Minimal Install Option

Chris Ricker kaboom at gatech.edu
Thu Aug 21 20:47:10 UTC 2003 

On Thu, 21 Aug 2003, Bill Anderson wrote:

> > Wrong one. I wanted pam_krb5, which was also on your list. Makes sense on 
> > interior routers (as might ssh, for the same reasons/uses), doesn't on 
> > exterior.
> 
> Ahh, ok. However, below, you say no logging in remotely at all, so why
> pam_krb at all then? The only time someone should need to log into a
> firewall/router, is for administrative purposes.

Right, but we're talking about different machines there.

My point, which seems to have been lost in all sorts of security - related 
sidetracks, was that "firewall / router" is not one category. It's all of:

* interior router in large organization, preferably managed out-of-band over 
serial but probably managed in-band b/c the realities are what they are

* border router in large organization, possibly managed in-band, possibly 
out-of-band

* interior firewall in large organization -- you often see both there

* border firewall in large organization -- managed out-of-band, usually

* home firewall, no dhcp 

* home firewall, need dhcp


And that's nowhere near to covering all of them, ignores smaller shops
(where pretty much everything is managed remotely in-band, often by 3rd
parties), is based on my opinions / perceptions / experience -- which 
probably don't match yours, and uses broad categorizations like border or 
interior which don't really neatly apply

Having one category that happily fits all those just isn't going to happen.

The closest would be something more like the debian install -- do a minimal 
install of basically kernel + libc + network (if needed), then boot into the 
new machine and install the rest using firstboot. And even that's likely to 
not make everyone happy, since we can't even seem to decide if ftp or http 
or both clients should be included! ;-)

> To my understanding (correct me if I'm wrong here) Kerberos only handles
> auth, it does not encrypt traffic.

yes, mostly. It does offer encrypted replacements for some protocols 
(telnet, part of the ftp connection, rprotocols), but generally it's a
secure authentication protocol

> Thus, moving files to it using kerberos auth will still leave those files
> plaintext over the wire. Thus, for things like this ssh is a more secure
> -in general- option.

They're not either-ors. You can use krb for scp authentication, for example.

later,
chris

More information about the fedora-test-list mailing list