1996-05-01 17:15:30 +00:00
|
|
|
IMPORTANT!
|
1996-02-21 21:40:14 +00:00
|
|
|
|
1996-05-01 17:15:30 +00:00
|
|
|
This distribution includes a patch (already applied), that updates
|
|
|
|
Kerberos' key generation. The gist of the patch is to replace calls
|
|
|
|
to des_random_key() with calls to des_new_random_key().
|
1996-02-21 21:40:14 +00:00
|
|
|
|
|
|
|
The primary difference is that des_random_key() uses a seeding
|
1996-05-01 17:15:30 +00:00
|
|
|
technique which is predictable and therefore vulnerable.
|
|
|
|
des_new_random_key() uses a feedback mechanism based on the Data
|
|
|
|
Encryption Standard (DES) and is seeded with a secret (and therefore
|
|
|
|
unknown to an attacker) value. This value is the database master
|
|
|
|
key, which is a convenient secret value.
|
|
|
|
|
|
|
|
This patch uses the new_rnd_key.c key module (which contains the
|
|
|
|
definition and code for des_new_random_key()). It has been part of
|
|
|
|
the standard Version 4 distribution since 1992 (and was recreated
|
|
|
|
for FreeBSD in 1995). This is used in the MIT admin server (the
|
|
|
|
primary error at MIT was not upgrading all of Kerberos to use this
|
|
|
|
newer generator. This patch finishes the job).
|
|
|
|
|
|
|
|
In addition to the patch for the Kerberos distribution this
|
1996-02-21 21:40:14 +00:00
|
|
|
distribution also contains a program for changing critical system keys
|
|
|
|
(namely the "krbtgt" and "changepw.kerberos" keys). When you
|
|
|
|
originally built your Kerberos database these keys were chosen at
|
|
|
|
random, using the vulnerable version of the kerberos random number
|
|
|
|
generator. Therefore it is possible for an attacker to mount an attack
|
|
|
|
to guess these values. If an attacker can determine the key for the
|
|
|
|
"krbtgt" ticket, they can construct tickets claiming to be any
|
|
|
|
kerberos principal. Similarly if an attacker can obtain the
|
|
|
|
"changepw.kerberos" key, they can change anyone's password.
|
|
|
|
|
1996-05-01 17:15:30 +00:00
|
|
|
The new "fix_kdb_keys(8)" program, which you run on the KDC
|
|
|
|
server, will change these critical keys to new values using the
|
|
|
|
newer random number generator. IMPORTANT: When you run fix_kdb_keys,
|
|
|
|
all outstanding ticket granting tickets will immediately become
|
|
|
|
invalid. This will be disruptive to your user community. We recommend
|
|
|
|
that you either do this late at night or early in the morning before
|
|
|
|
most users have logged in. Alternatively pre-announce a definitive
|
|
|
|
time when you will run the program and inform your users that they
|
|
|
|
will have to get new tickets at that time (using either "kinit" or
|
|
|
|
simply by logging out and then in again).
|
|
|
|
|
|
|
|
NOTE: The only client program modified is "ksrvutil" which is used
|
|
|
|
to generate new server keys. All other client/server programs are
|
|
|
|
unaffected. End users do *not* need to obtain new versions of
|
|
|
|
programs that use Kerberos. This is because most random number
|
|
|
|
generation in the Kerberos system is done on the KDC system.
|
|
|
|
|
|
|
|
After getting these sources, type "make world" at the toplevel of
|
|
|
|
your source tree. This will, among other things, build the fix_kdb_keys
|
|
|
|
program. This is not necessary if you have already got prebuilt
|
|
|
|
binaries with this distribution.
|