Nomen Nescio <nobody@dizum.com> wrote:

> Sincerest thanks for the explanation Marco.

The services running by default are secure and required for running OpenBSD reliably. SMTP is running on localhost so it cannot be remotely compromised. Time services (time, daytime) are secure -they will ignore any input as syslogd does by default right now- and useful for time synchronization (using rdate(1)) without requiring a full NTP server running on one of the local network servers. auth is not a dangerous service either and required for sending email to some external systems (and for IRC too, but it is not the main reason it is enabled by default). Some MTAs will reject or delay connections when this service is not running.

As you can see, most services are running on the loopback interface or can be trusted (will send information but never accept input from remote hosts). As outlined in this post, privilege separation makes an attack against these services mostly useless even if it is successful.

> Perhaps one less thing for me to worry about.

Sure, OpenBSD is a nicely closed operating system these days. Any service running by default is configured at its most secure defaults. Just enjoy the quality of the operating system without worrying about security weaknesses (at least if you do not enable unsecure services, do not make serious management mistakes, and upgrade the operating system at least one or two times each year).

In any case, I do not like OpenBSD because it is secure. I like it because it is the best documented operating system I know of, it is highly reliable, and developers care about details that other projects will just ignore. In other words, I do not like OpenBSD because it is secure but because it is just the best operating system available in both servers and workstations.

(I like the design of OpenVMS too, but it does not run on the platforms I usually own and it is expensive -even under the hobbyist program, the requirement to upgrade the licenses each year makes it a dangerous choice-)

Cheers,
Igor.
| |||
IIRC, AFS uses Kerberos 4 as its authentication layer. So Kerb 4 is not entirely useless... at least for AFS users on OpenBSD.

--
Replying directly will get you locally blacklisted. Change the address; use my first name in front of the @ if you want to communicate privately.
| ||||
Josh Grosse <spamtrap@jggimi.homeip.net> wrote:

> IIRC, AFS uses Kerberos 4 as its authentication layer. So Kerb 4 is not
> entirely useless... at least for AFS users on OpenBSD.

Hi Josh.

Thanks a lot for your feedback. Indeed, Kerberos 4 is still supported in heimdal. It can serve Kerberos version 4 clients by removing pre-authentication, and has the ability to respond to Kerberos 4 requests (--kerberos4). I read about it some days ago, but I just dropped this thread and did not provide feedback.

Cheers,
Igor.