Updated NAT fixes
Sam Hartman
hartmans at MIT.EDU
Thu Apr 11 11:01:01 EDT 2002
>>>>> "Steven" == Steven Michaud <smch at midway.uchicago.edu> writes:
Steven> Here are updated versions of some of the patches I
Steven> submitted to this list in August, 2001.
If you want patches evaluated for inclusion, please open
change-request bug reports (or sw-bug bug reports for actual bugs)
rather than just sending the patches here. Krbdev is a great place to
talk about patches, or let people know how you've solved a problem.
However, especially in cases where we don't see any issues needing
discussion, we may defer evaluating the patch until we approach a
release. If that happens there is a much higher probability we'll
deal with a patch that has an associated bug rather than discussion
here.
Steven> For some time, MIT Kerberos 5 has (rather grudgingly)
Steven> included support for addressless tickets.
Recently, our attitude towards addressless tickets and NAT has
changed. This corresponds to the recognition of a similar change
within the Kerberos working group of the IETF. We noticed that none
of the proponents of address checking were still actively involved, or
at least those still involved had realized address checking really
didn't buy you much. A future release of MIT Kerberos will likely
default to addressless tickets.
Supporting NATs while also supporting address checking is fairly
difficult and the prevailing thought in the MIT Kerberos development
team years ago was that it was a hard problem and that you weren't
going to solve it. Keep in mind that then, people tended to rely on
rsh and rcp, which you cannot really make NAT safe without
cooperation of the NAT. Now, with the availability of ssh, it is
reasonable to actually make all the parts of Kerberos people use NAT
safe.
We will keep the address checking in krb_priv and krb_safe because
removing this checking opens you to a reflection attack.
I think that rather than applying your patches, I'll simply disable
channel bindings completely in the ftpd. This is consistent with what
ssh and SASL do.
Steven> A client behind
Steven> a NAT can request an addressless TGT. Service tickets
Steven> acquired with this TGT are also addressless. When they're
Steven> used, in principle all client-address-checking is turned
Steven> off in the Kerberized application server. In exchange for
Steven> a small erosion of security, a client gains the ability to
Steven> do Kerberos from behind a NAT. The current MIT support
Steven> for addressless tickets works fine with some application
Steven> servers -- notably UW's IMAP server. But using an
Steven> addressless ticket doesn't turn off all
Steven> client-address-checking in MIT's own ftpd. (Nor did it in
Steven> telnetd. But with the removal of all address checking
Steven> from rd_cred, the only remaining address checking takes
Steven> place in rd_req (actually in rd_req_dec), and that does
Steven> work properly -- it only does address checking if the
Steven> service ticket has addresses in it.)
Steven> The ftpd patch I submitted in August gave ftpd two new
Steven> parameters -- '-b' to turn off channel bindings (the
Steven> GSSAPI version of address checking), and '-B' (the
Steven> default) to turn (or leave) it on. This version of ftpd
Steven> either turned address checking off for all users (whether
Steven> or not they're using addressless tickets) or turned it on
Steven> for all users. Turning address checking off for all users
Steven> was (and is) acceptable, because address checking doesn't
Steven> actually increase your security much (more on this topic
Steven> below).
Steven> But now I've found a way to tie address checking to the
Steven> presence or absence of addresses in the service ticket
Steven> contained in gss_accept_context()'s input_token parameter.
Steven> This is better, but it requires yet another change to
Steven> gss_accept_context(), and possibly a revision to the
Steven> GSSAPI RFC. (I add a definition of
Steven> GSS_C_CHANNEL_BINDINGS_FOLLOW_TICKET to gssapi.h, and use
Steven> it as a signal (in the application_data field of
Steven> gss_accept_context()'s input_chan_bindings parameter) that
Steven> gss_accept_context() should ignore channel bindings.)
Steven> I've attached all my patches to this message as zip files.
Steven> krb5-1.2.4-delegation-channelbinding-patch can be applied
Steven> to either releases 1.2.3 or 1.2.4.
Steven> krb5-1.2.5b1-channelbinding-patch is meant for release
Steven> 1.2.5 beta 1. They're functionally equivalent, but
Steven> krb5-1.2.4-delegation-channelbinding-patch contains a
Steven> couple of fixes that exist in 1.2.5 beta 1 but weren't
Steven> present in previous releases.
