There has been a report indicating that there is a problem with the use of NIM to obtain credentials for principals whose password has expired. I have been unable to replicate the problem. I would appreciate it if other users could try to obtain credentials for a principal with an expired password and report back to [EMAIL PROTECTED] if there is a problem.
Thanks.

Jeffrey Altman
Secure Endpoints Inc.

Tom Yu wrote:
> The MIT Kerberos Development Team is proud to announce the second *BETA*
> release of the next revision of our Kerberos for Windows product,
> Version 3.1.
>
> Please send bug reports and feedback to [EMAIL PROTECTED]
>
> What's New:
> ===========
>
> Version 3.1 fixes bugs and adds minor functionality:
>
> * Improvements to the Network Identity Manager
>
>   1. A serious memory leak has been fixed
>
>   2. Principal names containing numbers are no longer considered
>      invalid
>
>   3. Locales other than en_US are now supported
>
>   4. Arbitrary sort ordering of credentials
>
>   5. Support for FILE: ccaches
>
>   6. Credential properties may be selected by the user for display
>
>   7. User selected font support
>
>   8. Tool Tip support added to the Toolbar
>
>   9. Identities can be added without obtaining credentials
>
>   10. Kerberos 5 Realm editor has been added
>
> * The MSLSA: ccache is disabled in WOW64 environments prior to Microsoft
>   Windows Vista Beta 2 (Windows XP 64, 2003 64, etc.)
>
> * The installers are built using the latest toolkit versions NSIS (2.18)
>   and WIX (2.0.4220.0)
>
>
> Version 3.0 provided several often requested new features:
>
> * thread-safe Kerberos 5 libraries (provided by Kerberos 5 release
>   1.4.4)
>
> * a replacement for the Leash Credential Manager called the Network
>   Identity Manager
>
>   - a visually enticing application that takes advantage of all of the
>     modern XP style User Interface enhancements
>
>   - supports the management of multiple Kerberos 5 identities in a
>     variety of credential cache types including CCAPI and FILE.
>
>   - credentials can be organized by credential cache location or by
>     identity
>
>   - a single identity can be marked as the default for use by
>     applications that request the current default credential cache
>
>   - Network Identity Manager is built upon the Khimaira Identity
>     Management Framework introduced this past summer at the AFS &
>     Kerberos Best Practices Conference at CMU.
>
>   - Credential Managers for Kerberos 5 and Kerberos 4 are provided.
>     Credential Managers for other credential types including AFS
>     and KX.509/KCA are available. Contact Secure Endpoints Inc.
>     for details. <https://www.secure-endpoints.com>
>
>   - The Khimaira framework is a pluggable engine into which custom
>     Identity Managers and Credential Managers can be added.
>     Organizations interested in building plug-ins for the Network
>     Identity Manager may contact Jeffrey Altman at
>     [EMAIL PROTECTED]
>
> * a Kerberos specific WinLogon Network Provider that will use the
>   username and password combined with the MIT Kerberos default realm in
>   an effort to obtain credentials at session logon
>
>
> Important changes since the 2.6.5 release:
> ==========================================
>
> * This release requires 32-bit editions of Microsoft Windows 2000 or
>   higher. Support for Microsoft Windows 95, 98, 98 Second Edition, ME,
>   and NT 4.0 has been discontinued. Users of discontinued platforms
>   should continue to use MIT Kerberos for Windows 2.6.5.
>
> * Version 3.0 does not include any internal support for AFS. The
>   aklog.exe utility now ships as a part of OpenAFS for Windows.
>   <http://www.openafs.org/windows.html> The Secure Endpoints Inc. AFS
>   credential manager for the Network Identity Manager has been incorporated
>   into OpenAFS for Windows 1.5.9 and above.
>
>
> Downloads
> =========
>
> Binaries and source code can be downloaded from the MIT Kerberos web site:
> http://web.mit.edu/kerberos/
>
>
> Acknowledgments
> ===============
>
> The MIT Kerberos team would like to thank Secure Endpoints Inc.
> <https://www.secure-endpoints.com> for its support during the development
