On Thu, 21 Aug 2003, Bill Anderson wrote:
Just for a few examples:
krb5-workstation
might be good on a router -- give you secure in-band management capabilities
The package itself in its description says it is for workstations.
Wrong one. I wanted pam_krb5, which was also on your list. Makes sense on interior routers (as might ssh, for the same reasons/uses), doesn't on exterior.
I definitely want this on a router
Why? Why should a router/firewall be downloading web pages, etc.?
to download files to it when I'm setting it up, patching it, etc.
A minimal install should provide no external services beyond SSH, especially when listed as a firewall/router install.
a firewall shouldn't provide any external services. manage them out-of-band
I'm not sure you are disagreeing with me here. Are you saying don't remote log in to a firewall at all, or are you agreeing with me?
I'm disagreeing. The last thing a fw should do is run a service, let alone one with the security history of ssh.... Manage over serial.
later, chris