Steven> krb5-1.2.4-ftpd-channelbinding-followtkt-patch is the
Steven> version of my ftpd patch that follows the new design (it
Steven> turns channel bindings on or off according to the presence
Steven> or absence of addresses in the service ticket). It can be
Steven> applied to release 1.2.3, 1.2.4 or 1.2.5 beta 1. On
Steven> releases 1.2.3 and 1.2.4 it requires
Steven> krb5-1.2.4-delegation-channelbinding-patch. On release
Steven> 1.2.5 beta 1 it requires
Steven> krb5-1.2.5b1-channelbinding-patch.
Steven> krb5-1.2.4-ftpd-channelbinding-params-patch is the version
Steven> of my ftpd patch that follows the old design (it uses
Steven> command line parameters to turn channel binding off or
Steven> on). It can be applied to release 1.2.3, 1.2.4 or 1.2.5
Steven> beta 1. On releases 1.2.3 and 1.2.4 it requires
Steven> krb5-1.2.4-delegation-channelbinding-patch. On release
Steven> 1.2.5 beta 1 it doesn't require anything else (though the
Steven> presence of krb5-1.2.5b1-channelbinding-patch doesn't
Steven> interfere with it).
Steven> I have detailed comments inside the patches themselves.
Steven> Please let me know if you have any questions or comments.
Steven> Is there any chance that one of my ftpd fixes (or
Steven> something like it) will make it into release 1.2.5, or a
Steven> release in the 1.2 series? :-)
Steven> Addendum
Steven> How much is your security eroded when all address checking
Steven> is turned off in the application server (whether because
Steven> you've chosen to use addressless tickets or for some other
Steven> reason)? As someone on this list already pointed out, the
Steven> server's replay cache should be able to catch tickets that
Steven> have been stolen in transit. But someone could still
Steven> break into your computer (i.e. connect as root or as you)
Steven> and steal your ticket cache. If that cache already
Steven> contained service tickets for the services whose
Steven> client-address-checking had been disabled, the hacker
Steven> could connect as you to those services from any other
Steven> computer (not just your own), for the lifetime of the
Steven> tickets. (If your TGT was addressless, he could also get
Steven> new service tickets from any other computer, though with
