Kerberos for Windows 3.2.2 is released
Tom Yu
tlyu at MIT.EDU
Mon Oct 22 20:13:42 EDT 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The MIT Kerberos Development Team and Secure Endpoints Inc. are proud to
announce the release of MIT's Kerberos for Windows product,
Version 3.2.2.
Please send bug reports and feedback to kfw-bugs at mit.edu.
Supported Versions of Microsoft Windows
=======================================
This release requires 32-bit editions of Microsoft Windows 2000 and
higher or the WOW64 environment of 64-bit editions of Microsoft
Windows XP and higher.
Downloads
=========
Binaries and source code can be downloaded from the MIT Kerberos web site:
http://web.mit.edu/kerberos/dist/index.html
What's New in KFW 3.2.2:
========================
* Network Identity Manager Application
o Application window always raised when prompting for new credentials,
so prompt is not obscured by other windows.
o Password entry field accepts 1024 characters.
o Add --show and --hide command line options.
o Defines a new color schema. Color values are no longer imported from
the user's desktop theme.
o Notification icon reflects status of the default identity instead of
all identities.
* Credential Cache API changes
o The CCAPI implementation is now compatible with Windows Terminal
Server.
* Kerberos v5 Library Improvements
o Based on krb5-1.6.3.
o MSLSA: ccache properly translates Unicode strings to the local ANSI
character set.
o krb5_get_profile() is exported from krb5_32.dll.
* Installer Changes
o Remove the registration requirement for administrative installations
when using the MSI installer.
o MSVC DLLs include DST 2007 changes.
* Build system changes
o NIM Schema files can now support external file inclusion.
o Add static ordinals to DLL exports.
o krbcc credential cache api implementation can now be compiled with
Microsoft Visual Studio 2005.
o Enable builds on 64 bit Windows.
What's New in KFW 3.2.1:
========================
* Network Identity Manager Application
o The default identity background color has been removed.
o The Basic view updates to reflect deleted and modified identities.
o The watermark can be controlled by a registry setting.
* Kerberos v5 Library Improvements
o Based on krb5-1.6.2
What's New in KFW 3.2.0:
========================
* Network Identity Manager Application
o A simplified basic mode has been added to the "obtain new
credentials dialog". The basic mode replaces the credential
browser with a button that can be used to access the advanced
configuration functions. This advanced mode provides the
credential browser and a tabbed view of the configuration
dialogs for each of the available credential providers.
o A simplified default application view that shows only the
status of the active identities.
o A new command-line option to netidmgr.exe is available to
shutdown a running instance of Network Identity Manager.
Specify "-x" or "--exit" to force the existing instance to
terminate.
o The use of ellipsis on menu items now follows the Windows
Style Guide. Ellipsis is only used when additional information
is required from the user before carrying out the designated
action. If displaying a dialog is the action, no ellipsis
is used.
o Improved handling of window focus when opening and closing
modal dialogs.
o Reduce the number of alerts presented to the user by combining
duplicates into a single alert.
o Do not generate alerts if there is nothing that the user
can do to correct the situation. Alerts that are displayed
provide actions the user can take if desired.
o Renew and Destroy menus provide "All" and "Individual identity
names" as choices.
o The Renew and Destroy toolbar buttons provide dropdown menus
permitting the action to be applied to either "All" or one
specific identity.
o The "default" action of left clicking the notification icon
is now configurable. The default configuration is "open/close
NIM window". The alternate is to open the new credentials
dialog. This can be specified by the user on the General
Options page.
o The alerter window can now display multiple alerts simultaneously.
o Ensure that the NIM window is displayed on an active desktop.
