From tlyu at MIT.EDU Wed Jul 9 00:51:42 2003
From: tlyu at MIT.EDU (Tom Yu)
Date: Tue Jul 8 23:53:30 2003
Subject: krb5-1.3 is released

The MIT Kerberos Team announces the availability of MIT Kerberos 5 Release 1.3. Please see below for a list of some major changes since krb5-1.2.8, or consult the README file in the source tree for a more detailed list of significant changes.

RETRIEVING KERBEROS 5 RELEASE 1.3
=================================

You may retrieve the Kerberos 5 Release 1.3 source from the following URL:

    http://web.mit.edu/network/kerberos-form.html

The homepage for the krb5-1.3 release is:

    http://web.mit.edu/kerberos/www/krb5-1.3/

Further information about Kerberos 5 may be found at the following URL:

    http://web.mit.edu/kerberos/www/

MAJOR CHANGES SINCE RELEASE 1.2.8
=================================

* We now install the compile_et program, so other packages can use the installed com_err library with their own error tables. (If you use our com_err code, that is; see below.)

* The header files we install now assume ANSI/ISO C ('89, not '99). We have stopped testing on SunOS 4, even with gcc. Some of our code now has C89-based assumptions, like free(NULL) being well defined, that will probably frustrate any attempts to run this code under SunOS 4 or other pre-C89 systems.

* Some new code, bug fixes, and cleanup for IPv6 support. Most of the code should support IPv6 transparently now. The RPC code (and therefore the admin system, which is based on it) does not yet support IPv6. The support for Kerberos 4 may work with IPv6 in very limited ways, if the address checking is turned off. The FTP client and server do not have support for the new protocol messages needed for IPv6 support (RFC 2429).

* We have upgraded to autoconf 2.52 (or later), and the syntax for specifying certain configuration options has changed. For example, autoconf 2.52 configure scripts let you specify command-line options like "configure CC=/some/path/foo-cc", so we have removed some of our old options like --with-cc in favor of this approach.

* The client libraries can now use TCP to connect to the KDC. This may be necessary when talking to Microsoft KDCs (domain controllers), if they issue you tickets with lots of PAC data.

* If you have versions of the com_err or ss installed locally, you can use the --with-system-et and --with-system-ss configure options to use them rather than using the versions supplied here. Note that the interfaces are assumed to be similar to those we supply; in particular, some older, divergent versions of the com_err library may not work with the krb5 sources. Many configure-time variables can be used to help the compiler and linker find the installed packages; see the build documentation for details.

* The AES cryptosystem has been implemented. However, support in the Kerberos GSSAPI mechanism has not been written (or even fully specified), so it's not fully enabled. See the documentation for details.

=========================
Tom Yu
MIT Information Systems
Kerberos Development Team

From tlyu at MIT.EDU Thu Jul 10 16:24:15 2003
From: tlyu at MIT.EDU (Tom Yu)
Date: Thu Jul 10 15:40:13 2003
Subject: MIT Kerberos for Windows 2.5 beta 3 is released

The MIT Kerberos Team announces the availability of MIT Kerberos for Windows 2.5 beta 3, the first public testing release.

Major new features of this release include:

- Based on MIT Kerberos v5 1.3
- Numerous enhancements to Leash

Please consult the Release Notes file for further details on changes.

The distribution packages and Release Notes are available from the authorized downloads link on the MIT Kerberos web page,

From tlyu at MIT.EDU Thu Jul 10 16:27:09 2003
From: tlyu at MIT.EDU (Tom Yu)
Date: Thu Jul 10 15:40:13 2003
Subject: Updated Kerberos Extras for Mac OS X is released

The MIT Kerberos Team announces that an updated Kerberos Extras for Mac OS X 10.2 and later is now available.

Kerberos Extras for Mac OS X allows CFM applications to access the Kerberos functionality built into Mac OS X. This new version of Kerberos Extras installs a CFM support file which works on both Mac OS X 10.2 (Jaguar) and Mac OS X 10.3 (Panther) and supersedes previous Kerberos Extra releases.

Further information including download link is available from:

From tlyu at MIT.EDU Thu Jul 24 19:39:03 2003
From: tlyu at MIT.EDU (Tom Yu)
Date: Thu Jul 24 18:42:59 2003
Subject: serious protocol interop bug in krb5-1.3

The krb5-1.3 release has a serious problem: it fails to correctly implement the ETYPE-INFO2 preauthentication type, in both client and server code. This can cause a failure to obtain tickets. We strongly suggest that krb5-1.3 not be deployed in production systems, especially on client platforms. The upcoming krb5-1.3.1 release should fix this problem. Code older than krb5-1.3 will ignore ETYPE-INFO2 completely.

A krb5-1.3 client will fail to get an initial ticket if the following conditions are true:

* Client requests an initial ticket from a conforming KDC (e.g., not a krb5-1.3 KDC).

* Client receives an ETYPE-INFO2 containing the optional "salt" element. This will only happen if the KDC knows a client principal key that was generated using a non-default salt, e.g., the v4 salt.

The krb5-1.3.1 release, currently in beta test, will issue the correct ETYPE-INFO2. For compatibility, the krb5-1.3.1 client library will accept the incorrect ETYPE-INFO2 encoding emitted by a krb5-1.3 KDC. We expect that the final krb5-1.3.1 release will happen next week.

NOTE
====

Lack of existing problems in an installation does not indicate that future upgrades will be successful; a krb5-1.3 client may not exhibit any obvious failure modes until attempting to communicate with a KDC that emits the correct ETYPE-INFO2 encoding. Even then, it will only fail if non-default key salts are used. The Kerberos v4 salt is the most common non-default salt, and is frequently present in sites that have migrated from Kerberos v4.

DETAILS
=======

The underlying problem is that the implementation of ETYPE-INFO2 in krb5-1.3 fails to match the latest internet-draft of the Kerberos protocol specification. The client will erroneously reject a response from the KDC containing a conforming ETYPE-INFO2, since the client will parse it as containing a malformed ETYPE-INFO2. This prevents a krb5-1.3 client from working with a conforming KDC if one happens to be deployed later.

This is documented as ticket #1681 in our bug database.

The main MIT Kerberos web page is

    http://web.mit.edu/kerberos/

Updates on the situation will be posted there.

=========================
Tom Yu
MIT Information Systems
Kerberos Development Team

From tlyu at MIT.EDU Fri Jul 25 15:57:28 2003
From: tlyu at MIT.EDU (Tom Yu)
Date: Fri Jul 25 14:58:58 2003
Subject: MIT Kerberos for Windows 2.5 beta 4 is released

The MIT Kerberos Team announces the availability of MIT Kerberos for Windows 2.5 beta 4, the second public testing release.

Major new features of this release include:

- Based on MIT Kerberos v5 1.3.1 beta 1
- Numerous enhancements to Leash
- Several compatibility problems were fixed from KfW 2.5 beta 3

Please consult the Release Notes file for further details on changes.

The distribution packages and Release Notes are available from the authorized downloads link on the MIT Kerberos web page,

From tlyu at MIT.EDU Fri Aug 1 16:22:27 2003
From: tlyu at MIT.EDU (Tom Yu)
Date: Fri Aug 1 15:25:01 2003
Subject: krb5-1.3.1 is released

The MIT Kerberos Team announces the availability of MIT Kerberos 5 Release 1.3.1. Please see below for a list of some major changes since krb5-1.3, or consult the README file in the source tree for a more detailed list of significant changes.

RETRIEVING KERBEROS 5 RELEASE 1.3.1
===================================

You may retrieve the Kerberos 5 Release 1.3.1 source from the following URL:

    http://web.mit.edu/network/kerberos-form.html

The homepage for the krb5-1.3.1 release is:

    http://web.mit.edu/kerberos/krb5-1.3/

Further information about Kerberos 5 may be found at the following URL:

    http://web.mit.edu/kerberos/

MAJOR CHANGES SINCE RELEASE 1.3
===============================

* The incorrect encoding of the ETYPE-INFO2 preauthentication hint is no longer emitted, and both the incorrect and the correct encodings of ETYPE-INFO2 are now accepted. We STRONGLY encourage deploying krb5-1.3.1 in preference to 1.3, especially on client installations, as the 1.3 release did not conform to the internet-draft for the revised Kerberos protocol in its encoding of ETYPE-INFO2.

* The non-caching getaddrinfo() API on Mac OS X, which was causing significant slowdowns under some circumstances, has been worked around.

=========================
Tom Yu
MIT Information Systems
Kerberos Development Team

From tlyu at MIT.EDU Thu Aug 7 14:12:40 2003
From: tlyu at MIT.EDU (Tom Yu)
Date: Thu Aug 7 13:14:51 2003
Subject: MIT Kerberos for Windows 2.5 beta 5 is released

The MIT Kerberos Team announces the availability of MIT Kerberos for Windows 2.5 beta 5, the third public testing release.

Major new features of this release include:

- Based on MIT Kerberos v5 1.3.1
- Continued refinements to Leash

Please consult the Release Notes file for further details on changes.

The distribution packages and Release Notes are available from the authorized downloads link on the MIT Kerberos web page,

From tlyu at MIT.EDU Mon Aug 11 16:08:32 2003
From: tlyu at MIT.EDU (Tom Yu)
Date: Mon Aug 11 15:09:56 2003
Subject: MIT Kerberos for Windows 2.5 is released

The MIT Kerberos Team is pleased to announce the immediate availability of MIT Kerberos for Windows 2.5.

Major new features of this release include:

- Based on MIT Kerberos v5 1.3.1
- Numerous improvements to Leash including:
  + MS LSA integration
  + krb524 support
  + addressless tickets
  + auto-ticket renewal
  + a new "sleek" look

Please consult the Release Notes file included in the distribution package for further details on changes.

The distribution packages and Release Notes are available from the authorized downloads link on the MIT Kerberos web page,
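
The ETYPE-INFO2 failure conditions from the "serious protocol interop bug in krb5-1.3" message and the "both encodings accepted" change in the krb5-1.3.1 announcement, as an added example (not MIT krb5 code and not part of the archived messages). The messages do not say how the krb5-1.3 encoding differed; this code assumes the salt was carried as an OCTET STRING where the specification uses a KerberosString (GeneralString), and the function names, sample bytes and salt value are constructed.

```python
# Added example, not MIT krb5 code; tag layout follows the spec's ETYPE-INFO2-ENTRY.
INTEGER, OCTET_STRING, GENERAL_STRING, SEQUENCE = 0x02, 0x04, 0x1B, 0x30
# Salt tags each parser accepts. The OCTET STRING form for krb5-1.3 is an ASSUMPTION.
SPEC, V1_3, V1_3_1 = {GENERAL_STRING}, {OCTET_STRING}, {GENERAL_STRING, OCTET_STRING}
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length = buf[pos:pos + 2]             # ValueError if fewer than 2 bytes remain
    pos += 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def parse_etype_info2(der, salt_tags=SPEC):
    """ETYPE-INFO2 -> [(etype [0], salt [1] OPTIONAL, s2kparams [2] OPTIONAL)]."""
    tag, body, end = read_tlv(der)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("not a single SEQUENCE OF")
    entries = []
    for tag, entry in children(body):
        if tag != SEQUENCE:
            raise ValueError("entry is not a SEQUENCE")
        fields = {}
        for ctx, inner in children(entry):
            itag, ival, iend = read_tlv(inner)
            allowed = {0xA0: {INTEGER}, 0xA1: salt_tags, 0xA2: {OCTET_STRING}}
            if itag not in allowed.get(ctx, ()) or iend != len(inner):
                raise ValueError(f"field {ctx:#x}: unexpected tag {itag:#x}")
            fields[ctx] = ival
        if 0xA0 not in fields:
            raise ValueError("missing etype")
        entries.append((int.from_bytes(fields[0xA0], "big", signed=True),
                        fields.get(0xA1), fields.get(0xA2)))
    return entries

# Constructed samples: one entry, etype 16, salt b"constructed-salt" where present.
CONFORMING = bytes.fromhex("301b3019a003020110a1121b10") + b"constructed-salt"
KRB5_1_3 = bytes.fromhex("301b3019a003020110a1120410") + b"constructed-salt"
NO_SALT = bytes.fromhex("30073005a003020110")
```

Parsing `CONFORMING` with `salt_tags=V1_3` raises `ValueError` while `NO_SALT` parses cleanly, which is why an affected client shows no failure until a salted principal meets a conforming KDC; `V1_3_1` accepts both salted samples.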