems most people don't think Heimdal is insecure enough to disable by default. (Has it had any bugs that have been exploitable in an unused configuration recently? I don't believe so.)

Personally I'd be more worried about the PAM code.

-- 
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
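The thread argues about two separate things: whether the Kerberos code is linked into sshd at all, and whether sshd's configuration actually makes it reachable as an authentication path. The script below is an added example for measuring both on a given host; it is not code from the original thread or from FreeBSD/Heimdal. It assumes the Heimdal library names shipped in FreeBSD base (libkrb5, libgssapi, libasn1, libroken and so on, plus MIT's libgssapi_krb5), and the sshd_config(5) parsing rules (keywords case-insensitive, first value wins, settings after a Match line are conditional). The ldd output and sshd_config it parses are constructed samples; on a real host, feed it `ldd /usr/sbin/sshd` and `/etc/ssh/sshd_config` instead.

```shell
#!/bin/sh
# Added example, not code from the original thread. It measures the exposure
# the discussion is about in two ways: which Kerberos/GSSAPI shared objects a
# daemon is linked against (present whether or not the feature is used), and
# whether sshd_config actually enables Kerberos or GSSAPI authentication.
# The ldd output and sshd_config below are constructed samples.

# Print, one per line, the Heimdal/MIT Kerberos shared objects named in
# ldd(1)-style output read from stdin. Library names are an assumption
# based on what FreeBSD base (Heimdal) and MIT Kerberos install.
krb_libs_in_ldd() {
    grep -Eo 'lib(krb5|gssapi_krb5|gssapi|asn1|roken|hx509|heimntlm|wind|heimbase)\.so[.0-9]*' |
        sort -u
}

# Print the effective value of one sshd_config keyword read from stdin,
# following sshd_config(5): keywords are case-insensitive, "#" starts a
# comment, "Keyword=value" is allowed, the FIRST value seen wins, and
# settings after a Match line are conditional, so they are ignored here.
# The default for KerberosAuthentication and GSSAPIAuthentication is "no".
sshd_option() {
    kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v kw="$kw" '
        { sub(/#.*/, ""); sub(/=/, " ") }
        NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == kw { print tolower($2); found = 1; exit }
        END { if (!found) print "no" }
    '
}

# Constructed sample: roughly what "ldd /usr/sbin/sshd" prints on a base
# system with Heimdal linked in (addresses are made up).
SAMPLE_LDD='/usr/sbin/sshd:
        libssh.so.2 => /usr/lib/libssh.so.2 (0x2808a000)
        libgssapi.so.8 => /usr/lib/libgssapi.so.8 (0x280b1000)
        libkrb5.so.8 => /usr/lib/libkrb5.so.8 (0x280c0000)
        libasn1.so.8 => /usr/lib/libasn1.so.8 (0x280f2000)
        libcrypto.so.3 => /lib/libcrypto.so.3 (0x28110000)
        libc.so.5 => /lib/libc.so.5 (0x28220000)'

# Constructed sample sshd_config: KerberosAuthentication left at its default
# (commented out), GSSAPIAuthentication enabled globally, and a Match block
# whose setting only applies to one user and must not override the global one.
SAMPLE_SSHD_CONFIG='Port 22
#KerberosAuthentication no
GSSAPIAuthentication yes
UsePAM yes
Match User backup
    GSSAPIAuthentication no'

# Run both checks over the samples and say whether the linked Kerberos code
# is reachable through the daemon's own authentication options.
audit_sshd() {
    libs=$(printf '%s\n' "$SAMPLE_LDD" | krb_libs_in_ldd | tr '\n' ' ')
    krb=$(printf '%s\n' "$SAMPLE_SSHD_CONFIG" | sshd_option KerberosAuthentication)
    gss=$(printf '%s\n' "$SAMPLE_SSHD_CONFIG" | sshd_option GSSAPIAuthentication)
    printf 'linked Kerberos objects: %s\n' "$libs"
    printf 'KerberosAuthentication: %s\nGSSAPIAuthentication: %s\n' "$krb" "$gss"
    if [ -n "$libs" ] && [ "$krb" = no ] && [ "$gss" = no ]; then
        echo "Kerberos code is linked but not reachable via sshd auth options"
    elif [ -n "$libs" ]; then
        echo "Kerberos code is linked AND enabled as an authentication path"
    else
        echo "no Kerberos code linked"
    fi
}

audit_sshd
```

The "linked but not reachable" case is exactly the situation Vladimir describes: the library is mapped into the process, so a bug in its loader-time or shared-state code (or in any code path sshd calls regardless of configuration) still matters, while a bug in the authentication routines themselves would need the option switched on. Note that "first value wins" means a `GSSAPIAuthentication no` placed below an earlier `yes` does nothing, which is a common misreading when hardening sshd_config.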