Xref: sserve comp.sys.powerpc:31085 comp.sys.intel:27925 comp.os.misc:3656 comp.unix.bsd:15806 comp.unix.pc-clone.32bit:7960 comp.unix.sys5.r4:9005 comp.unix.misc:15396 comp.os.linux.development:22018 comp.os.linux.misc:32760 comp.os.linux.misc:32761 comp.os.386bsd.development:2969 comp.os.386bsd.misc:4656
Path: sserve!newshost.anu.edu.au!munnari.oz.au!yarrina.connect.com.au!harbinger.cc.monash.edu.au!msunews!uwm.edu!spool.mu.edu!bloom-beacon.mit.edu!senator-bedfellow.mit.edu!yaz-pistachio.MIT.EDU!ghudson
From: ghudson@mit.edu (Greg Hudson)
Newsgroups: comp.sys.powerpc,comp.sys.intel,comp.os.misc,comp.unix.bsd,comp.unix.pc-clone.32bit,comp.unix.sys5.r4,comp.unix.misc,comp.os.linux.development,comp.os.linux.misc,comp.os.linux.misc,comp.os.386bsd.development,comp.os.386bsd.misc
Subject: Re: Interested in PowerPC for Linux / FreeBSD / NetBSD?
Followup-To: comp.sys.powerpc,comp.sys.intel,comp.os.misc,comp.unix.bsd,comp.unix.pc-clone.32bit,comp.unix.sys5.r4,comp.unix.misc,comp.os.linux.development,comp.os.linux.misc,comp.os.linux.misc,comp.os.386bsd.development,comp.os.386bsd.misc
Date: 31 Dec 1994 07:57:43 GMT
Organization: Massachvsetts Institvte of Technology
Lines: 29
Message-ID: <3e32tn$2ii@senator-bedfellow.MIT.EDU>
References: <3cilp3$143@news-2.csn.net> <3d4ucp$sbn@hearst.cac.psu.edu> <SCHWARTZ.94Dec31002050@galapagos.cse.psu.edu>
NNTP-Posting-Host: yaz-pistachio.mit.edu
X-Newsreader: TIN [version 1.2 PL2]

(I hate to crosspost to this many newsgroups, but I don't know which groups are read by the people in this particular subthread, nor is there a group appropriate for discussions of NFS security. Do all of the people involved read comp.os.linux.development?)

Scott Schwartz (schwartz@galapagos.cse.psu.edu) wrote:
: Fine, but given the must-have thing you mention just above, they can
: just use that with no hassles. Why have two things in the os when one
: will do?

The problem is that most distributed security software doesn't work in a vacuum. To use Kerberos, you need a physically secure and network-secure machine at your site which contains a database of secret keys. Setting this up isn't terribly hard (some of my friends boast that they can do it while holding their breath), but securing the machine is both difficult and expensive. A security system based on public-key encryption would eliminate the need for keeping the master database secret, but client machines still need a secure (though not private) channel to the master database, and you need to protect it from tampering. There is a long way to go to achieve reliable distributed security with "no hassles."

That said, I think Kerberos is highly preferable to traditional, draconian security measures such as firewalls, in terms of the level of security (a firewall doesn't protect against inside jobs), the level of flexibility, and the level of accountability. I suppose this isn't too surprising coming from an MIT student, though.