Re: HEAD's UP: possible 0day SSH exploit in the wild
pod, Thu Jul 09 2009 21:38:31 GMT+0200 (CEST):
> Peter Jordan <usernetwork@gmx.info> writes:
>
>> It is not my decision to isolate kerberos.
>>
>> Is it safe to open kerberos for the world?
>
> It's not clear that anyone on this list can answer that question since it
> depends on what "safe" and "kerberos" mean in the context of your
> organization. The meaning of "safe" is defined by the organizational
> security policy and the meaning of "kerberos" will depend on which
> implementation has been used.
>
> For example there seems to be a school of thought amongst certain
> deployers of Active Directory (a component of which is a kerberos KDC)
> that it should not be exposed more widely than strictly necessary. There
> are however plenty of deployments of Heimdal and MIT KDCs that are exposed
> to the world and, incidentally, derive much advantage by so doing.
>
>
It would be a standalone MIT KDC (with krb-rsh) on Debian lenny.
"safe" in the sense of "you better attack the services which depend on
kerberos than kerberos itself"
PJ