Kerberos page

This page describes Kerberos 4 also known as KTH-KRB.
If you're looking for Kerberos 5 (you probably should), see the Heimdal pages.

Our eBones distribution

NEWS

2003-03-17: Security advisory regarding v4 cross-realm

All versions of the kerberos server are vulnerable to a protocol bug in the kerberos v4 cross-realm operation. Release 1.2.2 by default disables cross-realm in the server, and adds an option for enabling it. The long-term fix is to migrate to Kerberos v5. (heimdal)

2002-10-23: Security advisory regarding kadmind

All versions of the kadmind daemon are vulnerable to a remote root exploit. Release 1.2.1 should fix this problem.

Release 1.2.2 is now available with:

cross-realm disabled in the server

Also includes these bug-fixes from 1.2.1:

buffer overflow in kadmind fixed
fix buffer overrun in ftp
fix openssl building
don't try to force encryption in telnet if not talking to a default telnet port
recognise AIX 5
should work with more DB libraries

krb4-1.2.2.tar.gz

You can pick up our source distribution of Kerberos 4. It is based on eBones (which is based on MIT Kerberos 4 patchlevel 9), but has been severely hacked and is known to work on the following systems (these are what we use it on):

Digital UNIX 4.0 and 5.0
SunOS 4.1
Solaris 2.6, 7 and 8
AIX 4.3 and 5.0
NetBSD 1.5, 1.6
FreeBSD 4.x, 5.x
OpenBSD 2.x
IRIX 6.5
Linux 2.4
HP-UX 11.x
Fujitsu UXP/V

Some part compile and work on:

OS/2 with EMX
Windows 95/NT with gnu-win32 (with the proper amount of magic the libraries should compile with Microsoft C as well)

Apart from the core Kerberos programs the distribution contains the following:

telnet and telnetd
rsh, rcp, rlogin and rshd, rlogind
login
su
ftp and ftpd following (mostly) the ftpsec Internet draft.
kauth (kinit + afs support + remote kinit (like rkinit) + batch support)
kpopper and an emacs 19.30 movemail with kpop support
kx for encrypted X sessions
xnlock
kip for encrypted IP tunnels (requires tunnel device)
afslog (aklog clone), pagsh, and kstring2key for the AFS minded
authentication modules for Irix, Digital UNIX, and PAM.

Pick up the source. Binaries are not provided by us in an organised manner, there might be binary snapshots on the ftp-server, but we don't guarantee that they are other than of pre-historic vintage. If you're desperate, you can check the FTP directory.

Contrib directory available with patches to different programs for supporting kerberos.

For Windows users, we recommend ktelnet.

Documentation

Some documentation is available as:

PostScript
PostScript (gziped)
HTML
DVI
TeXinfo (in a .tar.gz)

The manual is also available translated to Japanese.

Bugs

Send all bug reports to kth-krb-bugs@pdc.kth.se.

Mailing list

There is a mailing list for the users of this package. Send mail to krb4-request@sics.se to subscribe.