> of this release.
>
>
>
> Important notice regarding Kerberos 4 support
> =============================================
>
> In the past few years, several developments have shown the inadequacy
> of the security of version 4 of the Kerberos protocol. These
> developments have led the MIT Kerberos Team to begin the process of
> ending support for version 4 of the Kerberos protocol. The plan
> involves the eventual removal of Kerberos 4 support from the MIT
> implementation of Kerberos.
>
> The Data Encryption Standard (DES) has reached the end of its useful
> life. DES is the only encryption algorithm supported by Kerberos 4,
> and the increasingly obvious inadequacy of DES motivates the
> retirement of the Kerberos 4 protocol. The National Institute of
> Standards and Technology (NIST), which had previously certified DES as
> a US government encryption standard, has officially announced[1] the
> withdrawal of the Federal Information Processing Standards (FIPS) for
> DES.
>
> NIST's action reflects the long-held opinion of the cryptographic
> community that DES has too small a key space to be secure. Breaking
> DES encryption by an exhaustive search of its key space is within the
> means of some individuals, many companies, and all major governments.
> Consequently, DES cannot be considered secure for any long-term keys,
> particularly the ticket-granting key that is central to Kerberos.
>
> Serious protocol flaws[2] have been found in Kerberos 4. These flaws
> permit attacks which require far less effort than an exhaustive search
> of the DES key space. These flaws make Kerberos 4 cross-realm
> authentication an unacceptable security risk and raise serious
> questions about the security of the entire Kerberos 4 protocol.
>
> The known insecurity of DES, combined with the recently discovered
> protocol flaws, make it extremely inadvisable to rely on the security
> of version 4 of the Kerberos protocol. These factors motivate the MIT
> Kerberos Team to remove support for Kerberos version 4 from the MIT
> implementation of Kerberos.
>
> The process of ending Kerberos 4 support began with release 1.3 of MIT
> Kerberos 5. In release 1.3, the default run-time configuration of the
> KDC disables support for version 4 of the Kerberos protocol. Release 1.4
> of MIT Kerberos continues to include Kerberos 4 support (also disabled
> in the KDC with the default run-time configuration), but we intend to
> completely remove Kerberos 4 support from some future release of MIT
> Kerberos.
>
> The MIT Kerberos Team has ended active development of Kerberos 4,
> except for the eventual removal of all Kerberos 4 functionality. We
> will continue to provide critical security fixes for Kerberos 4, but
> routine bug fixes and feature enhancements are at an end.
>
> We recommend that any sites which have not already done so begin a
> migration to Kerberos 5. Kerberos 5 provides significant advantages
> over Kerberos 4, including support for strong encryption,
> extensibility, improved cross-vendor interoperability, and ongoing
> development and enhancement.
>
> If you have questions or issues regarding migration to Kerberos 5, we
> recommend discussing them on the [email protected] mailing list.
>
> References
>
> [1] National Institute of Standards and Technology. Announcing
>     Approval of the Withdrawal of Federal Information Processing
>     Standard (FIPS) 43-3, Data Encryption Standard (DES); FIPS 74,
>     Guidelines for Implementing and Using the NBS Data Encryption
>     Standard; and FIPS 81, DES Modes of Operation. Federal Register
>     05-9945, 70 FR 28907-28908, 19 May 2005. DOCID:fr19my05-45
>
> [2] Tom Yu, Sam Hartman, and Ken Raeburn. The Perils of
>     Unauthenticated Encryption: Kerberos Version 4. In Proceedings of
>     the Network and Distributed Systems Security Symposium. The
>     Internet Society, February 2004.
>     http://web.mit.edu/tlyu/papers/krb4peril-ndss04.pdf
> _______________________________________________
> kerberos-announce mailing list
> [EMAIL PROTECTED]
> https://mailman.mit.edu/mailman/listinfo/kerberos-announce

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
