Mac OS 8/9 Kerberos 4/5 question

Rod Eldridge rod at
Wed May 28 16:31:34 EDT 2003

>>MacDev Team,
>>I'm using KfM 4.0.3. When I get tickets, Kfm 4.0.3 gets both a krb4tgt
>>and a krb5tgt. Sometime early next year, we are probably going to
>>restrict our Kerbers server to give out only krb5tgt tickets. Our
>>Kerberos Server manager says that if you have applications that need
>>Kerberos 4 tickets, you first get a krb5tgt, and then convert it to a
>>krb4tgt by using the krb425 routine. Our Kerberos server will continue
>>to give out both krb5 and krb4 "tickets for service", but only give out
>>krb5 "ticket-granting tickets". They are going to do this so that we
>>can have expired kerberos passwords (which, I'm told krb4tgt does not
>>On Mac OS 8/9, the kerberos server log shows that KfM 4.0.3 is
>>requesting both a krb4tgt and a krb5tgt separately. However, on Mac OS
>>X 10.2 using KfM 4.5.1, the kerberos server log shows that only a
>>krb5tgt is requested (even though I end up with both a krb4tgt and a
>>krb5tgt). It would appear that Mac OS X does a krb425 for you, while
>>Mac OS 8/9 does not.
>>Can I do this with KfM 4.0.3? If not, do you have any suggestions? Is
>>KfM 4.0.3 source code avaialable or a newer version of KfM for Mac OS
>>8/9 that will call krb425 for me?
>You are correct in your observation that KfM 4.0.x does not support 
>krb524 at all.  The first version of KfM which supports krb524 is 
>4.5, which only runs on Mac OS X.
>However, you can support krb5's expired passwords and continue to 
>support krb4 tgt requests so long as your clients always request krb5 
>tickets first.  KfM 4.0.x always requests krb5 tickets first and will 
>correctly handle the expired password error from 
>krb5_init_creds_password.  Users of krb4-only kinits will get the 
>unhelpful error "principal expired" until the user changes their 
>password, but you would have to upgrade these kinits if you turned 
>off krb4 tgt requests anyway.
>Unfortunately we cannot make the sources to KfM 4.0.x available. 
>Some of the code required to build it is encumbered by licenses which 
>prevent us from distributing the source.
>I strongly recommend updating your Macs to Mac OS X 10.2.x which does 
>support using krb524 to get a krb4 tgt from a krb5 tgt.
>Hope this helps,

Thank you for your reply -- it was helpful in understanding a little
more on the limitations of KfM 4.0.x. I understand why you can't
distribute the source, but I thought I'd ask anyway. But, regardless of
the limitations of KfM4.0.x, we will, more likely then not,  be
forced to disable granting krb4 tgt requests because krb4 also
provides a mechanism for off-line dictionary attacks (where as krb5 has
security features to prevent those types of attacks and will also allow
us to implement a "N strikes and you're out" defense against password
cracking). These KfM 4.0.x limitations just might be the incentive to
get some of our departments to upgrade to Mac OS X where they can,
since they eventually won't be able to get krb4 tgt's.

Rod Eldridge 
Technical Services
Academic Information Technologies
Iowa State University

More information about the krbdev mailing list