To: krb5-bugs@mit.edu
Subject: VU#623217 VU#442569: krb4 insecure
Date: Sun, 16 Mar 2003 19:56:29 -0500 (EST)
From: hartmans@MIT.EDU (Sam Hartman)


Kerberos v4 cross-realm has cryptographic weaknesses. There are also
weaknesses in the 3DES krb4 support MIT introduced.

This is a tracking bug for the fixes to this.

From: hartmans@mit.edu
Subject: CVS Commit
Disable krb4 cross-realm in krb524d and krb5kdc. Provide an option to
reenable (-X) which prints a warning that you are creating a security
hole.

Remove support for generating krb4 tickets encrypted using 3DES
service keys as it is insecure. They are still accepted however.

The KDC is much more strict about accepting only tickets that it would
have issued in the current configuration. In particular if the KDC
would choose some enctype for writing a TGT, other enctypes will not
be accepted when using a TGT.


To generate a diff of this commit:



cvs diff -r5.251 -r5.252 krb5/src/kdc/ChangeLog
cvs diff -r5.53 -r5.54 krb5/src/kdc/kdc_util.h
cvs diff -r5.87 -r5.88 krb5/src/kdc/kerberos_v4.c
cvs diff -r5.115 -r5.116 krb5/src/kdc/main.c
cvs diff -r1.122 -r1.123 krb5/src/krb524/ChangeLog
cvs diff -r1.28 -r1.29 krb5/src/krb524/cnv_tkt_skey.c
cvs diff -r1.55 -r1.56 krb5/src/krb524/krb524d.c
cvs diff -r5.147 -r5.148 krb5/src/lib/kdb/ChangeLog
cvs diff -r5.16 -r5.17 krb5/src/lib/kdb/keytab.c
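A defender reading this commit mostly wants to know whether the insecure krb4 cross-realm mode has been switched back on in production. The following is an added example, not MIT code and not part of this ticket: it audits daemon command lines (for instance the output of `ps -eo args`) for the `-X` re-enable option described above. It assumes that krb5kdc and krb524d take single-letter getopt-style options, so `-X` may appear alone or clustered with other flags; the process lines below are constructed sample input, and the `-n` and `-r` flags in them are illustrative only.

```python
"""Audit krb5kdc / krb524d command lines for the -X option that re-enables
krb4 cross-realm (added example; assumes getopt-style single-letter options)."""
import shlex

# Daemons affected by the commit above (assumption: invoked by these names).
WATCHED_DAEMONS = ("krb5kdc", "krb524d")


def parse_short_opts(argv):
    """Return the set of single-letter options present in argv.

    Clustered flags such as -nX are expanded; parsing stops at '--'.
    Caveat: an option argument glued to its flag (e.g. -rEXAMPLE) is also
    expanded letter by letter, which can produce a false positive if that
    argument contains an 'X'. Review such hits by hand.
    """
    opts = set()
    for arg in argv[1:]:
        if arg == "--":
            break
        if arg.startswith("-") and len(arg) > 1 and not arg.startswith("--"):
            opts.update(arg[1:])
    return opts


def audit_command_line(cmdline):
    """Classify one process command line.

    Returns None for processes we do not care about, otherwise a dict with the
    daemon name and whether krb4 cross-realm has been re-enabled with -X.
    """
    argv = shlex.split(cmdline)
    if not argv:
        return None
    daemon = argv[0].rsplit("/", 1)[-1]
    if daemon not in WATCHED_DAEMONS:
        return None
    return {
        "daemon": daemon,
        "cmdline": cmdline,
        "cross_realm_enabled": "X" in parse_short_opts(argv),
    }


def audit_process_list(lines):
    """Return findings for every watched daemon started with -X."""
    findings = []
    for line in lines:
        result = audit_command_line(line)
        if result and result["cross_realm_enabled"]:
            findings.append(result)
    return findings


# Constructed sample process list; not captured from a real host.
SAMPLE_PS_OUTPUT = [
    "/usr/sbin/krb5kdc -r EXAMPLE.COM",
    "/usr/sbin/krb524d -X",
    "/usr/sbin/krb5kdc -nX -r EXAMPLE.COM",
    "sshd: /usr/sbin/sshd -D",
]

if __name__ == "__main__":
    for finding in audit_process_list(SAMPLE_PS_OUTPUT):
        print("krb4 cross-realm re-enabled:", finding["daemon"], "::", finding["cmdline"])
```

The check deliberately reports the whole command line so that a reviewer can distinguish a genuine `-X` from the glued-argument false positive described in the comment; on a hardened KDC the expected result is no findings at all.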

From: tlyu@mit.edu
Subject: CVS Commit
Pull up fix for [1385].


To generate a diff of this commit:



cvs diff -r5.251 -r5.251.2.1 krb5/src/kdc/ChangeLog
cvs diff -r5.53 -r5.53.2.1 krb5/src/kdc/kdc_util.h
cvs diff -r5.87 -r5.87.2.1 krb5/src/kdc/kerberos_v4.c
cvs diff -r5.115 -r5.115.2.1 krb5/src/kdc/main.c
cvs diff -r1.122 -r1.122.2.1 krb5/src/krb524/ChangeLog
cvs diff -r1.28 -r1.28.2.1 krb5/src/krb524/cnv_tkt_skey.c
cvs diff -r1.55 -r1.55.2.1 krb5/src/krb524/krb524d.c
cvs diff -r5.147 -r5.147.2.1 krb5/src/lib/kdb/ChangeLog
cvs diff -r5.16 -r5.16.2.1 krb5/src/lib/kdb/keytab.c