Operating Systems & Kerberos

Jose Marques noway at nohow.demon.co.uk
Mon Feb 17 04:53:11 EST 2003

On Fri, 14 Feb 2003, Sam Hartman wrote:

> The reason this security decrease is necessary is a rather unfortunate
> bug in both the MIT KDC and the MIT client codebase. It's bug 1006 in
> our database.
> The only good news about this issue is that once the bug is fixed,
> upgrading either the KDC or the client should be sufficient to work
> around the problem.

Can you tell me which version to update to?  At work we've been
experimenting with Kerberos and have seen something that looks related.
We have used 1.2.5 upgrading through to 1.2.7 (kdc on FreeBSD 4.x using
stock source apart from a patch to make the kdc use cracklib).  It worked
fine at first but at some point we found that authentication stopped
working (e.g. kerberised ssh worked with userid and Kerberos password login
but not using tickets, total failure for Solaris console/cde logins using
pam_krb5).  Turning off pre-authentication got things working but a quick
check shows setting -e des:normal does the same thing without the need to
disable preauthentication.  Our kdc.conf lists des3 before des.

Jose Marques

