Discussion: Re: [PATCHES] Removing Kerberos 4

Re: [PATCHES] Removing Kerberos 4

From
"Magnus Hagander"
Date:
> > Last chance for any Kerberos 4 users to speak up --- otherwise I'll
> > apply this soon.
>
> If you just want someone to test it I can do that. I don't
> actually use it normally though.

I don't think "just testing" is enough - somebody needs to actually
maintain it...


> As far as security issues the only issues I'm aware of are a)
> it uses plain DES which is just a 56 bit key and crackable by
> brute force and b) cross-domain authentication is broken.

Yeah. But it has been declared dead by the Kerberos folks
(http://www.faqs.org/faqs/kerberos-faq/general/section-7.html. And this
document is from 2000, and it was declared already then)...


//Magnus

Re: [PATCHES] Removing Kerberos 4

From
Tom Lane
Date:
"Magnus Hagander" <mha@sollentuna.net> writes:
> Yeah. But it has been declared dead by the Kerberos folks
> (http://www.faqs.org/faqs/kerberos-faq/general/section-7.html. And this
> document is from 2000, and it was declared already then)...

Right.  The real question here is who's going to be using a 2005
database release with a pre-2000 security system?  There's a fair
amount of code there and no evidence that time spent on testing
and maintaining it is going to benefit anyone anymore.

If someone wakes up and says "hey, I'm still ACTUALLY using that code",
I'm willing to forbear ... but otherwise I think its time is long gone.

            regards, tom lane

Re: [GENERAL] [PATCHES] Removing Kerberos 4

From
"Jim C. Nasby"
Date:
On Wed, Jun 22, 2005 at 04:39:15PM -0400, Tom Lane wrote:
> "Magnus Hagander" <mha@sollentuna.net> writes:
> > Yeah. But it has been declared dead by the Kerberos folks
> > (http://www.faqs.org/faqs/kerberos-faq/general/section-7.html. And this
> > document is from 2000, and it was declared already then)...
>
> Right.  The real question here is who's going to be using a 2005
> database release with a pre-2000 security system?  There's a fair
> amount of code there and no evidence that time spent on testing
> and maintaining it is going to benefit anyone anymore.
>
> If someone wakes up and says "hey, I'm still ACTUALLY using that code",
> I'm willing to forbear ... but otherwise I think its time is long gone.

While I agree, if it's easy to just disable kerb without actually
ripping the code out right now that might be a tad 'safer', as there
might be some users who are using it but don't read the mailing lists.

Has Kerb4 been marked as deprecated in the docs at all? If not it might
be best to just do that and then yank it later.
--
Jim C. Nasby, Database Consultant               decibel@decibel.org
Give your computer some brain candy! www.distributed.net Team #1828

Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"