Steven> the same lifetime.) However, if the hacker could spoof
Steven> your computer's ip address, he could connect as you from
Steven> other computers even to services whose
Steven> client-address-checking hadn't been disabled. And he
Steven> might be perfectly happy to do his mischief from your
Steven> computer (he might even prefer it). So the degree to
Steven> which security is eroded depends on how difficult it is
Steven> for the hacker to spoof your computer's ip address and how
Steven> inconvenient it is for him to do further hacking from your
Steven> computer as opposed to some other computer.
Steven> ---559023410-851401618-1018478530=:323 Content-Type:
Steven> APPLICATION/ZIP;
Steven> name="krb5-1.2.4-delegation-channelbinding-patch.zip"
Steven> Content-Transfer-Encoding: BASE64 Content-ID:
Steven> <Pine.GSO.4.21.0204101742100.323 at kilroy.uchicago.edu>
Steven> Content-Description: Content-Disposition: attachment;
Steven> filename="krb5-1.2.4-delegation-channelbinding-patch.zip"
Steven> UEsDBBQAAAAIAE1xiixoKYM4jQkAAJIeAAAqABUAa3JiNS0xLjIuNC1kZWxl
Steven> Z2F0aW9uLWNoYW5uZWxiaW5kaW5nLXBhdGNoVVQJAAMijrQ8Bru0PFV4BABk
Steven> AAoAzVlrU9tIFv0cfsUNU0VsEMYPSDApskWImWWHIVM22an9pGpLbbsHWfJI
Steven> bRxXKv99z+3W0w8gyW7NqBIjS92nb997+t7TbV+NRnTo0WFMSew1osA/CtTw
Steven> aJwkYqaOxjKUsfLSr42JCrnV4y129vf3n4f14nfp05UcUvsNtbpnrZOzTpva
Steven> zWZ75/Dw8OmBTPeLWUytJrXaZ53Ts2bXdt+vXsaidrvrtDvHZB4wvnlw3CLc
Steven> H+4Q/eTLkQol/TwYuJdu79ff7v7jvv90ddXr05emQ7efbm6+ohn+He3vHBDt
Steven> 04XvwwAdUTKfzaJYk16qcEx6IimR8YOMXyU0TyRFI/ImIgxlQEMV+miTcC+0
Steven> szizWCYy9NAwJjFMb0ckfB8vEpkQvJ6BKrzTyruXGk8T5acQcIorPE/OtJtI
Steven> z/WiUMvPulZ/xZ1nc+3q6F6GNBOxmEot44bpdoTP6rQv/3lxe9u7cd9f3364
Steven> vv154F59vLn5+Lt7d335S++OarWHSCFkF33ar1Orjv74B38QGzGIppJEAPhQ
Steven> aEkhhkpoxJMiL5rPAjMrnogYRg+SHkQwl0mD6G6C+ZOIJVlbfAvHPf/dQtfp
Steven> TGg1VIHSy4Z5dbTjP8ra+3h4crTujoa3yqmtDbdxeGuHb6Ly4ygZo4/Pmqdn
Steven> J83tjD5tOaenls8pL+mD9CJfOnCkFy9nmkToU6IjuJb9Do8uRMyk9WLp57wK
Steven> Ik8E5HnCm8gGe5fQBy73iA11ZRxHscu4Oy8p9l1gugbTHfFzRqqlM3AAOZyP
Steven> HIpAOX5T53jhMkBpI0r/vi2/84UWtG96V54zsRnIVb6raT/D5TZfjGvZCd1s
Steven> Df9NnCDmeuJ+n0sOindllArkjztuE5u6LafVPMnoVFhoPJI6hs5NHnxkIL5b
Steven> aQWLkREyNDeaJfZ+ar+8hUOfnnOO+ZLS9mqEdBRLjTSCl5XergqVLsKxVwaq
