Minimal Install Option
Chris Ricker
kaboom at gatech.edu
Thu Aug 21 20:47:10 UTC 2003
On Thu, 21 Aug 2003, Bill Anderson wrote:
> > Wrong one. I wanted pam_krb5, which was also on your list. Makes sense on
> > interior routers (as might ssh, for the same reasons/uses), doesn't on
> > exterior.
>
> Ahh, ok. However, below, you say no logging in remotely at all, so why
> pam_krb at all then? The only time someone should need to log into a
> firewall/router is for administrative purposes.
Right, but we're talking about different machines there.
My point, which seems to have been lost in all sorts of security-related
sidetracks, was that "firewall / router" is not one category. It's all of:
* interior router in large organization, preferably managed out-of-band over
serial but probably managed in-band b/c the realities are what they are
* border router in large organization, possibly managed in-band, possibly
out-of-band
* interior firewall in large organization -- you often see both there
* border firewall in large organization -- managed out-of-band, usually
* home firewall, no dhcp
* home firewall, need dhcp
And that's nowhere near to covering all of them, ignores smaller shops
(where pretty much everything is managed remotely in-band, often by 3rd
parties), is based on my opinions / perceptions / experience -- which
probably don't match yours, and uses broad categorizations like border or
interior which don't really neatly apply.
Having one category that happily fits all those just isn't going to happen.
The closest would be something more like the Debian install -- do a minimal
install of basically kernel + libc + network (if needed), then boot into the
new machine and install the rest using firstboot. And even that's likely to
not make everyone happy, since we can't even seem to decide if ftp or http
or both clients should be included! ;-)
> To my understanding (correct me if I'm wrong here) Kerberos only handles
> auth, it does not encrypt traffic.
Yes, mostly. It does offer encrypted replacements for some protocols
(telnet, part of the ftp connection, r-protocols), but generally it's a
secure authentication protocol.
> Thus, moving files to it using kerberos auth will still leave those files
> plaintext over the wire. Thus, for things like this ssh is a more secure
> -in general- option.
They're not either-ors. You can use krb for scp authentication, for example.
later,
chris