RHBA-2011:0098 - Bug Fix Advisory

Topic

Updated krb5 packages that fix several bugs and provide two new features are now
available for Red Hat Enterprise Linux 5.

Description

Kerberos is a network authentication system which allows clients and servers to
authenticate each other with the help of a trusted third party, the Key
Distribution Center (KDC).

This update addresses these issues:

• Servers which were not able to determine to which realm they belonged may have

failed to accept authentication from clients. (BZ#450122)

• Log files were not rotated on KDCs. (BZ#462658)
• Replicated servers could not use master key stash files generated on a KDC of

different endianness. (BZ#514741)

• Authentication to GSSAPI-enabled FTP servers could have failed if the server

was known by multiple names and the client knew the server by a name other than
the server's configured host name. (BZ#538075)

• Some applications that attempted to obtain initial credentials for a user

could have crashed if the user's password had expired. (BZ#555875)

• The default kdc.conf configuration file did not list AES encryption types in

the included example. (BZ#565941)

• When the credentials used to establish a GSSAPI context expired, communication

using the context began to fail. (BZ#605367)

• The Kerberos-aware version of rshd unnecessarily failed if the name of the

local user account being accessed was more than 16--but less than 32--characters
long. (BZ#611713)

• The password expiration time recorded in a user entry in a realm database

accessed using LDAP was always ignored if the user entry had an associated
password policy. (BZ#627038)

This update also provides these features:

• A realm database can now be stored in an LDAP directory server. (BZ#514362)
• The k5login_authoritative setting can be used to adjust the logic of the

commonly-used krb5_kuserok() function to allow access to a user account when the
principal name can be mapped to user's name, but the principal name is not
explicitly listed in the user's .k5login file. (BZ#539423)

Users should upgrade to these updated packages, which resolve these issues and
add these enhancements.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 5 x86_64
• Red Hat Enterprise Linux Server 5 ia64
• Red Hat Enterprise Linux Server 5 i386
• Red Hat Enterprise Linux Workstation 5 x86_64
• Red Hat Enterprise Linux Workstation 5 i386
• Red Hat Enterprise Linux Desktop 5 x86_64
• Red Hat Enterprise Linux Desktop 5 i386
• Red Hat Enterprise Linux for IBM z Systems 5 s390x
• Red Hat Enterprise Linux for Power, big endian 5 ppc
• Red Hat Enterprise Linux Server from RHUI 5 x86_64
• Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

• BZ - 450122 - kprop fails after upgrade from 5.1 to 5.2
• BZ - 462658 - Kerberos server log does not get rotated
• BZ - 514741 - Stash file architecture dependent, when creating slave KDC according to the bug #442879
• BZ - 538075 - Kerberos ticket authentication for ftp and ssh fails over interfaces that don't match the hostname of the server
• BZ - 539423 - pam_krb5 requires self principal to be listed in .k5login
• BZ - 555875 - SLAPD SEGFAULT IN KRB5_GET_INIT_CREDS_PASSWORD
• BZ - 569472 - gssftpd without option "-a" segfaults when using non-existant login
• BZ - 596887 - ksu with pam occasionally fails
• BZ - 605367 - Stop breaking GSS sealed connections at orioginal credentials expiration time
• BZ - 611713 - kshd: locuser too long for usernames >= 16 chars
• BZ - 627038 - Incorrect handling of password expiration

CVEs

(none)

References

(none)