1.62. krb5

1.62.1. RHBA-2011:0098: bug fix and enhancement update

Updated krb5 packages that fix several bugs and provide two new features are now available for Red Hat Enterprise Linux 5.
Kerberos is a network authentication system which allows clients and servers to authenticate each other with the help of a trusted third party, the Key Distribution Center (KDC).
This update addresses these issues:
* Servers which were not able to determine to which realm they belonged may have failed to accept authentication from clients. (BZ#450122)
* Log files were not rotated on KDCs. (BZ#462658)
* Replicated servers could not use master key stash files generated on a KDC of different endianness. (BZ#514741)
* Authentication to GSSAPI-enabled FTP servers could have failed if the server was known by multiple names and the client knew the server by a name other than the server's configured host name. (BZ#538075)
* Some applications that attempted to obtain initial credentials for a user could have crashed if the user's password had expired. (BZ#555875)
* The default kdc.conf configuration file did not list AES encryption types in the included example. (BZ#565941)
* When the credentials used to establish a GSSAPI context expired, communication using the context began to fail. (BZ#605367)
* The Kerberos-aware version of rshd unnecessarily failed if the name of the local user account being accessed was more than 16, but less than 32, characters long. (BZ#611713)
* The password expiration time recorded in a user entry in a realm database accessed using LDAP was always ignored if the user entry had an associated password policy. (BZ#627038)
This update also provides these features:
* A realm database can now be stored in an LDAP directory server. (BZ#514362)
* The k5login_authoritative setting can be used to adjust the logic of the commonly-used krb5_kuserok() function to allow access to a user account when the principal name can be mapped to the user's name, but the principal name is not explicitly listed in the user's .k5login file. (BZ#539423)
Users should upgrade to these updated packages, which resolve these issues and add these enhancements.
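
The k5login_authoritative behaviour described above, as an added Python model (not Red Hat's or MIT's code) that reports which principals gain access to which accounts once the setting is turned off. It assumes only the default principal-to-username mapping and skips the ownership and permission checks on .k5login; the realm, accounts and principals are constructed sample data.

```python
# Simplified model of the krb5_kuserok() decision described above.
# Assumptions (not taken from the krb5 source): only the default
# principal-to-username mapping is modelled, and the ownership and
# permission checks on .k5login are skipped.

DEFAULT_REALM = "EXAMPLE.COM"  # constructed sample realm


def maps_to_local_user(principal, local_user, default_realm=DEFAULT_REALM):
    """Default mapping: a one-component principal in the default realm
    maps to the local account with the same name."""
    name, _, realm = principal.rpartition("@")
    return realm == default_realm and "/" not in name and name == local_user


def kuserok(principal, local_user, k5login, k5login_authoritative=True):
    """k5login is the list of principals in the user's .k5login file,
    or None if the file does not exist."""
    if k5login is not None:
        if principal in k5login:
            return True           # explicitly listed
        if k5login_authoritative:
            return False          # file exists and is the only source
    return maps_to_local_user(principal, local_user)


def access_widened(accounts, principals):
    """(principal, account) pairs refused while .k5login is authoritative
    but accepted once k5login_authoritative is set to false."""
    return [(p, user)
            for user, k5login in sorted(accounts.items())
            for p in principals
            if not kuserok(p, user, k5login, True)
            and kuserok(p, user, k5login, False)]


# Constructed sample data: account name -> .k5login contents (None = no file)
ACCOUNTS = {
    "backup": ["ops/admin@EXAMPLE.COM"],
    "alice": ["alice@EXAMPLE.COM", "alice/admin@EXAMPLE.COM"],
    "bob": None,
}
PRINCIPALS = ["backup@EXAMPLE.COM", "alice@EXAMPLE.COM", "bob@EXAMPLE.COM",
              "backup@OTHER.EXAMPLE", "ops/admin@EXAMPLE.COM"]

if __name__ == "__main__":
    for principal, user in access_widened(ACCOUNTS, PRINCIPALS):
        print(f"{principal} gains access to {user}")
```

Accounts whose .k5login deliberately omits the account's own principal are the ones to review before changing the setting, since the name mapping then grants access that the file used to withhold.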

1.62.2. RHBA-2010:0560: bug fix update

Kerberos is a trusted-third-party authentication system which allows clients and servers to authenticate to each other using symmetric encryption and the trusted third party, the KDC.
The krb5-workstation package includes a utility, ksu, which can be used to grant privileged shell access to unprivileged users using Kerberos authentication. It can also be used to grant access to shells running as unprivileged users.
These updated packages resolve the following issues:
* ksu used to perform PAM account and session management for the target user after switching to the privileges of the target user. As a result, if that user did not have sufficient privileges, some modules which PAM could be configured to use would not function properly. This update performs PAM account and session management before assuming the privileges of the target user, fixing these bugs. (BZ#602967 and BZ#615261)
Users of krb5-workstation are advised to upgrade to these updated packages, which resolve these issues.