In relation to MITKRB5-SA-2003-004 announced today, I have a question about my potential vulnerability.

My KDC (1.2.5) supports V4 only to the extent that it will issue a V4 (as well as a V5) TGT. I've been planning to turn this off anyway (subject to investigation of whether we have any V4 applications floating around), but I wonder if supporting this feature is sufficient to make us vulnerable.

I don't support DES3 keys at all (V4 or V5) and my only cross-realm arrangement is with a local Win2k Active Directory KDC (which, of course, is V5).

So, my question is: Is it *necessary* for me to turn off issuance of V4 TGTs in my KDC in order to completely protect myself from the latest announced vulnerability?

Thanks.

Mike

------------------------------------------------------------------------------
Mike Friedman                      System and Network Security
[EMAIL PROTECTED]                  2484 Shattuck Avenue
1-510-642-1410                     University of California at Berkeley
http://ack.Berkeley.EDU/~mikef     http://security.berkeley.edu
------------------------------------------------------------------------------

________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
