Re: Kerberos, again

To: debian-devel@lists.debian.org
Subject: Re: Kerberos, again
From: Brian May <bam@snoopy.apana.org.au>
Date: Thu, 21 Oct 1999 10:11:03 +1000
Message-id: <[🔎] 19991021101103.A13344@snoopy.apana.org.au>
Mail-followup-to: debian-devel@lists.debian.org
Reply-to: bam@snoopy.apana.org.au
In-reply-to: <[🔎] 199910200301.VAA16607@eris.coyotesong.com>

In article <[🔎] 199910200301.VAA16607@eris.coyotesong.com> you write:
>The three significant objections in the past were:
>
> - US export restrictions (possibly removed in December, and since
>   Windows 2000 uses Kerberos I can't put off releasing my own
>   Kerberized packages any later, just to avoid the "we have Kerberos
>   and you don't" crap that the spinsters would otherwise try)

Not a problem for the Heimdal version, it is not developed in USA.

However, I think Windows 2000 support is still in its earlier stages.

> - MIT Kerberos 5 1.0.5 used single DES, a fairly weak cipher.  
>   MIT Kerberos 5 1.1 uses triple DES for one type of transaction, and 
>   work is proceeding towards adding it to others.
>
> - Some countries ban importing strong crypto, but that's already a
>   problem with non-US.  The kerberized packages would simply go under
>   a new section.  (In my affinity distro, I was putting everything
>   under a new 'coyote' section.)

Plus one more:

- Coding standards in MIT's implementation are sloppy, if not
dangerously insecure. Perhaps this has already been fixed in the latest
version, but last I looked (version 1.0.5 I think), the ftpd daemon
could be tricked into processing an insecure control message when
encryption was turned on. Or perhaps I am entirely confused.

I asked about another problem on comp.protocols.kerberos (is that
correct?) where the command line for rsh is always transmitted
in clear-text, even when encryption is enabled. Yuck!!! I 
only got one response ("I agree") from that newsgroup. Somebody
from the Heimdal group (see below) acknowledged that this is
a known limitation in the current rsh protocol.

(note on above: I suspect the command line is protected from alteration
by something like md5sum, but so far no-one has confirmed or denied
this).

The Heimdal implementation of Kerberos, while still under active
development, and not "officially announced" yet, has more security
checks in its ftpd daemon, and bugs are actively being fixed (the same
person complained to me that this was not the case for MITs version - I
find it hard to believe though).

Personally, I would feel much more comfortable with Kerberos (any
implementation) if there was some sought of secure-audit done on all the
programs.

Something else I like about Heimdal, is its support for kx and kxd,
which will forward X connections. I don't think that is available in
MITs implementation. Of course, this is really a hacked solution,
the proper way would be Kerberos support within the X libraries.

Another issue:

What is the best way to deal with multiple versions of telnet, rsh,
etc?

telnet is easy, just conflict with telnet and telnetd packages, I think
would be sufficient. However, rsh is in netbase (or has that changed
now)?
-- 
Brian May <bam@snoopy.apana.org.au>

Reply to:

Follow-Ups:
- Re: Kerberos, again
  - From: Joost Kooij <joost@pc47.mpn.cp.philips.com>
- Re: Kerberos, again
  - From: Julian Gilbey <J.D.Gilbey@qmw.ac.uk>

References:
- Kerberos, again
  - From: Bear Giles <bear@coyotesong.com>

Prev by Date: Debian Weekly News - October 20th, 1999
Next by Date: Re: lyx_1.0.4-3 replaces lyx_1.0.4-2
Previous by thread: Kerberos, again
Next by thread: Re: Kerberos, again
Index(es):
- Date
- Thread