[1887] in Kerberos-V5-bugs
Re: ss-960411 Checksum Problems
daemon@ATHENA.MIT.EDU (Theodore Y. Ts'o)
Thu Apr 18 16:43:25 1996
Date: Thu, 18 Apr 1996 13:54:34 -0400
From: "Theodore Y. Ts'o" <tytso@MIT.EDU>
To: Sam Hartman <hartmans@MIT.EDU>
Cc: "Theodore Y. Ts'o" <tytso@MIT.EDU>, Doug Engert <DEEngert@anl.gov>,
krb5-bugs@MIT.EDU, raeburn@cygnus.com
In-Reply-To: Sam Hartman's message of 18 Apr 1996 02:52:35 -0400,
<tslratmqb0s.fsf@tertius.mit.edu>
From: Sam Hartman <hartmans@MIT.EDU>
Date: 18 Apr 1996 02:52:35 -0400
Apparently, pre-Beta5 clients generate bogus checksums.
Considering that we are still in beta, and that there is substancially
enhanced security if you use checksums, I strongly believe that
checksums should be used if supplied.
Well, the problem is that most of the people who are using Kerberos V5
today are using pre-beta5 clients. Not too many people are using beta
5, since it's a pretty broken release. As a result, I don't want to
cause to much backwards compatibility headaches.
I'd much rather see the code #ifdef'ed to allow compatibility with
pre-beta5 clients, and advertise that this is a provisional limited-time
feature, thus encouraging people to upgrade. In a future release, we
can turn off this backwards compatibility fix.
We could add yet another option, but krlogin is getting hard enough to
configure and use, and I'm not really convinced this is worth it. It's
not like it weakens security by all that much anyway, since people who
really care about security will be using the -c flag anyway.
This would involve backing out Ken's patch. In particular,
the warning if you have -54c would reappear--you should never require
checksums if you are enabling Kerberos4, and then adding the new
backward compatability option that would have the same behavior Ken
has the mainline code path currently take.
The problem with the old way of doing things was that even if you were
using Kerberos V5, and you had a valid checksum, krlogin was still
issueing the same the warning syslog for no good reason. That was
broken.
As far as checksum security and Kerberos V4, the place to warn system
administrators about that sort of thing is in the documentation, not by
causing a syslog to appear every single time someone logs in using
Kerberos V4.
- Ted