Steven> 1+sAeIGO8zhM+9ffWu6smYHVqUeBGG+NbdN23WoRmMIeeYIae4Y/tsbAPsZ7
Steven> MY5QIrxAinA+K5kHet9EOuFMeh/M/TEXnHHEn1FIExnLRqNhE7EvlobYaeQU
Steven> hoxHwpMpEK6FClCRJMVyESutJS+EaD6eMPt5aXXbTqvTydbW34ERoVykD/Tn
Steven> EiPyxpgk0q6JmBvFY+O3gzw2W8gyfiLGezlevZ6i8WUZRBb07Y+zB5F9byOm
Steven> FcJXpg+phJCdAtxxiKkmRnBg3iSWf9JEJAilDFMwXGkHFRZBWS85dceMuHsv
Steven> l0NkwPtdGikZ+KBXAVSJAP8VUB6o6bPIcCqVMlAnSaJAQkA5JuWyvslBdmM5
Steven> jbR0k/kQDbJhpmo8yTEBmWHYVpAGPQWUuGKONmqhZsxeAUWQFXRREr7ShhtI
Steven> utx9oRK5Yk0+33pqw0RAkbADWbEZUQcZZqoHD5Te4wUUlF41h37pv3cv+70P
Steven> BMGTiDEPJkquWq86MtRKBKn2KbD+JR4EXfJIkfHgQHpzrMwlXU+hnqbohYIE
Steven> 99QmWs/Ojo4Wi0VjIX0QWKigAaF0VGD94SXqCGpTfm5M9DSoQ5gtxNII0mQ1
Steven> XlRLi2DhlwLIRKpuQypmmD/MCJZYihC4+ESeUlB7yabofZplOjdHs1pXO2mq
Steven> cVh3Xvx2jUyn8DihQIX3cJIYs+es83+9viMuvFRbTJQ3KbCwKkQwjdAMVF8B
Steven> qpMfMQ3KUVwLk9AllgMCOU9wUwAHmF5g4sNfoujeSPYh51F6UFFgA4Es3L+6
Steven> pNYJ9BoSb4E2nGtaIEcKtsFwK5rHdhYjxKoyvweBm6n4IzKh5s2CnUIJbhAx
Steven> tw2PVIzWvLbZnkqSYGAUETMsXmMlcEjAQt9klAJtgUWFcJq1YVZ3Jj9ohOhM
Steven> EFzgCWb7cLmhsJbsusA4ES+6hDLmWL4keXGx6zBZsdW8FUkyL9tlVs3GQCEG
Steven> 8zBfhAhL7a5MDD+SvOZLwfT0HD5YYv42EW2AtIznChtz4A39eZ68Nj0BaVda
Steven> A4tJhBSyi3rn3cPmXdAKU5zPsjWebfvWRmHLCOuzgCpmUec6WyiH79YL0HM5
Steven> +mN1bkUUlWup0UTlq6o+indP1bcyqK1vj5m2Nttq942zfaahyTIJonHtjbN7
Steven> tSnzEtgPcvB+WEvwJI/Kbm7yV5IBgv4UULrJMJzGSipnVexf08pU/wsU3CaN
Steven> 33oNSfe6Wxb5HJXy1uRFvlVAlMyOgS1OxU4xcbtDKtG3orFZwFapgswiN7O6
Steven> 7Js1TfXVCNFWt+m0ut2yEv1fmV1ZBVuJXrW+0qe0I/k28VeoyscdsPksq+W0
Steven> 269LZ1kneHDypuQhsIVCTy9nMknFqZXbnL/4Ke3bl3BXM22Q6Hjuaboft6HC
Steven> TX0bLeye8SDvP4wiXmykxiFvfu3hEp9uufnR1jldXdwMesWs2M98vNTr9z/2
Steven> a/djVtz5EdVUAcjlrfY84bVe7NKyUKRbNUYYuFcX1zef+j34bJNfOnBD56Tk
Steven> l85p2znGrrbEnCxpcLlMJ/413yeAMwOpNa/GDVM7fAcBFHB1gHPMzrthDrFQ
Steven> ivONwfPO0VhMbRwgx1kbKZDhGAkGljfrRvpQgiCA0nnZtIeOOcJCsKDadjLI
Steven> QDaINsfw89CkpRxgU3BTGWIliqnLCTsrPasM8D/vbo8pk4Y9Z0x5UNsE+vI8
Steven> ddvtxzXP1Wlvr9h1bep++I4rm+KS7bIdht3nGeTFlXt927t7Dsw2lwOr+V39
Steven> LTnOz0u7xmcyJNtpfim6svesSw/foVy5vBNpH77zeMoJ22jqY3WoR1fpXf9T
Steven> 723RnqkPlTZ2M5XjpofWeR+QZmFE9VDEI5SdIFrY2L7YTJbtHkl37gd28R1Q
Steven> KUGVt+UVObZ1e85fAZ6l0Z/gqObG7HDcfuMcd16Xq1+2+PNvd/3exQd3cNev
