David Maze wrote:
> That's exciting. Digging around, I also have a kinit (and klist, but > not kdestroy) alternative, but /usr/bin/kinit from krb5-user. Using > Blackdown j2se1.4 mirrored from metalab.unc.edu. I don't actually > know how dpkg reacts if one package thinks something is an alternative > and another doesn't; my suspicion is that, since I installed Kerberos > before Java, the real Kerberos won, but I don't actually know. This could be a package mangagement bug, because neiher krb5-user, j2sdk1.4 from Blackdown or Fonseca's j2sdk tells the story of what it overwrites during installation. One does a file, the other a link etc. I've checked some combinations of installing one first and another after. Installing krb5-user last produces the expected result I think. > > The problem seems to be caused by the thing I did yesterday. > > For the first time ever, I installed an unofficial deb, the j2sdk1.4 > > compiled with gcc-3.2, downloaded from jrfonseca.dyndns.org/debian. > > ...but maybe not. True, these files are also in the "official" blackdown packages as you found. > Right, that makes sense. In the ancient days, you asked the KDC for a > TGT, and it handed you back a TGT encrypted in your password; kinit > then took the password you typed in, tried to decrypt it, and if you > succeeded, you were done. But this enabled an attack where you asked > for a TGT, got back something encrypted, knew more-or-less what the > result should look like, and could do an offline dictionary attack. > So now there's an encrypted exchange where you give your password to > the KDC, it checks that the password is correct, and *then* gives you > the encrypted TGT; the "validate password first" step is the > pre-authentication. Aha -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
