That was definitely my first impression of Kerberos too. Like "things need to VOLUNTARILY check this... that isn't security!" And that is true-ish for local things; for example, emacs isn't going to check this before it opens a file.
What it does for me, though, is let me use SSH (and not need to manage host keys even!), or Git, or email, or web pages and NOT need to store my plaintext-equivalent password in all of those places. Is it overkill for me? Almost certainly yes!
Disclosure: I wrote the MIT Kerberos implementation of the RC4-HMAC Windows interoperability crypto system... so I am a huge fanboi of Kerberos, and MIT Kerberos specifically ;)
Honestly, that felt like a knee-jerk reaction (LibreSSL), and even more so with Heimdal. Both of those projects get EXTENSIVE scrutiny by being used in so many places and looked at by security researchers and even government agencies... which, yes, that last group definitely has a complicated history with disclosure.
There's this bit too with keeping the GSSAPI KeyExchange code out of openssh... but at least this is consistent if they yoinked Heimdal.
3. Lots of things just expect LDAP for this and natively integrate. Things like Redmine, Trac, etc. (see also account-adjacent information). Without LDAP, each one of these winds up having its own separate user DB that then needs to be managed separately.
That's it, I promise!
2. There's an ever-growing amount of "account-adjacent" information that needs to be coordinated; I use it for the Kerberos keys themselves (so I actually don't have a separate KDC database, the KDC uses LDAP), and the KDC then throws a bunch of other information onto the account that it actually cannot even do with its native DB.
2/3
@cynicalsecurity wow, removed in 5.6, TIL (2014). Listed as improving security; curious to hear more about that.
LDAP: great question, and yeah, to be totally honest it is (at best) an awkward fit with the Unix philosophy. Really it comes down to a few things.
1. There really isn't anything else to securely distribute this information.
1/2
@cynicalsecurity So I use both Kerberos and LDAP at home; in fact I have 3 separate Kerberos domains at home (yes, I know I am not normal). NIS certainly had its elegance in simplicity and LDAP has its issues, but it works pretty well together. I am happy to give pointers and howtos. My setup tends to be a bit BigIron ™️
This is worth sharing.
It's an animated GIF where every frame is a valid QR code that leads to the "Never Gonna Give You Up" rickroll.
That's kind of amazing.
@lattera Do I get more hints than that? 😉
@lattera what are these OOC? I see you post them randomly (ok, they are almost certainly hashes. But of what? And why post them?)
@lattera ouch on those 🥩 prices
A proof of concept: running OpenBSD on the PinePhone https://www.undeadly.org/cgi?action=article;sid=20220126191703 #openbsd #pinephone
@bcallah you’re old!!! Just wait til you start recognizing songs in the grocery store as ones you grew up to! 😂
FreeBSD enthusiast and regular contributor. I have opinions!