Heimdal 7.6 security release announcement

2019-05-15 Thread Viktor Dukhovni
Dear Heimdal Community, A team consisting of staff from Two Sigma Open Source and AuriStor are pleased to announce the release of Heimdal 7.6. The release download page is: https://github.com/heimdal/heimdal/releases/tag/heimdal-7.6.0 The source tarball can be downloaded from:

Re: Memory leak with Squid negotiate_kerberos_auth helper under OpenBSD 6.3

2018-09-03 Thread Viktor Dukhovni
> On Sep 3, 2018, at 7:16 AM, Silamael wrote: > > Are there any known problems with Heimdal under OpenBSD 6.3? None known. I'd change the code to exit the main loop after a number of requests (say 100), and run it under valgrind. -- Viktor.

Re: Target realm gets overwritten

2018-08-17 Thread Viktor Dukhovni
> On Aug 17, 2018, at 12:06 PM, Alibek Jorajev wrote: > > I ran configure with paths: > > --with-cross-tools=$CROSSROOT --with-openssl=$SSLROOT > --with-openssl-include=$SSLROOT/include > > where SSLROOT is correct path to OpenSSL - this works with Heimdal v.1.4 > but it is not working

Re: Target realm gets overwritten

2018-08-10 Thread Viktor Dukhovni
> On Aug 10, 2018, at 4:01 PM, Alibek Jorajev wrote: > > I am using KRB5 API to fetch TGT and then GSS API to generate negotiate > tokens. > (then I add these tokens into HTTP headers when needed). I am using Heimdal > v. 1.4. You really SHOULD NOT be using Heimdal 1.4. We only support

Re: kpasswdd dumps on OpenBSD6.3

2018-08-06 Thread Viktor Dukhovni
> On Aug 6, 2018, at 3:52 AM, ASV wrote: > > There are sections which are scarcely written and perhaps not even > correct (like the incremental propagation one). If you could be a bit more specific, (and as Jeff says open an issue on Github) we might be able to address some of the most

Re: kpasswdd dumps on OpenBSD6.3

2018-08-05 Thread Viktor Dukhovni
> On Aug 5, 2018, at 5:58 PM, ASV wrote: > > For example I'm changing the password of a...@bla.net and the principal > IS in the acl file as: > a...@bla.net c (or C which should deny it) You're reading the MIT Kerberos documentation for the kadmind.acl file. In Heimdal the syntax is

Re: kpasswdd dumps on OpenBSD6.3

2018-08-05 Thread Viktor Dukhovni
> On Aug 5, 2018, at 3:58 PM, ASV wrote: > > Anyway, looking forward to the patch. I'm glad I've helped the project > somehow. Thanks a lot for your time and responsiveness. https://github.com/heimdal/heimdal/commit/dd249257e397a26c48164122c892c96a10b64c44 -- Viktor.

Re: kpasswdd dumps on OpenBSD6.3

2018-08-05 Thread Viktor Dukhovni
> On Aug 5, 2018, at 12:33 PM, ASV wrote: > > Here we go: > > (gdb) frame 2 > #2 0x1fe05dc02bfb in change (auth_context=0x1fe261682080, > admin_principal=0x1fe318614860, version=65408, s=8, sa=0x7f7e0968, > sa_size=16, in_data=0x7f7e0310) at kpasswdd.c:410 > 410 ret =

Re: kpasswdd dumps on OpenBSD6.3

2018-08-05 Thread Viktor Dukhovni
0x1fe263d185d6 0x1fe263d185d6 > eflags 0x10202 66050 > cs 0x2b 43 > ss 0x23 35 > ds 0x23 35 > es 0x23 35 > fs 0x23 35 > gs 0x23 35 > > > > On Sat, 2018-0

Re: kpasswdd dumps on OpenBSD6.3

2018-08-04 Thread Viktor Dukhovni
> On Aug 4, 2018, at 3:28 PM, ASV wrote: > > I think that I finally got it, did I? Still no symbols, but yes, you got the instruction decode. > Program received signal SIGSEGV, Segmentation fault. > 0x07fe9c69d5d6 in change () from /usr/local/heimdal/lib/libkadm5srv.so.3.0 > Current

Re: kpasswdd dumps on OpenBSD6.3

2018-08-04 Thread Viktor Dukhovni
> On Aug 4, 2018, at 2:36 PM, ASV wrote: > > You've been 23 secs faster to reply than me to correct the email with > the wrong output! :D > > So, the correct one has been sent already. About the source code, well > I've tried with both but the upstream didn't compile so I'll stick to > the

Re: kpasswdd dumps on OpenBSD6.3

2018-08-04 Thread Viktor Dukhovni
On Aug 4, 2018, at 2:05 PM, ASV wrote: > On Fri, 2018-08-03 at 14:05 -0400, Viktor Dukhovni wrote: >>> On Aug 3, 2018, at 1:43 PM, ASV wrote: >>> >>> No, no crashes using "kadmin -l". >> >> This shows that "kadmin" and the libka