If not, move it to the primary desktop and center it.
o New Basic mode display that shows only the state of the
identity and its expiration time. Use F7 or View->Advanced
to switch to the previous display that is configurable by the
user to show details about each credential.
o New Color Scheme derived from current Windows Desktop Color
Scheme.
o Improved display updating algorithms reduce flicker
o The proper icon sizes are now used in the information bubble
and the status bar.
o Task Bar buttons are created for visible windows and dialogs
o Plug-in Help can now be added to the Help menu
o Improved HtmlHelp user documentation with Indexing
o Improved HtmlHelp developer documentation with Indexing
o Improved PDF user documentation
* Network Identity Manager Kerberos v5 Support
o Do not show cached prompts to user if they have expired
o Correct the possibility that a krb5_ccache handle might be
freed twice.
o Import settings from Kerberos Profile if there are no equivalent
defaults specified in the registry. Support per-realm settings.
o An identity that matches the MSLSA will not renew its credentials
from the MSLSA if the user obtained the credentials from
elsewhere.
o When importing an identity from the MSLSA that has never been
seen before, create an entry in the identity database.
o Do not attempt to renew non-renewable identities
o Permit an identity to be configured as the default identity
even if it doesn't have any credentials.
* Kerberos v5 Library Improvements
o Based on MIT release 1.6+
o On Vista MSLSA: krb5_ccache can be used to store tickets
including TGTs for alternative principals to the LSA credential
cache
o On Vista a more efficient interface for enumerating the contents
of the LSA credential cache is available.
o Vista support is only built if the Vista SDK version of
NTSecAPI.H is used.
o On Vista, if a process is UAC limited, the MSLSA will report
that no tickets are present in the cache rather than return
tickets with invalid session keys.
o get_os_ccname() uses GetEnvironmentVariable() instead of
getenv() to read the KRB5CCNAME environment variable. This
allows the correct default credential cache name to be returned
by krb5_cc_default_name(). This works around a problem where a
gssapi application would trigger an Obtain New Credentials prompt
from NIM only to have it obtain the wrong credential cache.
* Winsock Helper Library Improvements
o DNS queries that terminate with a dot would not properly match
the hostnames listed within the DNS response preventing a
successful return. This resulted in "kinit -4" failing to find
the KDCs.
* Integrated Logon Improvements
o Remove the reliance on the Windows Logon Event handler and
replace it with a LogonScript that executes kfwlogon.dll via a
call to rundll32.exe. This change permits the integrated logon
functionality to work on all supported platforms: Windows 2000
to Windows Vista.
o Disable the use of integrated logon if the Network Provider is
called as a result of a non-interactive logon. The non-interactive
logon does not process the specified LogonScript. As a result,
the intermediate credential cache file would not be processed
nor cleaned up.
o Obtained credentials are stored into an API credential cache
whose name is API:<principal>
o Add a debugging mode which when activated logs to the Windows
Application Event Log.
[HKLM\System\CurrentControlSet\Services\MIT Kerberos\NetworkProvider]
DWORD "Debug"
* Leash32 Library Changes
o Modify the leash functions to use krb5_string_to_deltat() to
parse ticket_lifetime and renew_lifetime from the profile.
Previously the leash functions expected those fields to be
integer representation of minutes without the use of any units.
This change is for consistency with KFM and the rest of the krb5
library.
o Modify the private functions acquire_tkt_for_princ() and
acquire_tkt_no_princ() that are called from gssapi32.dll so that
they will work on Windows Vista and so that the MSLSA: principal
is only imported if it matches the default identity and no
credentials for that identity are present.
o Remove all AFS functionality.
Microsoft Vista User Account Control (UAC)
==========================================
Microsoft Vista UAC mode prevents accounts that are members of the
local Administrators group from accessing Kerberos session keys from
the LSA credentials cache. The MIT Kerberos MSLSA krb5_ccache type
will not report the existence of Kerberos tickets which do not have
valid session keys.
Users are encouraged to login to Microsoft Vista with accounts
that are not members of the local machine Administrators group in
order to obtain the best single sign-on experience with MIT Kerberos
for Windows and Network Identity Manager.
Important notice regarding Kerberos 4 support
=============================================
In the past few years, several developments have shown the inadequacy
of the security of version 4 of the Kerberos protocol. These
developments have led the MIT Kerberos Team to begin the process of
ending support for version 4 of the Kerberos protocol. The plan
involves the eventual removal of Kerberos 4 support from the MIT
implementation of Kerberos.
