
Date: Mon, 23 Oct 2006 10:36:07 -0500 (CDT)
From: Mike Dopheide <dopheide@ncsa.uiuc.edu>
To: kfw-bugs@mit.edu
Subject: Re: kfw-3.1-beta-2 is available

No problems on WinXP with kfw 3.1-beta-2 or 3.0. The password change
takes place and credentials are obtained. (KDC version MIT 1.4.3)

-Dop

On Sat, 21 Oct 2006, Jeffrey Altman wrote:

> There has been a report indicating that there is a problem with
> the use of NIM to obtain credentials for principals whose password
> has expired. I have been unable to replicate the problem. I would
> appreciate it if other users could try to obtain credentials for a
> principal with an expired password and report back to kfw-bugs@mit.edu
> if there is a problem.
>
> Thanks.
>
> Jeffrey Altman
> Secure Endpoints Inc.
>
> Tom Yu wrote:
>> The MIT Kerberos Development Team is proud to announce the second *BETA*
>> release of the next revision of our Kerberos for Windows product,
>> Version 3.1.
>>
>> Please send bug reports and feedback to kfw-bugs@mit.edu.
>>
>> What's New:
>> ===========
>>
>> Version 3.1 fixes bugs and adds minor functionality:
>>
>> * Improvements to the Network Identity Manager
>>
>> 1. A serious memory leak has been fixed
>>
>> 2. Principal names containing numbers are no longer considered
>> invalid
>>
>> 3. Locales other than en_US are now supported
>>
>> 4. Arbitrary sort ordering of credentials
>>
>> 5. Support for FILE: ccaches
>>
>> 6. Credential properties may be selected by the user for display
>>
>> 7. User selected font support
>>
>> 8. Tool Tip support added to the Toolbar
>>
>> 9. Identities can be added without obtaining credentials
>>
>> 10. Kerberos 5 Realm editor has been added
>>
>> * The MSLSA: ccache is disabled in WOW64 environments prior to Microsoft
>> Windows Vista Beta 2 (Windows XP 64, 2003 64, etc.)
>>
>> * The installers are built using the latest toolkit versions NSIS (2.18)
>> and WIX (2.0.4220.0)
>>
>>
>> Version 3.0 provided several often requested new features:
>>
>> * thread-safe Kerberos 5 libraries (provided by Kerberos 5 release
>> 1.4.4)
>>
>> * a replacement for the Leash Credential Manager called the Network
>> Identity Manager
>>
>> - a visually enticing application that takes advantage of all of the
>> modern XP style User Interface enhancements
>>
>> - supports the management of multiple Kerberos 5 identities in a
>> variety of credential cache types including CCAPI and FILE.
>>
>> - credentials can be organized by credential cache location or by
>> identity
>>
>> - a single identity can be marked as the default for use by
>> applications that request the current default credential cache
>>
>> - Network Identity Manager is built upon the Khimaira Identity
>> Management Framework introduced this past summer at the AFS &
>> Kerberos Best Practices Conference at CMU.
>>
>> - Credential Managers for Kerberos 5 and Kerberos 4 are provided.
>> Credential Managers for other credential types including AFS
>> and KX.509/KCA are available. Contact Secure Endpoints Inc.
>> for details. <https://www.secure-endpoints.com>
>>
>> - The Khimaira framework is a pluggable engine into which custom
>> Identity Managers and Credential Managers can be added.
>> Organizations interested in building plug-ins for the Network
>> Identity Manager may contact Jeffrey Altman at
>> jaltman@secure-endpoints.com
>>
>> * a Kerberos specific WinLogon Network Provider that will use the
>> username and password combined with the MIT Kerberos default realm in
>> an effort to obtain credentials at session logon
>>
>>
>> Important changes since the 2.6.5 release:
>> ==========================================
>>
>> * This release requires 32-bit editions of Microsoft Windows 2000 or
>> higher. Support for Microsoft Windows 95, 98, 98 Second Edition, ME,
>> and NT 4.0 has been discontinued. Users of discontinued platforms
>> should continue to use MIT Kerberos for Windows 2.6.5.
>>
>> * Version 3.0 does not include any internal support for AFS. The
>> aklog.exe utility now ships as a part of OpenAFS for Windows.
>> <http://www.openafs.org/windows.html> The Secure Endpoints Inc. AFS
>> credential manager for the Network Identity Manager has been incorporated
>> into OpenAFS for Windows 1.5.9 and above.
>>
>>
>> Downloads
>> =========
>>
>> Binaries and source code can be downloaded from the MIT Kerberos web site:
>> http://web.mit.edu/kerberos/
>>
>>
>> Acknowledgments
>> ===============
