Known Bugs in Kerberos 5 Release 1.1

• Compiling remote login programs using the --without-krb4 option has disastrous effects. See the advisories page for details.

• There are serious buffer overrun vulnerabilities in the krb4 compat code. See the advisories page for details.

• Attempting to use a krb5-1.1 kinit against a 1.0.x KDC to obtain initial credentials for a principal which has the REQUIRES_PREAUTH flag set will result in a preauthentication error. This is due to some incompatibility introduced with the Cygnus initial credentials API merge. This problem does not appear if the principal in question has a krb4-salted key listed first in the database. This should be fixed in the 1.1.1 release.

• Syslog-based logging has a possible denial-of-service bug, which will be fixed in an upcoming release. For now, do NOT use syslog-based logging for the KDC or kadmind. File-based logging will still work, and is not vulnerable to the denial-of-service attack. This should be fixed in the 1.1.1 release.

• The lib/rpc tests do not appear to work under NetBSD-1.4, for reasons that are not completely clear at the moment, but probably have something to do with portmapper interfacing. This should not affect other operations, such as kadmind operation.

• Hardware preauthentication is known to be broken; this will be fixed in an upcoming release.

• There are known to be a number of problems with configuration files. For example, unrecognized encryption types in a kdc.conf or possibly also a krb5.conf will result in obscure error messages of the form "file not found", when in fact it is an unrecognized enctype. There are also potentially problems with trailing whitespace.

• There is an ASN.1 parser bug that will result in non-response from the KDC in the case of an empty sequence type. This most commonly occurs when the client sends an empty enctype list as part of an AS_REQ, which in turn is often due to misconfiguration. This should be fixed in the 1.1.1 release.

• Not all reported bugs have been fixed in this release, due to time constraints. We are planning to make another release in the near future with more complete triple DES support, and additional bugfixes. Many of the bugs in our database are reported against what is now quite old code, or require hardware that we do not have, which make them difficult to reproduce and debug. We will work on these older bugs and some externally submitted patches for the following release.