Steven> zXTsED7aDjLQn8YjKSHKqoajMpVTbzqrrbTNVtR6d+Z708o29pyRsCYL2+9m
Steven> K5BmRLI0HrjvYVVGlazhahpbn81nU7jWTMIEODkev3ntHHc7K8nxx/wBFl2P
Steven> 0kxkDiU8ls6h0Vuwln8OWf0txGGhpEYVYad0uXMlVU2hxmW4KQtVEEoZKctE
Steven> ToYiwuX6LzK8La0gDJelQRqFWKcfyWSIHIfu5faVWU+j+6WqdH+QaCtXmXMr
Steven> 17Pot3KVmFh59/Xbiblx4TJRT9ulnzqME8G14ljfl4Ecm03rBrVnmrMH03k/
Steven> dYC/Z/WPY0biyxhdy8ewx5uImh/IOv2j2mzPNLNa9KzYo6VGb3Vxqmzs0jzp
Steven> dJyTTvl3jf/zjFdy6l85//8CUEsBAhYDFAAAAAgATXGKLGgpgziNCQAAkh4A
Steven> ACoADQAAAAAAAQAAAKSBAAAAAGtyYjUtMS4yLjQtZGVsZWdhdGlvbi1jaGFu
Steven> bmVsYmluZGluZy1wYXRjaFVUBQADIo60PFV4AABQSwUGAAAAAAEAAQBlAAAA
Steven> 6gkAAAAA ---559023410-851401618-1018478530=:323
Steven> Content-Type: APPLICATION/ZIP;
Steven> name="krb5-1.2.5b1-channelbinding-patch.zip"
Steven> Content-Transfer-Encoding: BASE64 Content-ID:
Steven> <Pine.GSO.4.21.0204101742101.323 at kilroy.uchicago.edu>
Steven> Content-Description: Content-Disposition: attachment;
Steven> filename="krb5-1.2.5b1-channelbinding-patch.zip"
Steven> UEsDBBQAAAAIACtxiiyxIR3oZAQAAIMMAAAhABUAa3JiNS0xLjIuNWIxLWNo
Steven> YW5uZWxiaW5kaW5nLXBhdGNoVVQJAAPijbQ8tLu0PFV4BABkAAoAxVZrU+M2
Steven> FP0cfsVldgbikIfzYANkYCawYZtpGjpJ6E4/aRRbTlQcyWspUIbpf++V5JgA
Steven> DqX7ofXkYcv3HOlenXvskEcR1AKopaDSoC7jsBHzeWOhFE14Y8EES3mQXdaX
Steven> XJio9yP2KpXKx7hK31gI/SSFpg/NzpnfPGt9hpbvt/Zqtdo/T1QAbzl45eVh
Steven> V9Tq+NVW5xjsgOG3A8ctwPPaHsCnkEVcMPg6nZIrMvjl19nv5PL2+nowgSe/
Steven> CuPb0egvDMNPo7J3BFCBfhjiArQEtU4SmWrQj1wsQC8ZKJbes/RQwVoxkBEE
Steven> SyoEi2HORYgxyqAwzvEkKVNMBBiYAp1npxHQMMQbiinAqm9IOd7TPLhjGkcV
Steven> DzMKLAqhQcASTRQLSCCFZn/qsndowMlaEy3vmICEpnTFNEvrFtbA35dpX/3U
Steven> H48HI3I5HH8Zjr9OyfXNaHTzjcyGVz8PZlAu30sewnV/AhUPmh7i8YP1ALOI
Steven> qVwxoDHSC6oZCJxKQWSSgkCuk9hmZRKhc3nP4J7Ga6bqALMl5g80ZeDWEjo6
Steven> g/ytidBVQjWf85jrx7q91dgL31XtXTo/brwtRz14ramdgbs0vBNQoMXuTil/
Steven> mOX0rPmuotuo6JNtRZuB042i8TC6CFIWEh4SDfYMlRjiVpxbRfdcmFkQeRkb
Steven> spgt7HVBaHCn1iv9mDCoBOZPYYzfM5rKAuZSxowK4AshU0acBk0TkLwDzlFG
Steven> o+mg53oKDx5B2ahwMJncTMp3C7JgOlfyiiMRUZrqtarCQTbseZ7D4pEyvU6F
Steven> ZUDZ9oej28nA6xUWrt1tV9vdrcK1u51q+7S7VThbPIldGlEeZ6nb9rc5NlDs
Steven> TGvT7QWp1S5oksQ8QNVKQUKqad1qHZvewfH4WLvhVhVPkPO8mSlmYqGXxl98
Steven> D7jC3lO4CTTGxqN6y5tyhgcqtNppIIbIbaLF2nETL6OcoGhzuWv0IOYYbZax
