Thread: kfw-3.2-beta1 is available - corrected MSI
2007-04-11 15:58:02
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


This is a reposting because the MSI originally posted for kfw-3.2-beta1 was inadvertently copied from an older version.  We have uploaded the correct kfw-3_2_0-beta1.msi file.  One way to distinguish the files is by their size; the correct MSI file has a size of 8391k.  The incorrect file had a size of 8400k.

========================================

The MIT Kerberos Development Team and Secure Endpoints Inc. are proud to announce the first beta release of MIT's Kerberos for Windows product, Version 3.2.

Please send bug reports and feedback to kfw-bugs@mit.edu.

What's New:
===========

  * Network Identity Manager Application
     o A simplified basic mode has been added to the "obtain new credentials dialog".  The basic mode replaces the credential browser with a button that can be used to access the advanced configuration functions.  This advanced mode provides the credential browser and a tabbed view of the configuration dialogs for each of the available credential providers.
     o A simplified default application view that shows only the status of the active identities.
     o A new command-line option to netidmgr.exe is available to shut down a running instance of Network Identity Manager.  Specify "-x" or "--exit" to force the existing instance to terminate.
     o The use of ellipsis on menu items now follows the Windows Style Guide.  An ellipsis is only used when additional information is required from the user before carrying out the designated action.  If displaying a dialog is the action, no ellipsis is used.
     o Improved handling of window focus when opening and closing modal dialogs.
     o Reduce the number of alerts presented to the user by combining duplicates into a single alert.
     o Do not generate alerts if there is nothing that the user can do to correct the situation.  Alerts that are displayed provide actions the user can take if desired.
     o Renew and Destroy menus provide "All" and "Individual identity names" as choices.
     o The Renew and Destroy toolbar buttons provide dropdown menus permitting the action to be applied to either "All" or one specific identity.
     o The "default" action of left clicking the notification icon is now configurable.  The default configuration is "open/close NIM window".  The alternate is to open the new credentials dialog.  This can be specified by the user on the General Options page.
     o The alerter window can now display multiple alerts simultaneously.
     o Ensure that the NIM window is displayed on an active desktop.  If not, move it to the primary desktop and center it.
     o New Basic mode display that shows only the state of the identity and its expiration time.  Use F7 or View->Advanced to switch to the previous display, which is configurable by the user to show details about each credential.
     o New Color Scheme derived from the current Windows Desktop Color Scheme.
     o Improved display updating algorithms reduce flicker.
     o The proper icon sizes are now used in the information bubble and the status bar.
     o Plug-in Help can now be added to the Help menu.
  * Network Identity Manager Kerberos v5 Support
     o Do not show cached prompts to the user if they have expired.
     o Correct the possibility that a krb5_ccache handle might be freed twice.
     o Import settings from the Kerberos Profile if there are no equivalent defaults specified in the registry.  Support per-realm settings.
     o An identity that matches the MSLSA will not renew its credentials from the MSLSA if the user obtained the credentials from elsewhere.
     o When importing an identity from the MSLSA that has never been seen before, create an entry in the identity database.
     o Do not attempt to renew non-renewable identities.
     o Permit an identity to be configured as the default identity even if it doesn't have any credentials.
  * Kerberos v5 Library Improvements
     o Based on MIT release 1.6+.
     o On Vista, the MSLSA: krb5_ccache can be used to store tickets, including TGTs for alternative principals, in the LSA credential cache.
     o On Vista, a more efficient interface for enumerating the contents of the LSA credential cache is available.
     o Vista support is only built if the Vista SDK version of NTSecAPI.H is used.
     o On Vista, if a process is UAC limited, the MSLSA will report that no tickets are present in the cache rather than return tickets with invalid session keys.
     o get_os_ccname() uses GetEnvironmentVariable() instead of getenv() to read the KRB5CCNAME environment variable.  This allows the correct default credential cache name to be returned by krb5_cc_default_name().  This works around a problem where a gssapi application would trigger an Obtain New Credentials prompt from NIM only to have it obtain the wrong credential cache.
  * Winsock Helper Library Improvements
     o DNS queries that terminate with a dot would not properly match the hostnames listed within the DNS response, preventing a successful return.  This resulted in "kinit -4" failing to find the KDCs.
  * Integrated Logon Improvements
     o Remove the reliance on the Windows Logon Event handler and replace it with a LogonScript that executes kfwlogon.dll via a call to rundll32.exe.  This change permits the integrated logon functionality to work on all supported platforms: Windows 2000 to Windows Vista.
     o Disable the use of integrated logon if the Network Provider is called as a result of a non-interactive logon.  The non-interactive logon does not process the specified LogonScript.  As a result, the intermediate credential cache file would not be processed nor cleaned up.
     o Obtained credentials are stored into an API credential cache whose name is API:<principal>.
     o Add a debugging mode which, when activated, logs to the Windows Application Event Log.  It is enabled by the registry value:
       [HKLM\System\CurrentControlSet\Services\MIT Kerberos\NetworkProvider]
         DWORD "Debug"
  * Leash32 Library Changes
     o Modify the leash functions to use krb5_string_to_deltat() to parse ticket_lifetime and renew_lifetime from the profile.  Previously the leash functions expected those fields to be an integer representation of minutes without the use of any units.  This change is for consistency with KFM and the rest of the krb5 library.
     o Modify the private functions acquire_tkt_for_princ() and acquire_tkt_no_princ() that are called from gssapi32.dll so that they will work on Windows Vista and so that the MSLSA: principal is only imported if it matches the default identity and no credentials for that identity are present.
     o Remove all AFS functionality.
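The Winsock Helper Library fix above is a name-comparison problem: a query written as an absolute name with the root label's trailing dot ("kdc1.example.com.") never matched an answer name that came back without it, or in different case, so the KDC lookup reported nothing found.  The C below is an added illustration written for this page, not code from the KFW Winsock helper library; dns_name_equal(), find_matching_answer() and the sample answer names are constructed for the example.  It sets a byte-for-byte comparison beside one that treats the trailing dot as optional and compares case-insensitively, as DNS itself does.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length of a DNS name ignoring a single trailing root dot:
 * "kdc1.example.com." and "kdc1.example.com" both give 16.
 * The lone root name "." keeps its length of 1. */
static size_t dns_name_len(const char *name)
{
    size_t n = strlen(name);
    if (n > 1 && name[n - 1] == '.')
        n--;
    return n;
}

/* Compare two DNS names the way the protocol does: case-insensitively,
 * and with a trailing dot on either side treated as equivalent to none.
 * Returns 1 when the names match, 0 otherwise. */
int dns_name_equal(const char *query, const char *answer)
{
    size_t qn = dns_name_len(query), an = dns_name_len(answer);
    if (qn != an)
        return 0;
    for (size_t i = 0; i < qn; i++)
        if (tolower((unsigned char)query[i]) != tolower((unsigned char)answer[i]))
            return 0;
    return 1;
}

/* The naive comparison that fails for "kinit -4" style lookups: an exact
 * byte match, so the trailing dot alone makes every answer look foreign. */
int dns_name_equal_naive(const char *query, const char *answer)
{
    return strcmp(query, answer) == 0;
}

/* Constructed sample: owner names as a resolver might hand them back. */
static const char *const sample_answers[] = {
    "KDC1.EXAMPLE.COM",
    "kdc2.example.com",
    NULL
};

/* Index of the first answer matching the query under the given comparison,
 * or -1 when nothing matches (the "failing to find the KDCs" outcome). */
int find_matching_answer(const char *query, const char *const answers[],
                         int (*eq)(const char *, const char *))
{
    for (int i = 0; answers[i] != NULL; i++)
        if (eq(query, answers[i]))
            return i;
    return -1;
}

int main(void)
{
    const char *query = "kdc1.example.com.";   /* absolute name, trailing dot */
    printf("naive compare: answer index %d\n",
           find_matching_answer(query, sample_answers, dns_name_equal_naive));
    printf("DNS compare:   answer index %d\n",
           find_matching_answer(query, sample_answers, dns_name_equal));
    return 0;
}
```

The same normalization belongs on both sides of any name check that gates a security decision (here, which hosts are accepted as KDCs): comparing a canonical form avoids both the false negative this release fixes and the mirror-image mistake of accepting a name only because an unnormalized string happened to coincide.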

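The Leash32 change above alters what an unadorned number in ticket_lifetime or renew_lifetime means: the old leash code read it as a count of minutes, while the krb5 deltat syntax that krb5_string_to_deltat() implements reads a bare number as seconds and otherwise expects unit suffixes ("10h", "7d 2h") or an hours:minutes[:seconds] form.  The C below is an added, simplified parser written for this page to make that difference concrete; it is not the library's krb5_string_to_deltat() and does not reproduce its full grammar.  parse_deltat() and parse_legacy_minutes() are names chosen for the example, and the profile values in main() are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified duration parser modelled on the krb5 deltat syntax (an
 * illustration for this page, not the library's krb5_string_to_deltat()).
 * Accepted forms:
 *   "600"              bare number: seconds
 *   "10h", "7d 2h 30m" unit suffixes d/h/m/s, several parts allowed
 *   "1:30", "1:30:00"  hours:minutes[:seconds]
 * Returns the duration in seconds, or -1 if the string is malformed. */
long parse_deltat(const char *s)
{
    long total = 0;
    int saw_number = 0;
    const char *p = s;

    while (*p) {
        while (isspace((unsigned char)*p))
            p++;
        if (!*p)
            break;
        if (!isdigit((unsigned char)*p))
            return -1;

        char *end;
        long n = strtol(p, &end, 10);
        p = end;
        saw_number = 1;

        if (*p == ':') {                      /* h:m[:s] form; n is hours */
            long m, sec = 0;
            p++;
            if (!isdigit((unsigned char)*p))
                return -1;
            m = strtol(p, &end, 10);
            p = end;
            if (*p == ':') {
                p++;
                if (!isdigit((unsigned char)*p))
                    return -1;
                sec = strtol(p, &end, 10);
                p = end;
            }
            if (m > 59 || sec > 59)
                return -1;
            total += n * 3600 + m * 60 + sec;
            continue;
        }

        switch (*p) {
        case 'd': total += n * 86400; p++; break;
        case 'h': total += n * 3600;  p++; break;
        case 'm': total += n * 60;    p++; break;
        case 's': total += n;         p++; break;
        default:
            /* No unit: a bare count of seconds, which must end the string. */
            while (isspace((unsigned char)*p))
                p++;
            if (*p)
                return -1;
            total += n;
            break;
        }
    }
    return saw_number ? total : -1;
}

/* The pre-3.2 leash behaviour described in the announcement: the profile
 * value is a bare integer count of minutes, and any unit suffix is an error.
 * Returns seconds, or -1 if the string is not a plain integer. */
long parse_legacy_minutes(const char *s)
{
    char *end;
    long n = strtol(s, &end, 10);
    if (end == s || *end != '\0')
        return -1;
    return n * 60;
}

int main(void)
{
    /* Constructed profile values showing how the two readings diverge. */
    const char *values[] = { "600", "10h", "7d 2h 30m", "1:30:00", "10x" };
    for (size_t i = 0; i < sizeof values / sizeof values[0]; i++)
        printf("%-10s legacy(minutes)=%6ld  deltat(seconds)=%7ld\n",
               values[i], parse_legacy_minutes(values[i]), parse_deltat(values[i]));
    return 0;
}
```

The practical consequence for a site upgrading: a profile that carried ticket_lifetime = 600 to mean ten hours under the old leash code yields ten minutes once the value is read as deltat, which surfaces as tickets expiring far sooner than before rather than as a parse error.  Writing lifetimes with an explicit unit ("10h") records the intent unambiguously for the new parser.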


Supported Versions of Microsoft Windows
=======================================

This release requires 32-bit editions of Microsoft Windows 2000 and higher or the WOW64 environment of 64-bit editions of Microsoft Windows XP and higher.


Microsoft Vista User Account Control (UAC)
==========================================

Microsoft Vista UAC mode prevents accounts that are members of the local Administrators group from accessing Kerberos session keys from the LSA credentials cache.  The MIT Kerberos MSLSA krb5_ccache type will not report the existence of Kerberos tickets which do not have valid session keys.

Users are encouraged to log in to Microsoft Vista with accounts that are not members of the local machine Administrators group in order to obtain the best single sign-on experience with MIT Kerberos for Windows and Network Identity Manager.


Downloads
=========

Binaries and source code can be downloaded from the MIT Kerberos web site:
   http://web.mit.edu/kerberos/dist/index.html


Acknowledgments
===============

Thanks to Stanford University for funding Secure Endpoints Inc.'s implementation of many of the Network Identity Manager user experience improvements, including the user configurable default action, the revised "Obtain New Credentials" dialog, the new default application view, and the improved alert management.

Secure Endpoints Inc. wishes to acknowledge the work of Asanka Herath on Network Identity Manager (NIM).  NIM would not be the same without him.  For information on Secure Endpoints Inc.'s future plans for NIM please see

  http://www.secure-endpoints.com/netidmgr/roadmap.html



Important notice regarding Kerberos 4 support
=============================================

In the past few years, several developments have shown the inadequacy of the security of version 4 of the Kerberos protocol.  These developments have led the MIT Kerberos Team to begin the process of ending support for version 4 of the Kerberos protocol.  The plan involves the eventual removal of Kerberos 4 support from the MIT implementation of Kerberos.

The Data Encryption Standard (DES) has reached the end of its useful life.  DES is the only encryption algorithm supported by Kerberos 4, and the increasingly obvious inadequacy of DES motivates the retirement of the Kerberos 4 protocol.  The National Institute of Standards and Technology (NIST), which had previously certified DES as a US government encryption standard, has officially announced[1] the withdrawal of the Federal Information Processing Standards (FIPS) for DES.

NIST's action reflects the long-held opinion of the cryptographic community that DES has too small a key space to be secure.  Breaking DES encryption by an exhaustive search of its key space is within the means of some individuals, many companies, and all major governments.  Consequently, DES cannot be considered secure for any long-term keys, particularly the ticket-granting key that is central to Kerberos.

Serious protocol flaws[2] have been found in Kerberos 4.  These flaws permit attacks which require far less effort than an exhaustive search of the DES key space.  These flaws make Kerberos 4 cross-realm authentication an unacceptable security risk and raise serious questions about the security of the entire Kerberos 4 protocol.

The known insecurity of DES, combined with the recently discovered protocol flaws, makes it extremely inadvisable to rely on the security of version 4 of the Kerberos protocol.  These factors motivate the MIT Kerberos Team to remove support for Kerberos version 4 from the MIT implementation of Kerberos.

The process of ending Kerberos 4 support began with release 1.3 of MIT Kerberos 5.  In release 1.3, the default run-time configuration of the KDC disables support for version 4 of the Kerberos protocol.  Release 1.4 of MIT Kerberos continues to include Kerberos 4 support (also disabled in the KDC with the default run-time configuration), but we intend to completely remove Kerberos 4 support from some future release of MIT Kerberos.

The MIT Kerberos Team has ended active development of Kerberos 4, except for the eventual removal of all Kerberos 4 functionality.  We will continue to provide critical security fixes for Kerberos 4, but routine bug fixes and feature enhancements are at an end.

We recommend that any sites which have not already done so begin a migration to Kerberos 5.  Kerberos 5 provides significant advantages over Kerberos 4, including support for strong encryption, extensibility, improved cross-vendor interoperability, and ongoing development and enhancement.

If you have questions or issues regarding migration to Kerberos 5, we recommend discussing them on the kerberos@mit.edu mailing list.

                               References

[1] National Institute of Standards and Technology.  Announcing Approval of the Withdrawal of Federal Information Processing Standard (FIPS) 43-3, Data Encryption Standard (DES); FIPS 74, Guidelines for Implementing and Using the NBS Data Encryption Standard; and FIPS 81, DES Modes of Operation.  Federal Register 05-9945, 70 FR 28907-28908, 19 May 2005.  DOCID:fr19my05-45

[2] Tom Yu, Sam Hartman, and Ken Raeburn.  The Perils of Unauthenticated Encryption: Kerberos Version 4.  In Proceedings of the Network and Distributed Systems Security Symposium.  The Internet Society, February 2004.  http://web.mit.edu/tlyu/papers/krb4peril-ndss04.pdf
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (SunOS)

iQCVAwUBRh1L3abDgE/zdoE9AQI2FAP/QbBEqlUkliDO5UvKzxDJCeti6lWLqKYe
55HiUijs8UD2egkI42MqwN/YISgwDbrw1QVPg8PdqnNEHNrAHs9dir8Fbhg6nLAj
TQTjQFIKUxQu43u8E0xkbWYukG5hlzSOZORPVXWOjZeurZC1mibxNaRWiu5hfZdS
reg8ECwVHzs=
=jGyx
-----END PGP SIGNATURE-----

_______________________________________________
kerberos-announce mailing list
kerberos-announce@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos-announce
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
