From owner-freebsd-security@FreeBSD.ORG Sun Jun 6 10:40:12 2010
From: "Simon L. Nielsen"
Date: Sun, 6 Jun 2010 12:40:10 +0200
To: freebsd-security@FreeBSD.org
Subject: FreeBSD OpenSSL and CVE-2010-0742

Hey,

Just FYI for anybody who might need it. FreeBSD isn't affected by the
latest OpenSSL security issues. The issue with the name CVE-2010-1633
isn't relevant as FreeBSD does not yet have OpenSSL 1.0 imported. For
CVE-2010-0742 the affected 'CMS' module is not enabled in FreeBSD.

References:
http://www.openssl.org/news/secadv_20100601.txt
http://svn.freebsd.org/viewvc/base/stable/8/secure/lib/libcrypto/Makefile?annotate=196045#l329

-- 
Simon L. Nielsen
Hat: OpenSSL maintainer
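An added verification check, not part of Simon's message or of FreeBSD's own build files: the functions below decide from an OpenSSL command list and an opensslconf.h whether the CMS module that CVE-2010-0742 concerns is compiled in, first on constructed sample inputs and then on whatever openssl is on PATH. The opensslconf.h locations and the use of 'openssl list-standard-commands' (0.9.8/1.0.x) or 'openssl list -commands' (1.1+) are assumptions, not something the message states.

```shell
#!/bin/sh
# Added example, not from the list post: tell whether an OpenSSL build
# carries the CMS module. Two signals are used:
#   1. the subcommand list printed by 'openssl list-standard-commands'
#      (0.9.8/1.0.x; 'openssl list -commands' on 1.1+) names 'cms' only
#      when the module is compiled in;
#   2. opensslconf.h defines OPENSSL_NO_CMS when it was configured out.
# Needs only POSIX sh, grep and tr.

# cms_in_command_list LIST -> exit 0 when 'cms' appears as a whole word
cms_in_command_list() {
    printf '%s\n' "$1" | tr -s ' \t' '\n\n' | grep -qx 'cms'
}

# conf_disables_cms CONF_TEXT -> exit 0 when OPENSSL_NO_CMS is defined
# (matches both '#define X' and the '# define X' form opensslconf.h uses)
conf_disables_cms() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+OPENSSL_NO_CMS([[:space:]]|$)'
}

# cms_status LIST CONF_TEXT -> prints "enabled", "disabled" or "conflict".
# "conflict" means the header says no CMS but the binary still offers
# the 'cms' subcommand: headers and library are out of step, so neither
# signal should be trusted on its own. An empty CONF_TEXT means the
# header was not checked and the command list alone decides.
cms_status() {
    list_has=1
    conf_no=1
    cms_in_command_list "$1" && list_has=0
    conf_disables_cms "$2" && conf_no=0
    if [ "$list_has" -eq 0 ] && [ "$conf_no" -eq 0 ]; then
        echo conflict
    elif [ "$list_has" -eq 0 ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Constructed samples (not captured from a FreeBSD box): two command
# lists with and without the module, and the opensslconf.h block a
# no-cms configuration produces.
SAMPLE_LIST_WITH_CMS='asn1parse ca ciphers cms crl crl2pkcs7 dgst dhparam'
SAMPLE_LIST_NO_CMS='asn1parse ca ciphers crl crl2pkcs7 dgst dhparam'
SAMPLE_CONF_NO_CMS='#ifndef OPENSSL_NO_CMS
# define OPENSSL_NO_CMS
#endif'

# live_cms_status -> verdict for the openssl on PATH, or "unknown"
live_cms_status() {
    command -v openssl >/dev/null 2>&1 || { echo unknown; return 0; }
    list=$(openssl list-standard-commands 2>/dev/null ||
           openssl list -commands 2>/dev/null || true)
    conf=''
    # Assumed header locations: base system first, then the ports prefix.
    for h in /usr/include/openssl/opensslconf.h \
             /usr/local/include/openssl/opensslconf.h; do
        if [ -r "$h" ]; then
            conf=$(cat "$h")
            break
        fi
    done
    cms_status "$list" "$conf"
}

echo "sample with cms:    $(cms_status "$SAMPLE_LIST_WITH_CMS" '')"
echo "sample without cms: $(cms_status "$SAMPLE_LIST_NO_CMS" '')"
echo "sample mismatch:    $(cms_status "$SAMPLE_LIST_WITH_CMS" "$SAMPLE_CONF_NO_CMS")"
echo "this host:          $(live_cms_status)"
```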
From owner-freebsd-security@FreeBSD.ORG Sun Jun 6 17:10:10 2010
From: "b. f."
Date: Sun, 6 Jun 2010 16:41:59 +0000
To: freebsd-current@freebsd.org, freebsd-security@freebsd.org
Reply-To: bf1783@gmail.com
Subject: Our aging base system heimdal

Is anybody planning to update the base system heimdal, which has been
largely untouched since May 2008? In addition to the many other bug-fixes
and improvements in the current version 1.3.3 (see, for example:
http://www.h5l.org/releases.html ), there are patches for heimdal
vulnerabilities 2010-05-27 and 2010-03-21 (CVE-2010-1321), which are
described at: http://www.h5l.org/advisories.html

Others have mentioned that they have problems using our base system
heimdal -- problems that cannot be easily circumvented by rebuilding
WITHOUT_KERBEROS, and using security/krb5 (security/heimdal is badly
outdated), because this leaves various dependent base system utilities
behind, if they are not modified.

Regards,
b.

From owner-freebsd-security@FreeBSD.ORG Sun Jun 6 19:05:04 2010
From: Garrett Wollman
Date: Sun, 6 Jun 2010 15:05:02 -0400
To: bf1783@gmail.com
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject: Our aging base system heimdal

< said:
> Is anybody planning to update the base system heimdal, which has been
> largely untouched since May 2008?

I would love for it to go away entirely, and those base-system
components that depend on it to learn how to use either Kerberos
implementation from ports. (I'd also love for the ancient and broken
base version of libcom_err to go away -- there's no knob to turn it
off, and the shared library conflicts with ports/krb5.)

(And yes, this is a bit of an irony considering that I used to be the
maintainer of the base-system Kerberos code in the long-ago krb4
days. But my job requires me to administer MIT Kerberos, so I need
the MIT kadmin utility and not the Heimdal one.)

-GAWollman

From owner-freebsd-security@FreeBSD.ORG Sun Jun 6 19:32:41 2010
From: Lyndon Nerenberg
Date: Sun, 6 Jun 2010 12:32:33 -0700 (PDT)
To: Garrett Wollman
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject: Re: Our aging base system krb5 [heimdal]

> (And yes, this is a bit of an irony considering that I used to be the
> maintainer of the base-system Kerberos code in the long-ago krb4
> days. But my job requires me to administer MIT Kerberos, so I need
> the MIT kadmin utility and not the Heimdal one.)

Aren't the reasons for the Heimdal distribution moot these days?

Beyond that, Free is one of the few UNIXen I cannot talk to (or from!)
using Kerberos for things like SSH, rlogin, rdist, etc. We're woefully
behind Solaris, Linux, even Windows, when it comes to integrated
GSSAPI/K5 SSO authentication.

--lyndon

From owner-freebsd-security@FreeBSD.ORG Sun Jun 6 19:36:01 2010
From: Doug Barton
Date: Sun, 06 Jun 2010 12:35:59 -0700
To: Lyndon Nerenberg
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org, Garrett Wollman
Subject: Re: Our aging base system krb5 [heimdal]

On 06/06/10 12:32, Lyndon Nerenberg wrote:
> Beyond that, Free is one of the few UNIXen I cannot talk to (or from!)
> using Kerberos for things like SSH, rlogin, rdist, etc. We're woefully
> behind Solaris, Linux, even Windows, when it comes to integrated
> GSSAPI/K5 SSO authentication.

... and it's not going to get any better till someone steps up and
volunteers to improve it. Can we count on you?

Doug

-- 
... and that's just a little bit of history repeating.
    -- Propellerheads

Improve the effectiveness of your Internet presence with
a domain name makeover!    http://SupersetSolutions.com/

From owner-freebsd-security@FreeBSD.ORG Sun Jun 6 19:46:14 2010
From: Lyndon Nerenberg
Date: Sun, 6 Jun 2010 12:46:07 -0700 (PDT)
To: Doug Barton
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org, Garrett Wollman
Subject: Re: Our aging base system krb5 [heimdal]

> ... and it's not going to get any better till someone steps up and
> volunteers to improve it. Can we count on you?

I've brought this up at least three times over the past 10(+?) years,
and been blown off every time. So yes, I'm volunteering, again.

Can I count on you?

--lyndon

From owner-freebsd-security@FreeBSD.ORG Sun Jun 6 19:49:01 2010
From: Doug Barton
Date: Sun, 06 Jun 2010 12:48:59 -0700
To: Lyndon Nerenberg
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org, Garrett Wollman
Subject: Re: Our aging base system krb5 [heimdal]

On 06/06/10 12:46, Lyndon Nerenberg wrote:
>> ... and it's not going to get any better till someone steps up and
>> volunteers to improve it. Can we count on you?
>
> I've brought this up at least three times over the past 10(+?) years,
> and been blown off every time. So yes, I'm volunteering, again.

Great! I'm assuming that this list is the best one to send your patches
to. You might want to discuss the general direction you'd like to take
the code first so that people can have a chance to raise any red flags
before you invest a lot of time in it.

Doug

From owner-freebsd-security@FreeBSD.ORG Sun Jun 6 20:15:37 2010
From: "b. f."
Date: Sun, 6 Jun 2010 20:15:33 +0000
To: Doug Barton
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org, Lyndon Nerenberg, Garrett Wollman
Reply-To: bf1783@gmail.com
Subject: Re: Our aging base system krb5 [heimdal]

> I would love for it to go away entirely, and those base-system
> components that depend on it to learn how to use either Kerberos
> implementation from ports. (I'd also love for the ancient and broken
> base version of libcom_err to go away -- there's no knob to turn it
> off, and the shared library conflicts with ports/krb5.)

I think that would please a lot of people -- but is the project still
committed to having a Kerberos implementation as one of a few important
applications in the base system, so that users don't have to rely upon
ports? Would relegating it to ports mean that Kerberos would be disabled
by default in base system utilities, so that the base system is
self-hosting? What incompatibilities exist between the latest versions
of the MIT Kerberos and Heimdal implementations? How does des@ feel
about it, since libpam and openssh may have to be altered?

b.

From owner-freebsd-security@FreeBSD.ORG Sun Jun 6 20:33:18 2010
From: Jos Backus
Date: Sun, 6 Jun 2010 13:09:11 -0700
To: Garrett Wollman
Cc: bf1783@gmail.com, freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject: Re: Our aging base system heimdal

Any chance the kadmin protocol will ever be standardized?

Jos

On Jun 6, 2010 12:28 PM, "Garrett Wollman" wrote:
> < said:
> > Is anybody planning to...
>
> I would love for it to go away entirely, and those base-system
> components that depend on it to learn how to use either Kerberos
> implementation from ports. (I'd also love for the ancient and broken
> base version of libcom_err to go away -- there's no knob to turn it
> off, and the shared library conflicts with ports/krb5.)
>
> (And yes, this is a bit of an irony considering that I used to be the
> maintainer of the base-system Kerberos code in the long-ago krb4
> days. But my job requires me to administer MIT Kerberos, so I need
> the MIT kadmin utility and not the Heimdal one.)
>
> -GAWollman

From owner-freebsd-security@FreeBSD.ORG Mon Jun 7 14:37:09 2010
From: Doug Rabson
Date: Mon, 7 Jun 2010 15:15:27 +0100
To: Jos Backus
Cc: bf1783@gmail.com, freebsd-security@freebsd.org, freebsd-current@freebsd.org, Garrett Wollman
Subject: Re: Our aging base system heimdal

On 6 June 2010 21:09, Jos Backus wrote:
> Any chance the kadmin protocol will ever be standardized?

My understanding is that the MIT kadmin protocol is based on GSS-API
authenticated RPC, which FreeBSD didn't support until recently. I added
working RPCSEC_GSS to our userland RPC library in 2008 and it should be
available in FreeBSD 8.x and later. In theory, if MIT actually document
their protocol, it should be reasonably straightforward to support it.
I doubt if I will be able to do the work either for this or for
upgrading heimdal.

From owner-freebsd-security@FreeBSD.ORG Mon Jun 7 18:42:23 2010
From: Jos Backus
Date: Mon, 7 Jun 2010 11:29:19 -0700
To: Doug Rabson
Cc: bf1783@gmail.com, freebsd-security@freebsd.org, freebsd-current@freebsd.org, Garrett Wollman
Reply-To: jos@catnook.com
Subject: Re: Our aging base system heimdal

On Mon, Jun 07, 2010 at 03:15:27PM +0100, Doug Rabson wrote:
> On 6 June 2010 21:09, Jos Backus wrote:
> > Any chance the kadmin protocol will ever be standardized?
>
> My understanding is that the MIT kadmin protocol is based on GSS-API
> authenticated RPC, which FreeBSD didn't support until recently. I added
> working RPCSEC_GSS to our userland RPC library in 2008 and it should be
> available in FreeBSD 8.x and later. In theory, if MIT actually document
> their protocol, it should be reasonably straightforward to support it.
> I doubt if I will be able to do the work either for this or for
> upgrading heimdal.

Thanks, Doug. It would be great if the Heimdal and MIT folks would
cooperate on this standardization/documentation effort, but perhaps
it's not seen as a priority.

-- 
Jos Backus
jos at catnook.com

From owner-freebsd-security@FreeBSD.ORG Mon Jun 7 19:43:07 2010
From: "David E. Thiel"
Date: Sun, 6 Jun 2010 16:59:57 -0700
To: freebsd-security@freebsd.org, freebsd-current@freebsd.org

On Sun, Jun 06, 2010 at 08:15:33PM +0000, b. f. wrote:
> What incompatibilities exist between the latest versions of the MIT
> Kerberos and Heimdal implementations? How does des@ feel about it,
> since libpam and openssh may have to be altered?

My experience is a few years old, but last time I tried working with
them together, I found the protocol used by kadmin was incompatible
between the two implementations.