Steven> VqZYmaXF+M3hzs3QB6wdZTooF5Hun2dlG9+8qZwHBwc5JRTBaxdccM2pRh2Z
Steven> dVj5nm8o+9dkOB7MPkKzq+TI5f8Q3onj/PwZ+FGFeJ7DPD1DTfVcSWsX+CQh
Steven> aPm6VbsITMrKrNH0svdyqne7dDa5HfSe4430JWB3BktmbYBkz7Ycg6J5kOJQ
Steven> w5ymEcxZLB/c3paKxbK7IpnvHLnmO4ItB6JrvTQqNSZhzlFmhkGm5Uy6VdiE
Steven> uKsDc4nkXmY4n7BQfqE7dDqn1c5x17lDXqPs2V8qzSaD/hcynU3KiU6rgD+t
Steven> KprPd1uMTAs4yT6GYq2GUdZvsKQKXwMkPt5BSG36yrwbvH4xqG66DSuWUVDx
Steven> +Pb9QZm+mj9udVl9AzEK+Pft82STs+AVWwWrpPwqs03rv03WMPs5QymQIXPP
Steven> A3e9on/k1g1uDVNyiTXcTN6zHtz5fFLtnPivPPg/Kzu+bPDIwo1K9TbuhQWu
Steven> 4GHJRJG7bcBbJrcxt3xXd+7lBrx7S3/MEg26tL+7wT0X8b/u/t9QSwECFgMU
Steven> AAAACAArcYossSEd6GQEAACDDAAAIQANAAAAAAABAAAApIEAAAAAa3JiNS0x
Steven> LjIuNWIxLWNoYW5uZWxiaW5kaW5nLXBhdGNoVVQFAAPijbQ8VXgAAFBLBQYA
Steven> AAAAAQABAFwAAAC4BAAAAAA=
Steven> ---559023410-851401618-1018478530=:323 Content-Type:
Steven> APPLICATION/ZIP;
Steven> name="krb5-1.2.4-ftpd-channelbinding-followtkt-patch.zip"
Steven> Content-Transfer-Encoding: BASE64 Content-ID:
Steven> <Pine.GSO.4.21.0204101742102.323 at kilroy.uchicago.edu>
Steven> Content-Description: Content-Disposition: attachment;
Steven> filename="krb5-1.2.4-ftpd-channelbinding-followtkt-patch.zip"
Steven> UEsDBBQAAAAIAPJTiiy0Rgc3swEAAGgEAAAuABUAa3JiNS0xLjIuNC1mdHBk
Steven> LWNoYW5uZWxiaW5kaW5nLWZvbGxvd3RrdC1wYXRjaFVUCQAD11q0PDy7tDxV
Steven> eAQAZAAKAM2SyW7bMBCGz/ZTTAM0lQRJlpTYbRz04DqbUcM5OECOBE1SMhGC
Steven> FMhRkqIvX4qxkfYQN6eigqhlON8sP4fLuoaMQWbBWZYbxUe0bdWoca7GduQX
Steven> D4+c9ftv7Q2TJPkbP7gXHK7EBqrPUJ5Ny/G0nEBVFNUwy7JDwQM4ay2Uhb+n
Steven> 1WRa7MDkzytUUZ2Mv6TVyeQUgglgMGBbqnPKmGjRWEI5t8K5XAnd4Ba+wun5
Steven> Aa9HqjrhnY4ZWhWsuZN69xFev9O+AckoSqMJp0hfcxTnww9veu1zFH2oEE3W
Steven> ED0Ia431Zku5fCZCM8NF1AMpNKZDsunqFI5fUqRQxjH8DPDAilb9iMZFmcLR
Steven> 3HSK608IXPQ8zC5mdxB9dPFRGnTfy3UG/i/7z+QaJbAWiFI3cEg5NMEbAK7X
Steven> azIn85vZanW5JN8Wq4vF6npNrm6Xy9t7creYf7/03VPN98DBOtBAEYN0QMHJ
Steven> RlMFuKUIT2JPP1GNDvzEkhchiBOMMKNRPGMU97zHjPUVboUTIZkWak9vpOa+
Steven> NQf+tL0DMCWFxj5f5/qWd5oqvwAlexDockhG7xik98jwj2ftF1BLAQIWAxQA
Steven> AAAIAPJTiiy0Rgc3swEAAGgEAAAuAA0AAAAAAAEAAACkgQAAAABrcmI1LTEu
Steven> Mi40LWZ0cGQtY2hhbm5lbGJpbmRpbmctZm9sbG93dGt0LXBhdGNoVVQFAAPX
Steven> WrQ8VXgAAFBLBQYAAAAAAQABAGkAAAAUAgAAAAA=
Steven> ---559023410-851401618-1018478530=:323 Content-Type:
