MITKRB5-SA-2003-004: Cryptographic weaknesses in Kerberos v4 protocol
Darren Reed (OSE)
darrenr at optimation.com.au
Mon Mar 17 18:43:22 EST 2003
Can I suggest the advisory be updated to include the measures
below? It was not clear from the text released that it was
necessary to use "-4 none" or "-4 disabled" on the command
line, in addition to disabling krb524d.
Are there any krb5.conf or kdc.conf parameters that can be used
in place of the above command line options?
> -----Original Message-----
> From: Sam Hartman [mailto:hartmans at mit.edu]
> Sent: Tuesday, 18 March 2003 10:28 AM
> To: Darren Reed (OSE)
> Cc: krbdev at mit.edu
> Subject: Re: MITKRB5-SA-2003-004: Cryptographic weaknesses in Kerberos
> v4 protocol
> >>>>> "Darren" == Darren Reed (OSE) <darrenr at optimation.com.au> writes:
> Darren> One thing I'm not clear on having read that is how deep
> Darren> the problem is. If you're not using krb524d, does that
> Darren> mean you are not vulnerable if you are using 1.2.7, even
> Darren> if you have enabled v4 keys as a "supported_enctype" in
> Darren> kdc.conf?
> Enabling v4 keys in kdc.conf does not matter. The question is whether
> KDC support for v4 is on. If you run with -4 none or -4 disabled on
> the command line and do not run krb524d you are not vulnerable.
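A check for the condition Sam describes, added here as an example (it is not from the advisory or from either correspondent): it reads a ps-style process listing and reports whether krb5kdc was started with "-4 none" or "-4 disabled" and whether a krb524d process is present. The "pid command args" listing format and the status words it prints are my assumptions.

```sh
#!/bin/sh
# Added example, not part of the advisory or the thread.
# kdc_v4_status FILE: FILE holds one "pid command args" line per process
# (e.g. from ps -eo pid,args). Prints "ok" and returns 0 only when krb5kdc
# runs with "-4 none" or "-4 disabled" AND no krb524d is running, which is
# the condition Sam gives for not being exposed to the v4 weakness.
kdc_v4_status() {
    v4_off=0; kdc_seen=0; krb524=0
    while read -r pid cmd args; do
        case "$cmd" in
            */krb5kdc|krb5kdc)
                kdc_seen=1
                # Pad with spaces so the option pair matches as whole words.
                case " $args " in
                    *" -4 none "*|*" -4 disabled "*) v4_off=1 ;;
                esac ;;
            */krb524d|krb524d) krb524=1 ;;
        esac
    done < "$1"
    if [ "$kdc_seen" -eq 0 ]; then echo "no-kdc"; return 2; fi
    if [ "$v4_off" -eq 1 ] && [ "$krb524" -eq 0 ]; then echo "ok"; return 0; fi
    [ "$v4_off" -eq 0 ] && echo "kdc-v4-enabled"
    [ "$krb524" -eq 1 ] && echo "krb524d-running"
    return 1
}

# Constructed sample listing (not real output) for a stand-alone run:
# the KDC has v4 off, but krb524d is still running, so the host is exposed.
sample=$(mktemp)
printf '%s\n' '101 /usr/sbin/krb5kdc -4 disabled -r EXAMPLE.COM' \
              '303 /usr/sbin/krb524d' > "$sample"
kdc_v4_status "$sample" || echo "exit=$?"
rm -f "$sample"
```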