[1901] in Kerberos-V5-bugs
Re: Review of install.texi
daemon@ATHENA.MIT.EDU (Sam Hartman)
Sun Apr 21 13:58:14 1996
To: John Hawkinson <jhawk@MIT.EDU>
Cc: krb5-bugs@MIT.EDU
From: Sam Hartman <hartmans@MIT.EDU>
Date: 21 Apr 1996 13:58:08 -0400
In-Reply-To: John Hawkinson's message of Sun, 21 Apr 1996 05:10:26 -0400

>>>>> "jhawk" == John Hawkinson <jhawk@MIT.EDU> writes:

jhawk> I just went through install.texi, and did node-by-node comments.
jhawk> Some of them are a bit picky/pedantic, but some of them are real.

Thanks much.

>> File: install, Node: Alpha OSF/1 V1.3, Next: Alpha OSF/1 V2.0++, Prev: Ultrix 4.2/3, Up: OS Incompatibilities
>> There is a bug in OSF/1's fgrep which causes the `configure' script
>> to fail.

jhawk> configure should never fail. Fix the configure script to not call
jhawk> fgrep or to detect the fgrep failure and yell.

I think many of the points in this node are areas that could
be handled sort of by configure, but that we haven't taken time to
deal with because there are larger bugs. Documenting the bugs is
reasonable in this situation.

jhawk> It is misleading to state that host-based services are necessarily
jhawk> less secure than passworded services. In some environments
jhawk> (particularly those firewalled or those that use host-level
jhawk> encryption, like IPsec), it is more reasonable to trust IP addresses
jhawk> than passwords (additionally sending passwords may allow them to be
jhawk> eavesdropped and then later used; if the attacker is not capable of
jhawk> forging IP packets, host-based services are more secure).

Point well taken, but ignored for the present. I don't have
time to restate clearly.

>> host-based services.These services use an IP address or

jhawk> Needs space after period.

Grrh. It's all too easy for me to not notice those. I should
remember to do the appropriate regexp searches.

>> Therefore, if Kerberos4 interoperability is desired or required, try
>> to avoid running unencrypted Kerberos4 services wherever possible. In
>> particular, only enable encrypted `rlogin' if at all possible.

jhawk> Huh? Isn't "telnet -ax site <PAUSE> ^[ enc stat" the most secure option?

No, authenticator replay is useful against telnet, but not
against a host that only runs encrypted rlogin.

--Sam