Steven> APPLICATION/ZIP;
Steven> name="krb5-1.2.4-ftpd-channelbinding-params-patch.zip"
Steven> Content-Transfer-Encoding: BASE64 Content-ID:
Steven> <Pine.GSO.4.21.0204101742103.323 at kilroy.uchicago.edu>
Steven> Content-Description: Content-Disposition: attachment;
Steven> filename="krb5-1.2.4-ftpd-channelbinding-params-patch.zip"
Steven> UEsDBBQAAAAIABlUiiyuSeSRVwMAAKEIAAArABUAa3JiNS0xLjIuNC1mdHBk
Steven> LWNoYW5uZWxiaW5kaW5nLXBhcmFtcy1wYXRjaFVUCQADIVu0PFa7tDxVeAQA
Steven> ZAAKAM1V23LbNhB9lr9im059UagLSdHWZfqgKG7imVTpjN32EQMBoISaAlkA
Steven> tOLpz3cBUBc7UvIajkQtFmcPFmcXEJd5Dh0GHQ1Gs25Z8B6tqqK3NCa3VQ+/
Steven> 3L+6zM2fmjtrt9vfi2/9LTj8JhaQ3EA8GsfZOL6GpN9PzjqdzrfIfeC00hD3
Steven> 8TNOsnE2CoHtl4/PIh4Oo3iUgnc45uC4BrQ7ZwBS2VZRLpeCE6km6DBW18y2
Steven> KmrMhkO72kwaFBeLejk5ews/y5yLHD7c30//uMMxTkJtBGErqpQoyEIqLtXS
Steven> wK8Qe7zAcd6w0KIoN4QxhrP9CeDTa8NmJexKaCg1qNIC2jCbzYCV6zVVHKQB
Steven> H4b7bvcaHmQg5eOO5DhPCZQxUVlghaDaii92y2n2TFauRVlbpBr1dxltnTS3
Steven> yBdnsJaqtsJAmWMQZVY+SfvsSI6JniZZlKb9vehpMozSQboVvdVq0dquCvEk
Steven> Clx3+ufDx0+3f91+Is66nT/czaYPt5MAXGhBH519RPlWi1Ej4OLdxdiPWt8q
Steven> w57rLRzELr4T238d25QTSWBHMkMSn+2GKkuYFrxZ9nALx5RK0nQYJU6anVZJ
Steven> msXoym72auEhIIquBXGVlELZQOwaTwtL8oIuTXCF7gUX8HovpJlz/rCno6gA
Steven> IJXVk93aizrPhSZcGAY+D3RMXmdmhH5CkBuFuc+/kxpTTBPswn9rqQVZ03+i
Steven> /UCqqOnP7USw0X9Cq2yEwlwPDrW6SdE1jPdauey7garUhHKuhTHdJ1rUAkty
Steven> zqwuvLdrpGoM/zM5iMaLRzJqZakIp5Z2C6GWdhWa4TRqu0bTMTKHy2M9dRX6
Steven> aauyT2pXElFgOx1MYauTGZl/JrOP0/kcT8i7u/n7u/mHe38ioFnmUWhdOrim
Steven> XH4hQrGSi0uXVARLPMauXhGch21EEF9dwX+hNbWoiufLrB9H8GZW1gVXFxa4
Steven> cPEwfT99gMtfzNWbE/UYxFmUDJI41MPzucddIedLVip34UTuNmlsgvvihQhX
Steven> zwG46Rx/bDweRzKXjetU1LktHz1aqgq3iCOhHOinFyCnZcghlAF2R/srvnC0
Steven> PBj/fnwjfw1aC7aS3IOcSexzdQRVhoQ8DO0X+fm+HaQJSpcOD27EH026bRf+
Steven> WOr9D1BLAQIWAxQAAAAIABlUiiyuSeSRVwMAAKEIAAArAA0AAAAAAAEAAACk
Steven> gQAAAABrcmI1LTEuMi40LWZ0cGQtY2hhbm5lbGJpbmRpbmctcGFyYW1zLXBh
Steven> dGNoVVQFAAMhW7Q8VXgAAFBLBQYAAAAAAQABAGYAAAC1AwAAAAA=
Steven> ---559023410-851401618-1018478530=:323--
Steven> _______________________________________________ krbdev
Steven> mailing list krbdev at mit.edu
Steven> http://mailman.mit.edu/mailman/listinfo/krbdev
More information about the krbdev
mailing list