[EMAIL PROTECTED] (Michael D Sofka) writes:
> Please keep in mind that kaserver supports two Kerberos protocols, the
> AFS version and MIT Kerberos 4. We've been switching over to MIT
> kerberos so that, for example, users can authenticate with their
> eudora clients. So, we would like to know if the MIT Kerberos IV support
> in kaserver is subject to the COAST attack.
At present, I believe that the problem reported is an implementation
bug in MIT Kerberos, *NOT* a protocol weakness, and further, that this
bug was fixed in the kaserver in 1989, though nobody asked us before publishing...
So if we're right about the exact attack, both the K4 compatibility code
and the RX interface should be immune.
Please note that this is my unofficial opinion as an ex-AFS developer.
I understand that Transarc will be making an official statement before
long.