Known Bugs in Kerberos 5 Release 1.1
- Compiling remote login programs using the --without-krb4
option has disastrous effects. See the
page for details.
- There are serious buffer overrun vulnerabilities in the krb4
compat code. See the
page for details.
- Attempting to use a krb5-1.1 kinit against a 1.0.x KDC to
obtain initial credentials for a principal which has the
REQUIRES_PREAUTH flag set will result in a preauthentication
error. This is due to some incompatibility introduced with
the Cygnus initial credentials API merge. This problem does
not appear if the principal in question has a krb4-salted key
listed first in the database. This should be fixed in the
- Syslog-based logging has a possible denial-of-service
bug, which will be fixed in an upcoming release. For
now, do NOT use syslog-based logging for the KDC
or kadmind. File-based logging will still work, and is
not vulnerable to the denial-of-service attack. This should
be fixed in the 1.1.1 release.
- The lib/rpc tests do not appear to work under NetBSD-1.4,
for reasons that are not completely clear at the moment, but
probably have something to do with portmapper interfacing.
This should not affect other operations, such as kadmind
- Hardware preauthentication is known to be broken; this will
be fixed in an upcoming release.
- There are known to be a number of problems with
configuration files. For example, unrecognized encryption
types in a kdc.conf or possibly also a krb5.conf will result
in obscure error messages of the form "file not found", when
in fact it is an unrecognized enctype. There are also
potentially problems with trailing whitespace.
- There is an ASN.1 parser bug that will result in
non-response from the KDC in the case of an empty sequence
type. This most commonly occurs when the client sends an
empty enctype list as part of an AS_REQ, which in turn is
often due to misconfiguration. This should be fixed in the
- Not all reported bugs have been fixed in this release, due
to time constraints. We are planning to make another release
in the near future with more complete triple DES support, and
additional bugfixes. Many of the bugs in our database are
reported against what is now quite old code, or require
hardware that we do not have, which make them difficult to
reproduce and debug. We will work on these older bugs and
some externally submitted patches for the following
$Id: known-bugs.html,v 1.7 2000/05/17 20:42:28 tlyu Exp $
For comments/suggestions about this page, mail: