Обсуждение: Re: [PATCHES] Removing Kerberos 4
> > Last chance for any Kerberos 4 users to speak up --- otherwise I'll > > apply this soon. > > If you just want someone to test it I can do that. I don't > actually use it normally though. I don't think "just testing" is enough - somebody needs to actually maintain it... > As far as security issues the only issues I'm aware of is a) > it uses plain DES which is just a 56 bit key and crackable by > brute force and b) cross-domain authentication is broken. Yeah. But it has been declared dead by the Kerberos folks (http://www.faqs.org/faqs/kerberos-faq/general/section-7.html. And this document is from 2000, an dit was declared already then)... //Magnus
"Magnus Hagander" <mha@sollentuna.net> writes: > Yeah. But it has been declared dead by the Kerberos folks > (http://www.faqs.org/faqs/kerberos-faq/general/section-7.html. And this > document is from 2000, an dit was declared already then)... Right. The real question here is who's going to be using a 2005 database release with a pre-2000 security system? There's a fair amount of code there and no evidence that time spent on testing and maintaining it is going to benefit anyone anymore. If someone wakes up and says "hey, I'm still ACTUALLY using that code", I'm willing to forbear ... but otherwise I think its time is long gone. regards, tom lane
On Wed, Jun 22, 2005 at 04:39:15PM -0400, Tom Lane wrote: > "Magnus Hagander" <mha@sollentuna.net> writes: > > Yeah. But it has been declared dead by the Kerberos folks > > (http://www.faqs.org/faqs/kerberos-faq/general/section-7.html. And this > > document is from 2000, an dit was declared already then)... > > Right. The real question here is who's going to be using a 2005 > database release with a pre-2000 security system? There's a fair > amount of code there and no evidence that time spent on testing > and maintaining it is going to benefit anyone anymore. > > If someone wakes up and says "hey, I'm still ACTUALLY using that code", > I'm willing to forbear ... but otherwise I think its time is long gone. While I agree, if it's easy to just disable kerb without actually ripping the code out right now that might be a tad 'safer', as there might be some users who are using it but don't read the mailling lists. Has Kerb4 been marked as depricated in the docs at all? If not it might be best to just do that and then yank it later. -- Jim C. Nasby, Database Consultant decibel@decibel.org Give your computer some brain candy! www.distributed.net Team #1828 Windows: "Where do you want to go today?" Linux: "Where do you want to go tomorrow?" FreeBSD: "Are you guys coming, or what?"