Kerberos: CERT Advisory CA-2000-06

Kerberos: CERT Advisory CA-2000-06

[Gerald Pfeifer]

As some of you mentioned problems with Kerberos: Have you considered
another cracker attack?

It seems that essentially *all* versions of Kerberos have several
significant vulnerabilites! See CERT Advisory CA-2000-06 for details.

Gerald
-- 
Gerald "Jerry" pfeifer@dbai.tuwien.ac.at http://www.dbai.tuwien.ac.at/~pfeifer/

Re: Kerberos: CERT Advisory CA-2000-06

[Jim Kingdon]

> It seems that essentially *all* versions of Kerberos have several
> significant vulnerabilites! See CERT Advisory CA-2000-06 for details.

That's http://www.cert.org/advisories/CA-2000-06.html for the lazy.

Those are the ones fixed in
ftp://ftp.tux.org/distributions/redhat/updates/6.2/i386/krb5* right?
The whole point of the Kerberos discussion of the last day or two has
been how to patch those.  I'm planning on installing those RPMs and
deinstalling the Kerberos we had installed, since no one has objected
to that plan.

There was some sentiment in favor of just getting rid of Kerberos, but
that seems not to be practical.

Need help with Kerberos

[Jim Kingdon]

This is a request for help.

I've installed the
ftp://ftp.tux.org/distributions/redhat/updates/6.2/i386/krb5* RPMs and
hopefully set up the config files right (/etc/inetd.conf and
/etc/krb5.conf were the main ones I touched).  Now I can't log in.  I
wonder whether this is because of the canonical name problem but I
don't really know how to verify that.  The message I get from rlogin
is:

    Couldn't authenticate to server: Server rejected authentication
    (during sendauth exchange)
    Server returned error code 60 (Generic error (see e-text))
    Error text sent from server: No such file or directory

Anyone who knows more about Kerberos want to help debug?
/tmp/kingdon.over has the result of running strace on the klogind
server.

I'm reluctant to put the old Kerberos back (which is in
/usr/{kerberos,kerbnet,kerbnet-1.2}.buggy and comments in inetd.conf)
because it has known security holes.  Call me at +1 202 265 6119 or
send email.

Re: Need help with Kerberos

[Ulrich Drepper]

Jim Kingdon <kingdon@redhat.com> writes:

> I'm reluctant to put the old Kerberos back (which is in
> /usr/{kerberos,kerbnet,kerbnet-1.2}.buggy and comments in inetd.conf)
> because it has known security holes.  Call me at +1 202 265 6119 or
> send email.

Please put it back.  Your are completely blocking the use of the
machine for some people (including me).  You can add the new code as
soon as you've found somebody who can help and is online at the same
time.

-- 
---------------.      drepper at gnu.org  ,-.   1325 Chesapeake Terrace
Ulrich Drepper  \    ,-------------------'   \  Sunnyvale, CA 94089 USA
Red Hat          `--' drepper at redhat.com   `------------------------

Re: Need help with Kerberos

[Jim Kingdon]

I've put Kerberos back the way it was.

I don't like this one bit, but I couldn't quickly find what needs to
be downloaded at http://web.mit.edu/kerberos/www/index.html .

Now, who wants to actually fix this?

Need help with Kerberos

[Jim Kingdon]

This is a request for help.

I've installed the
ftp://ftp.tux.org/distributions/redhat/updates/6.2/i386/krb5* RPMs and
hopefully set up the config files right (/etc/inetd.conf and
/etc/krb5.conf were the main ones I touched).  Now I can't log in.  I
wonder whether this is because of the canonical name problem but I
don't really know how to verify that.  The message I get from rlogin
is:

    Couldn't authenticate to server: Server rejected authentication
    (during sendauth exchange)
    Server returned error code 60 (Generic error (see e-text))
    Error text sent from server: No such file or directory

Anyone who knows more about Kerberos want to help debug?
/tmp/kingdon.over has the result of running strace on the klogind
server.

I'm reluctant to put the old Kerberos back (which is in
/usr/{kerberos,kerbnet,kerbnet-1.2}.buggy and comments in inetd.conf)
because it has known security holes.  Call me at +1 202 265 6119 or
send email.

Kerberos: CERT Advisory CA-2000-06

[Gerald Pfeifer]

As some of you mentioned problems with Kerberos: Have you considered
another cracker attack?

It seems that essentially *all* versions of Kerberos have several
significant vulnerabilites! See CERT Advisory CA-2000-06 for details.

Gerald
-- 
Gerald "Jerry" pfeifer@dbai.tuwien.ac.at http://www.dbai.tuwien.ac.at/~pfeifer/

Re: Need help with Kerberos

[Ulrich Drepper]

Jim Kingdon <kingdon@redhat.com> writes:

> I'm reluctant to put the old Kerberos back (which is in
> /usr/{kerberos,kerbnet,kerbnet-1.2}.buggy and comments in inetd.conf)
> because it has known security holes.  Call me at +1 202 265 6119 or
> send email.

Please put it back.  Your are completely blocking the use of the
machine for some people (including me).  You can add the new code as
soon as you've found somebody who can help and is online at the same
time.

-- 
---------------.      drepper at gnu.org  ,-.   1325 Chesapeake Terrace
Ulrich Drepper  \    ,-------------------'   \  Sunnyvale, CA 94089 USA
Red Hat          `--' drepper at redhat.com   `------------------------

Re: Kerberos: CERT Advisory CA-2000-06

[Jim Kingdon]

> It seems that essentially *all* versions of Kerberos have several
> significant vulnerabilites! See CERT Advisory CA-2000-06 for details.

That's http://www.cert.org/advisories/CA-2000-06.html for the lazy.

Those are the ones fixed in
ftp://ftp.tux.org/distributions/redhat/updates/6.2/i386/krb5* right?
The whole point of the Kerberos discussion of the last day or two has
been how to patch those.  I'm planning on installing those RPMs and
deinstalling the Kerberos we had installed, since no one has objected
to that plan.

There was some sentiment in favor of just getting rid of Kerberos, but
that seems not to be practical.

Re: Need help with Kerberos

[Jim Kingdon]

I've put Kerberos back the way it was.

I don't like this one bit, but I couldn't quickly find what needs to
be downloaded at http://web.mit.edu/kerberos/www/index.html .

Now, who wants to actually fix this?