The Data Encryption Standard (DES) has reached the end of its useful
life. DES is the only encryption algorithm supported by Kerberos 4,
and the increasingly obvious inadequacy of DES motivates the
retirement of the Kerberos 4 protocol. The National Institute of
Standards and Technology (NIST), which had previously certified DES as
a US government encryption standard, has officially announced[1] the
withdrawal of the Federal Information Processing Standards (FIPS) for
DES.
NIST's action reflects the long-held opinion of the cryptographic
community that DES has too small a key space to be secure. Breaking
DES encryption by an exhaustive search of its key space is within the
means of some individuals, many companies, and all major governments.
Consequently, DES cannot be considered secure for any long-term keys,
particularly the ticket-granting key that is central to Kerberos.
Serious protocol flaws[2] have been found in Kerberos 4. These flaws
permit attacks which require far less effort than an exhaustive search
of the DES key space. These flaws make Kerberos 4 cross-realm
authentication an unacceptable security risk and raise serious
questions about the security of the entire Kerberos 4 protocol.
The known insecurity of DES, combined with the recently discovered
protocol flaws, make it extremely inadvisable to rely on the security
of version 4 of the Kerberos protocol. These factors motivate the MIT
Kerberos Team to remove support for Kerberos version 4 from the MIT
implementation of Kerberos.
The process of ending Kerberos 4 support began with release 1.3 of MIT
Kerberos 5. In release 1.3, the default run-time configuration of the
KDC disables support for version 4 of the Kerberos protocol. Release 1.4
of MIT Kerberos continues to include Kerberos 4 support (also disabled
in the KDC with the default run-time configuration), but we intend to
completely remove Kerberos 4 support from some future release of MIT
Kerberos.
The MIT Kerberos Team has ended active development of Kerberos 4,
except for the eventual removal of all Kerberos 4 functionality. We
will continue to provide critical security fixes for Kerberos 4, but
routine bug fixes and feature enhancements are at an end.
** The MIT Kerberos Team has decided that the MIT Kerberos for
** Windows 3.x release series will be the last versions to contain
** Kerberos 4 support. Beginning with 4.0 release, MIT Kerberos for
** Windows will be Kerberos 5 only. At that time MIT will repackage
** the existing Kerberos 4 libraries in a stand-alone installer for
** those organizations that require continued use of Kerberos 4.
We recommend that any sites which have not already done so begin a
migration to Kerberos 5. Kerberos 5 provides significant advantages
over Kerberos 4, including support for strong encryption,
extensibility, improved cross-vendor interoperability, and ongoing
development and enhancement.
If you have questions or issues regarding migration to Kerberos 5, we
recommend discussing them on the kerberos at mit.edu mailing list.
References
[1] National Institute of Standards and Technology. Announcing
Approval of the Withdrawal of Federal Information Processing
Standard (FIPS) 43-3, Data Encryption Standard (DES); FIPS 74,
Guidelines for Implementing and Using the NBS Data Encryption
Standard; and FIPS 81, DES Modes of Operation. Federal Register
05-9945, 70 FR 28907-28908, 19 May 2005. DOCID:fr19my05-45
[2] Tom Yu, Sam Hartman, and Ken Raeburn. The Perils of
Unauthenticated Encryption: Kerberos Version 4. In Proceedings of
the Network and Distributed Systems Security Symposium. The
Internet Society, February 2004.
http://web.mit.edu/tlyu/papers/krb4peril-ndss04.pdf
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (SunOS)
iQCVAwUBRx08uabDgE/zdoE9AQLnnwQAzFEur1GLzeHKBdyg5TAzFyuWf0GrEe/L
oVh+i6Bb8RteA/KEVNvcErQdTxqY1iuJja4ylBRiTP1EzOEtBNtndstD+5Wzwc0x
+YyVzORx0NuDfOwbQhpY3OO3zJsiCUfHVPiulUPVp9ZPdvjRNXkFvTkIbqBXHZts
NIn2k7hUAc0=
=oy7f
-----END PGP SIGNATURE-----
More information about the kerberos-announce
mailing list