
Re: Kerberos V anyone?



>>>>> "Alexander" == Alexander Hvostov <vulture@aoi.dyndns.org> writes:

    Alexander> Brian, Ah, yes. I knew I saw something about Kerberos V
    Alexander> in the package lists.

    Alexander> How good is Heimdal, security/progress wise?

progress wise:

It mostly works, but some bugs still exist. E.g. with the version in
woody, I cannot get ftp to work. The version in potato works fine.  I
haven't had time to look at the problem yet, but it looks like the
client cannot decrypt messages from the server for some reason.

I frequently run cvs over kerberos rsh without any problems (although
compression would be nice...).

The only thing I currently miss is not being able to run debsign via
some sort of Kerberos process. Files can be copied using rsync and
rsh, but gpg needs a TTY in order to ask for the pass-phrase.  rsh does
not allocate a TTY for it.

Heimdal (not sure what version, I think the potato version has it
though) now supports putting realm configuration information into DNS
rather than relying on /etc/krb5.conf.


security wise:

I don't think either implementation has had security closely audited
(especially the BSD type apps, as distinct from the Kerberos
libraries), and I would be cautious with using them to secure mission
critical systems, without checking the source code first.

The rsh protocol needs to be updated, the current version (used by
both implementations) sends the command line in clear text, even with
encryption enabled (I think it is secured from alteration though).

Also, I seem to remember I had some concerns with the FTP
client/server accepting clear messages, even if encryption was
enabled. IIRC, MIT was worse than Heimdal in this regard (I don't
think Heimdal was a security risk), but both may have been fixed since
I last checked.


I hope that explains the situation...
-- 
Brian May <bam@debian.org>