MITKRB5-SA-2003-004: Cryptographic weaknesses in Kerberos v4 protocol

Sam Hartman hartmans at MIT.EDU
Mon Mar 17 18:27:48 EST 2003


>>>>> "Darren" == Darren Reed (OSE) <darrenr at optimation.com.au> writes:

    Darren> One thing I'm not clear on having read that is how deep
    Darren> the problem is.  If you're not using krb524d, does that
    Darren> mean you are not vulnerable if you are using 1.2.7, even
    Darren> if you have enabled v4 keys as a "supported_enctype" in
    Darren> kdc.conf?


Enabling v4 keys in kdc.conf does not matter.  The question is whether
KDC support for v4 is on.  If you run with -4 none or -4 disabled on
the command line and do not run krb524d, you are not vulnerable.
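The check described in the reply above, written out as a small POSIX sh audit helper. This is an added example, not code from the krbdev thread or from the MIT Kerberos distribution. It assumes that the v4 mode is read from the `-4` argument on the running krb5kdc command line, that `ps -eo args=` is available for the live check, and, conservatively, that a KDC started without any `-4` flag should be reported as exposed because the built-in default depends on the build and version. Both spellings, `disable` and `disabled`, are accepted for the off setting.

```shell
#!/bin/sh
# Added audit helper (not part of the krbdev thread): decide, from a krb5kdc
# command line and from whether krb524d is running, whether the KDC still
# offers the Kerberos v4 service that MITKRB5-SA-2003-004 concerns.

# kdc_v4_mode CMDLINE
#   Print the value that follows "-4" on the given command line, or "unset"
#   when the flag is absent.
kdc_v4_mode() {
    # shellcheck disable=SC2086  (word-split the command line on purpose)
    set -- $1
    while [ $# -gt 0 ]; do
        if [ "$1" = "-4" ] && [ $# -ge 2 ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    printf '%s\n' "unset"
}

# kdc_v4_exposed CMDLINE KRB524D_RUNNING(yes|no)
#   Exit status 0 = v4 still reachable (exposed), 1 = v4 switched off on the
#   KDC and no krb524d running, which is the "not vulnerable" case from the
#   thread.  An absent -4 flag is treated as exposed (conservative assumption).
kdc_v4_exposed() {
    mode=$(kdc_v4_mode "$1")
    krb524d=$2
    case "$mode" in
        none|disable|disabled) kdc_off=1 ;;
        *)                     kdc_off=0 ;;
    esac
    if [ "$kdc_off" -eq 1 ] && [ "$krb524d" = "no" ]; then
        return 1
    fi
    return 0
}

# audit_live_kdc
#   Inspect the process table of this host.  Exit status 0 = v4 path closed,
#   1 = exposed, 2 = no krb5kdc process found.
audit_live_kdc() {
    kdc_line=$(ps -eo args= 2>/dev/null | grep '[k]rb5kdc' | head -n 1)
    if ps -eo args= 2>/dev/null | grep -q '[k]rb524d'; then
        running=yes
    else
        running=no
    fi
    if [ -z "$kdc_line" ]; then
        echo "no krb5kdc process found"
        return 2
    fi
    mode=$(kdc_v4_mode "$kdc_line")
    if kdc_v4_exposed "$kdc_line" "$running"; then
        echo "EXPOSED: krb5kdc v4 mode=$mode, krb524d running=$running"
        return 1
    fi
    echo "OK: v4 disabled on krb5kdc (-4 $mode) and krb524d not running"
    return 0
}

# Run the live audit only when explicitly asked for, so the functions can be
# sourced from other scripts without side effects.
if [ "${1:-}" = "--live" ]; then
    audit_live_kdc
fi
```

Run it as `sh kdc-v4-audit.sh --live` on the KDC host; a non-zero exit status means either that v4 is still served or that no krb5kdc process was found, so it can be wired into a configuration check after a restart.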