Re: kpasswdd dumps on OpenBSD6.3

2018-08-04 Thread Viktor Dukhovni
> On Aug 4, 2018, at 1:43 PM, ASV wrote: > > On Fri, 2018-08-03 at 14:05 -0400, Viktor Dukhovni wrote: >>> On Aug 3, 2018, at 1:43 PM, ASV wrote: >>> >>> No, no crashes using "kadmin -l". >> >> This shows that "kadmin"

Re: kpasswdd dumps on OpenBSD6.3

2018-08-03 Thread Viktor Dukhovni
> On Aug 3, 2018, at 1:43 PM, ASV wrote: > > No, no crashes using "kadmin -l". This shows that "kadmin" and the libkadm5srv.so library work fine. Which libraries is "kadmin" linked with (post ldd output)? Which libraries is "kpasswdd" linked with (post ldd output) and make sure you're

Re: kpasswdd dumps on OpenBSD6.3

2018-08-03 Thread Viktor Dukhovni
> On Aug 3, 2018, at 5:27 AM, ASV wrote: > > Changing password as suggested (kadmin -l cpw ...) works No crashes, right? Modulo authentication of the user, UDP transport, ... ultimately "kadmin -l cpw" and "kpasswd" should end up calling the same change() function in much the same way. >

Re: kpasswdd dumps on OpenBSD6.3

2018-08-02 Thread Viktor Dukhovni
> On Aug 2, 2018, at 12:33 PM, ASV wrote: > > Program received signal SIGSEGV, Segmentation fault. > 0x1db26a5615d6 in change () from > /usr/local/heimdal/lib/libkadm5srv.so.3.0 > Current language: auto; currently minimal > (gdb) The program is running. Exit anyway? (y or n) n > Not

Re: Some principals not replicating

2018-06-15 Thread Viktor Dukhovni
> On Jun 15, 2018, at 5:31 PM, Adam Lewenberg wrote: > > PROBLEM: Some of the principals will not replicate. Well updates to the principal are not replicating... > If I go on the master and change the password of one of these problematic > principals, I > see this in the replica's logs:

Re: kadmin: failing dump/load

2017-11-06 Thread Viktor Dukhovni
> On Nov 6, 2017, at 12:20 PM, Patrik Lundin wrote: > > On 2017-11-06 17:55:05, Patrik Lundin wrote: >> >> While it can still be displayed with kadmin (and authenticated to with >> kinit) the dump and load will fail: >> === >> root@kdc-lab-master1:~# kadmin -l load

Re: Expired tickets not renewed

2017-08-09 Thread Viktor Dukhovni
On Wed, Aug 09, 2017 at 01:11:07PM -0500, Nico Williams wrote: > On Wed, Aug 09, 2017 at 06:01:26PM +0000, Viktor Dukhovni wrote: > > On Wed, Aug 09, 2017 at 07:34:15PM +0200, Harald Barth wrote: > > > > > Btw, one of my ticket caches looks like this (probably MIT library

Re: Expired tickets not renewed

2017-08-09 Thread Viktor Dukhovni
On Wed, Aug 09, 2017 at 07:34:15PM +0200, Harald Barth wrote: > Btw, one of my ticket caches looks like this (probably MIT library): > > Issued Expires Principal > Aug 5 18:06:47 2017 Aug 12 18:06:45 2017 > krbtgt/besserwisser@besserwisser.org > Aug 5

Re: How to disable DNS lookups?

2017-07-26 Thread Viktor Dukhovni
On Wed, Jul 26, 2017 at 03:08:30PM -0700, Henry B (Hank) Hotz, CISSP wrote: > > Then the explicit trailing dots in /etc/hosts look indeed > > like a reasonable trade-off. > > Actually, isn’t the trailing dot just a red herring? No. > The RR is guaranteed to return a name which has an A/

Re: How to disable DNS lookups?

2017-07-26 Thread Viktor Dukhovni
> On Jul 26, 2017, at 5:37 AM, u-hd-p...@aetey.se wrote: > > As Russ already pointed out, the DNS standard is not an authority > which defines the behaviour of the applicable APIs. Of course widely used > implementations may create "de-facto standards" but this discussion shows > that there is

[Heimdal-announce] Heimdal 7.2 release announcement.

2017-04-11 Thread Viktor Dukhovni
Dear Heimdal Community, A team consisting of staff from Two Sigma Open Source and AuriStor are pleased to announce the release of Heimdal 7.2. The release download page is: https://github.com/heimdal/heimdal/releases/tag/heimdal-7.2.0 The source tarball can be downloaded from:

Re: kadmind (1.5.2) not respecting --keytab parameter

2017-03-25 Thread Viktor Dukhovni
> On Mar 25, 2017, at 7:38 PM, Adam Lewenberg wrote: > > /usr/lib/heimdal-servers/kadmind --keytab=/etc/heimdal-kdc/kadmin.keytab > --config-file=/etc/heimdal-kdc/kdc.conf --debug > > When I run a kadmin command from another server this is the error that shows > up in