>>
>> The MIT Kerberos team would like to thank Secure Endpoints Inc.
>> <https://www.secure-endpoints.com> for its support during the development
>> of this release.
>>
>>
>>
>> Important notice regarding Kerberos 4 support
>> =============================================
>>
>> In the past few years, several developments have shown the inadequacy
>> of the security of version 4 of the Kerberos protocol. These
>> developments have led the MIT Kerberos Team to begin the process of
>> ending support for version 4 of the Kerberos protocol. The plan
>> involves the eventual removal of Kerberos 4 support from the MIT
>> implementation of Kerberos.
>>
>> The Data Encryption Standard (DES) has reached the end of its useful
>> life. DES is the only encryption algorithm supported by Kerberos 4,
>> and the increasingly obvious inadequacy of DES motivates the
>> retirement of the Kerberos 4 protocol. The National Institute of
>> Standards and Technology (NIST), which had previously certified DES as
>> a US government encryption standard, has officially announced[1] the
>> withdrawal of the Federal Information Processing Standards (FIPS) for
>> DES.
>>
>> NIST's action reflects the long-held opinion of the cryptographic
>> community that DES has too small a key space to be secure. Breaking
>> DES encryption by an exhaustive search of its key space is within the
>> means of some individuals, many companies, and all major governments.
>> Consequently, DES cannot be considered secure for any long-term keys,
>> particularly the ticket-granting key that is central to Kerberos.
>>
>> Serious protocol flaws[2] have been found in Kerberos 4. These flaws
>> permit attacks which require far less effort than an exhaustive search
>> of the DES key space. These flaws make Kerberos 4 cross-realm
>> authentication an unacceptable security risk and raise serious
>> questions about the security of the entire Kerberos 4 protocol.
>>
>> The known insecurity of DES, combined with the recently discovered
>> protocol flaws, make it extremely inadvisable to rely on the security
>> of version 4 of the Kerberos protocol. These factors motivate the MIT
>> Kerberos Team to remove support for Kerberos version 4 from the MIT
>> implementation of Kerberos.
>>
>> The process of ending Kerberos 4 support began with release 1.3 of MIT
>> Kerberos 5. In release 1.3, the default run-time configuration of the
>> KDC disables support for version 4 of the Kerberos protocol. Release 1.4
>> of MIT Kerberos continues to include Kerberos 4 support (also disabled
>> in the KDC with the default run-time configuration), but we intend to
>> completely remove Kerberos 4 support from some future release of MIT
>> Kerberos.
>>
>> The MIT Kerberos Team has ended active development of Kerberos 4,
>> except for the eventual removal of all Kerberos 4 functionality. We
>> will continue to provide critical security fixes for Kerberos 4, but
>> routine bug fixes and feature enhancements are at an end.
>>
>> We recommend that any sites which have not already done so begin a
>> migration to Kerberos 5. Kerberos 5 provides significant advantages
>> over Kerberos 4, including support for strong encryption,
>> extensibility, improved cross-vendor interoperability, and ongoing
>> development and enhancement.
>>
>> If you have questions or issues regarding migration to Kerberos 5, we
>> recommend discussing them on the kerberos@mit.edu mailing list.
>>
>> References
>>
>> [1] National Institute of Standards and Technology. Announcing
>> Approval of the Withdrawal of Federal Information Processing
>> Standard (FIPS) 43-3, Data Encryption Standard (DES); FIPS 74,
>> Guidelines for Implementing and Using the NBS Data Encryption
>> Standard; and FIPS 81, DES Modes of Operation. Federal Register
>> 05-9945, 70 FR 28907-28908, 19 May 2005. DOCID:fr19my05-45
>>
>> [2] Tom Yu, Sam Hartman, and Ken Raeburn. The Perils of
>> Unauthenticated Encryption: Kerberos Version 4. In Proceedings of
>> the Network and Distributed Systems Security Symposium. The
>> Internet Society, February 2004.
>> http://web.mit.edu/tlyu/papers/krb4peril-ndss04.pdf
>>
>
> _______________________________________________
> kerberos-announce mailing list
> kerberos-announce@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos-announce
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
Thank you for the report

(my confidence in this release is growing.)