Re: Upcoming KfW 3.x ??

2010-01-07 Thread Jeff Blaine
> MIT KFW 3.2.3 Alpha (which I can no longer find on the MIT web site) roughly
> equates to the distribution Secure Endpoints has been shipping to its
> clients.

FWIW

http://web.mit.edu/kerberos/dist/testing.html#kfw-3.2.3

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Disabling .k5login

2010-01-07 Thread Aleksandr Levchuk
Dear Kerberos Support,

The .k5login file in one's home directory gives user A the ability to let
other users (say user B) log in to the system as user A.

This could be a nice feature because users can give others
access to their account without sharing their password.

Also, ~~who logs-in as who~~ is reflected in krb5kdc.log, like this:
Jan  7 16:16:23 hostname sshd[12143]: Authorized to usera, krb5
principal us...@realm.smthng.edu (krb5_kuserok)



I recently had a funny situation where an old user was trying to help
a new user by doing something like:
  olduser$  scp ~/.* newu...@host:

To share all the dot files.

But effectively locked-out the new user because the new user's line
got kicked out of .k5login



Is there a way to re-configure MIT Kerberos to disable the .k5login feature?

Alex

-- 
---
Aleksandr Levchuk
Homepage: http://biocluster.ucr.edu/~alevchuk/
Cell Phone: (951) 368-0004

Bioinformatic Systems and Databases
Lab Phone: (951) 905-5232

Institute for Integrative Genome Biology
University of California, Riverside
---
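
The lockout described in the message above can be caught by auditing home directories for `.k5login` files that omit their owner's principal or list other principals. The following is an added example, not part of the original post; the realm `EXAMPLE.EDU`, the user names, and the rule that a home directory's name is the username are assumptions.

```python
"""Audit .k5login files under a home-directory tree (added example)."""
import stat
import tempfile
from pathlib import Path

REALM = "EXAMPLE.EDU"  # assumption: the site's default realm (constructed)


def parse_k5login(text):
    """Return the principals in a .k5login body: one per non-blank line."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def audit_home(home, user, realm=REALM):
    """Classify one account by the contents of its .k5login.

    Without the file, the default mapping applies (user@REALM only).  Once
    the file exists, only the principals listed in it are accepted, so a
    copy that omits the owner's own principal locks the owner out.
    """
    path = Path(home) / ".k5login"
    owner = f"{user}@{realm}"
    result = {"user": user, "status": "default", "foreign": [], "loose_mode": False}
    if not path.is_file():
        return result
    principals = parse_k5login(path.read_text())
    result["foreign"] = [p for p in principals if p != owner]
    # Audit policy (assumption): nobody but the owner should be able to write it.
    result["loose_mode"] = bool(path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH))
    if owner not in principals:
        result["status"] = "owner-locked-out"
    elif result["foreign"]:
        result["status"] = "delegated"
    else:
        result["status"] = "owner-only"
    return result


def audit_tree(home_root, realm=REALM):
    """Audit each directory under home_root; directory name = username (assumption)."""
    homes = sorted(d for d in Path(home_root).iterdir() if d.is_dir())
    return {d.name: audit_home(d, d.name, realm) for d in homes}


def demo():
    """Build a constructed tree that reproduces the scp mishap, then audit it."""
    shared = "olduser@EXAMPLE.EDU\nhelper@EXAMPLE.EDU\n"
    files = {
        "olduser": shared,   # owner listed, plus one delegate
        "newuser": shared,   # olduser's copy, as left behind by `scp ~/.*`
        "plainuser": None,   # no .k5login at all
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in files.items():
            home = Path(root) / name
            home.mkdir()
            if body is not None:
                k5login = home / ".k5login"
                k5login.write_text(body)
                k5login.chmod(0o600)
        return audit_tree(root)


if __name__ == "__main__":
    for user, finding in demo().items():
        print(user, finding["status"], finding["foreign"])
```

Accounts reported as `owner-locked-out` match the situation in the post; `delegated` accounts are the ones where someone other than the owner can log in.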



Re: openssh + kerberos + windows ad

2010-01-07 Thread Christopher D. Clausen
Marcello Mezzanotti  wrote:
> On Wed, Jan 6, 2010 at 12:30 PM, Bob Rasmussen  wrote:

>> 1) What version(s) of PuTTY work in your environment? Did you try the
>> developer's build from the official PuTTY site?
>
> http://sweb.cz/v_t_m/putty/PuTTY-0.58-GSSAPI-2005-07-24.zip
>
> i tested another clients that worked too, but this is the only one
> that i got tickets (klist on linux). i didnt have time to test other
> krb5.conf options.

Note that when using SSPI credentials, you generally will NOT get 
"delegated" tickets on the remote system due to AD's security model. 
You need to mess around with "trusted for delegation" settings on the AD 
computer account in question to enable credential delegation when using 
SSPI and not KfW.

If you copy tickets from SSPI to KfW (using ms2mit.exe or similar) then 
this problem goes away.

Additionally, SSPI doesn't handle realm trusts the same way that KfW 
does.  Sometimes SSPI is better (mainly for trusts between Windows 
realms) and sometimes the KfW behaviour is better (in my case for trusts 
from AD to non-AD realms.)

The trick is to know what programs use which API and properly configure 
it the way you need it to work.

-

I'll also again mention this version of putty:
http://matthew.loar.name/software/putty/



Re: KfW 64bit plus 32bit apps

2010-01-07 Thread Jeffrey Altman
On 1/7/2010 3:17 PM, Nikolay Shopik wrote:
> Hello,
>
> Does 64bit version of KfW work with 32bit version app? Because for me 
> looks like 64bit version doesn't work with 32bit apps.
KFW 64-bit is for 64-bit applications.   For 32-bit (WOW64) applications
you install the 32-bit KFW on the 64-bit Windows machine.
Both the 32-bit and 64-bit KFW libraries will share a single credentials
cache server.

Jeffrey Altman





Re: KfW 64bit plus 32bit apps

2010-01-07 Thread Christopher D. Clausen
Nikolay Shopik  wrote:
> Hello,
>
> Does 64bit version of KfW work with 32bit version app? Because for me
> looks like 64bit version doesn't work with 32bit apps.

No.  Just install both the 32-bit and 64-bit versions to support both 
32-bit and 64-bit apps.

And last I tried it, the order they were installed mattered as one 
version would uninstall the other, but I don't remember which was which.



KfW 64bit plus 32bit apps

2010-01-07 Thread Nikolay Shopik
Hello,

Does 64bit version of KfW work with 32bit version app? Because for me 
looks like 64bit version doesn't work with 32bit apps.




Re: Upcoming KfW 3.x ??

2010-01-07 Thread Jeffrey Altman
On 1/7/2010 2:38 PM, Jeff Blaine wrote:
>>> I'd love to be a tester, but unfortunately I need to run the
>>> version our users have in order to troubleshoot things.
>> Without being a tester, you won't be able to ensure that the next
>> release works
>> the way you want it to in your environment.   Unless you are providing
>> funding or
>> some in-kind assistance in the development, why should I spend my time
>> answering
>> your e-mails when you have trouble?
>
> I guess you shouldn't (?)
>
> Perhaps you could explain Secure Endpoints' role in KFW
> development?  Last I heard from a link on your website,
> MIT was hiring a full-time developer for KFW.  Did that
> not happen?

Secure Endpoints does not have a role with regards to MIT's distribution
at the present time.  We support a private distribution of KFW for our
support
customers that has provided 64-bit and Vista/2008 (and now Win7/2008-R2)
support
for some time.   Patches that we have implemented have been given to
MIT.  However,
we are not involved in their release process. 

MIT KFW 3.2.3 Alpha (which I can no longer find on the MIT web site) roughly
equates to the distribution Secure Endpoints has been shipping to its
clients.

> If I install NIMv2 and report in detail on what I find in
> our environment, does that give me credits to use?
It would be a start.  Thank you for the beer money as well.

>>> Another aside, what release will have krb4 cred obtaining
>>> disabled by default?
>>
>> Any release you want.  As I have said before, you can use a transform to
>> configure
>> the MSI installer to disable Kerberos v4.   You can do this today
>
> I am asking when the decision might be made to turn it off by
> default in the master distribution, of course.  I already saw
> and read your previous response.

64-bit distributions of MIT KFW do not include Kerberos v4 at all.   At
this point if I were
to issue a significant update (for example a bundle of Network Identity
Manager v2 and
Kerberos v5 1.8) I would leave it out on 32-bit platforms as well.  
Kerberos v4 support
should continue to be available as a separate distribution for those
sites that require it.
However, to my knowledge neither MIT Kerberos 1.7 nor the 1.8 which was
announced
today builds on Windows. 

The annual cost of developing MIT Kerberos for Windows and Network
Identity Manager
is roughly $175,000.   The vast majority of the work that Secure
Endpoints has done on
NIM over the last two years has been unfunded.   I suspect the reason
that the MIT Kerberos
Consortium has not focused significant energy on the Windows platform is
because their
commercial board members (Microsoft, Red Hat, and Sun Microsystems) are
not interested
in financing the development of the MIT APIs on the Windows platform. 
Microsoft has a
strong interest in seeing applications use the Win32 API (SSPI) and the
Unix/Linux vendors
might interpret funding Windows development as counter to their interests.

I happen to believe that ensuring the viability of the GSS and MIT
Kerberos APIs on the
Windows platform is absolutely in the best interest of the Unix/Linux
vendors because
it ensures that application developers will take the cross platform
approach instead of
locking themselves onto the Windows platform by using the SSPI
exclusively.  Failure
to provide support for new functionality on the Windows platform makes
it much more
difficult to adopt that functionality on Unix/Linux.   Security solution
availability needs to be
ubiquitous.  Otherwise, the solutions cannot be deployed.

Jeffrey Altman





Re: Upcoming KfW 3.x ??

2010-01-07 Thread Jeff Blaine
>> I'd love to be a tester, but unfortunately I need to run the
>> version our users have in order to troubleshoot things.
> Without being a tester, you won't be able to ensure that the next
> release works
> the way you want it to in your environment.   Unless you are providing
> funding or
> some in-kind assistance in the development, why should I spend my time
> answering
> your e-mails when you have trouble?

I guess you shouldn't (?)

Perhaps you could explain Secure Endpoints' role in KFW
development?  Last I heard from a link on your website,
MIT was hiring a full-time developer for KFW.  Did that
not happen?

If I install NIMv2 and report in detail on what I find in
our environment, does that give me credits to use?

>> Aside, is there a reason for the 2-step credential obtaining
>> process where the account is 'checked' then one is given a
>> password text entry field?  It's clunky to interact with.
> In NIM v1.x the account's existence is verified before prompting for a
> password in
> order to protect against users that typo the username or realm and
> created an
> identity in the database that in fact does not exist.
>
> In NIM v2, identities are created by a wizard that walks the user
> through the
> configuration of all applicable credential providers.  After the
> identity is created
> the user simply selects one of the pre-configured ones instead of manually
> typing the username and realm each time.   This change is both to
> improve usability
> but also to permit NIM v2 to be used with X.509 and Keystore identities in
> addition to Kerberos v5.

Great.

>> Another aside, what release will have krb4 cred obtaining
>> disabled by default?
>
> Any release you want.  As I have said before, you can use a transform to
> configure
> the MSI installer to disable Kerberos v4.   You can do this today

I am asking when the decision might be made to turn it off by
default in the master distribution, of course.  I already saw
and read your previous response.



Re: Pending "gss_init_sec_context() failed: Unspecified GSS failure...."

2010-01-07 Thread Russ Allbery
Sylvain RICHET  writes:

> I really don't succeed to solve this error message !  Seems to be a GSS
> API ?  A communication problem between NegotiateAuth (plugged in
> Firefox) and the underlying GSS API library (libgssapi-krb5-2 ?) ?

> The authentication process succeeds (as configured in "mod_auth_kerb")
> but...

>   1) the NegotiateAuth log traces this error "gss_init_sec_context()
> failed: Unspecified GSS failure"

Which means that SPNEGO failed.

>   2) Using WireShark, i can't find any SPNEGO ticket in the data sent
> by Firefox to webserver after authentication

Which also supports that SPNEGO failed.

> -1217141024[b742e1c0]: gss_init_sec_context() failed: Unspecified GSS
> failure.  Minor code may provide more information
> SPNEGO cannot find mechanisms to negotiate

This implies to me that either the server didn't offer Kerberos GSSAPI as
an SPNEGO mechanism or the client browser didn't have the libraries
required to do Kerberos GSSAPI.

> [Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(1579): [client
> 192.168.100.237] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(1023): [client
> 192.168.100.237] Using WEB/kwebapp.beeware@beeware.org as server
> principal for password verification

The server didn't do GSSAPI -- it did Basic Auth authentication and then
verified the password with Kerberos.  If you're happy with that, nothing
need change, but you're not actually doing SPNEGO or Negotiate-Auth and
you're exposing the account password to the web server.

Your KDC log supports that this is what is happening and shows no service
principal request from the browser, which indicates that it never got far
enough in the Negotiate-Auth dialog to even attempt authentication.

-- 
Russ Allbery (r...@stanford.edu) 
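
The fallback diagnosed in the reply above (Basic Auth with Kerberos password verification instead of Negotiate) can be spotted in the Apache debug log by looking for successful `kerb_authenticate_user_krb5pwd` results with `authtype=Basic`. The following is an added example, not part of the original message; the sample log is constructed in the format the thread shows, with placeholder addresses, principals and a constructed failure line.

```python
"""Flag mod_auth_kerb password (Basic) logins in an Apache debug log (added example)."""
import re

# Constructed sample, wrapped across lines the way the thread's log excerpt is.
SAMPLE_LOG = """\
[Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(1579): [client
192.0.2.10] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(1023): [client
192.0.2.10] Using HTTP/www.example.org@EXAMPLE.ORG as server
principal for password verification
[Thu Jan 07 11:17:13 2010] [debug] src/mod_auth_kerb.c(1105): [client
192.0.2.10] kerb_authenticate_user_krb5pwd ret=0
user=alice@EXAMPLE.ORG authtype=Basic
[Thu Jan 07 11:17:13 2010] [debug] mod_deflate.c(615): [client
192.0.2.10] Zlib: Compressed 102 to 91 : URL /index.html
[Thu Jan 07 11:17:14 2010] [debug] src/mod_auth_kerb.c(1105): [client
192.0.2.10] kerb_authenticate_user_krb5pwd ret=0
user=alice@EXAMPLE.ORG authtype=Basic
[Thu Jan 07 11:17:20 2010] [debug] src/mod_auth_kerb.c(1105): [client
192.0.2.11] kerb_authenticate_user_krb5pwd ret=401
user=(NULL) authtype=Basic
"""

# A new record starts with an Apache timestamp such as "[Thu Jan 07 11:17:12 2010] ".
RECORD_START = re.compile(r"^\[\w{3} \w{3} [ \d]\d [\d:]{8} \d{4}\] ")
AUTH_RESULT = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[debug\] \S+: \[client (?P<client>[^\]]+)\] "
    r"kerb_authenticate_user_(?P<method>\w+) ret=(?P<ret>-?\d+) "
    r"user=(?P<user>\S+) authtype=(?P<authtype>\w+)"
)


def join_wrapped(text):
    """Re-join records that were wrapped onto continuation lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def basic_password_logins(text):
    """Return successful logins where the password was sent via Basic Auth."""
    hits = []
    for record in join_wrapped(text):
        m = AUTH_RESULT.match(record)
        if m and m["authtype"] == "Basic" and int(m["ret"]) == 0:
            hits.append({"time": m["ts"], "client": m["client"], "user": m["user"]})
    return hits


def exposed_accounts(text):
    """Count Basic-auth successes per principal (password seen by the web server)."""
    counts = {}
    for hit in basic_password_logins(text):
        counts[hit["user"]] = counts.get(hit["user"], 0) + 1
    return counts


if __name__ == "__main__":
    for user, n in exposed_accounts(SAMPLE_LOG).items():
        print(f"{user}: {n} password login(s) via Basic Auth")
```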



Re: Odd problem with Active Directory

2010-01-07 Thread RJT
On Dec 17 2009, 2:30 pm, Jeffrey Watts 
wrote:
> Thanks a lot Michael, that worked!
>
> I'm still not sure why some systems would get the aes256 encrypted answer
> and others not?  It seems very odd.  They have all the same versions of
> Samba and Kerberos, and I'm having a hard time figuring out why they'd be
> different.
>
> Also, is this an ideal solution going forward?  How much longer will ArcFour
> be supported?
>
> Jeffrey.
>
>
>
> On Thu, Dec 17, 2009 at 2:48 AM, Michael Calmer  wrote:
>
> > I think your problem is the aes256 enctype. Windows2008 supports this
> > enctype,
> > Windows2003 does not.
>
> > The keytab is created by samba and samba only writes the two "des" and the
> > "rc4-hmac" enctypes into the keytab.
>
> > kinit -k tells the Windows server that it supports aes256 and Windows2008
> > responds with an encrypted answer using this enctype. But kinit does not find
> > this key in your keytab and cannot decrypt the answer.
> > This would explain the error:
>
> >  kinit(v5): Key table entry not found while getting initial credentials
>
> > One solution would be to tell the Windows Server that your kerberos
> > installation does not support aes.
>
> > [libdefaults]
> >    ...
> >    default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> >    default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>
> > I hope this helps.
>
> --
>
> "He that would make his own liberty secure must guard even his enemy from
> oppression; for if he violates this duty he establishes a precedent that
> will reach to himself." -- Thomas Paine

So did you get this working by setting supported enctypes on the
client using
 msDS-SupportedEncryptionTypes?  Please give details.

i am troubled that setting enctypes in /etc/krb5.conf but then
/var/cache/samba/smb_krb5/krb5.conf.NBDOMAINAME
will have weaker enctypes.

For each user account in "Active Directory Users and Computers",
you can specify to allow DES in a dropdown checkbox list.  So i
do not understand why DES would be offered as an enctype if
that ~"allow des checkbox" is not enabled.  This DES checkbox
is not enabled by default on our mixed Win2000 / Win2003 domain,
but des_cbc_xxx shows up in the /var/cache/samba/smb_krb5/ conf.

Maybe it has something with different use scenarios as
in Machine Joins may accept DES but user level encryption does not?
The kdc may not accept DES Ticket Requests for user authentication but
may
accept DES for some other kerberos operation such as
a service request to print to the printer.

conspiracy theory scenario: i wonder if MS clients know
not to use DES so even when DES is listed as enctype,
the MS client knows not to use it.

The OP asked about a book.  i do not know of a book
but found an inexpensive workshop via irc #kerberos.
http://workshop.openafs.org/afsbpw10/registration.html







Pending "gss_init_sec_context() failed: Unspecified GSS failure...."

2010-01-07 Thread Sylvain RICHET
I really don't succeed to solve this error message !
Seems to be a GSS API ?
A communication problem between NegotiateAuth (plugged in Firefox)
and the underlying GSS API library (libgssapi-krb5-2 ?) ?


The authentication process succeeds (as configured in "mod_auth_kerb")
but...

1) the NegotiateAuth log traces this error "gss_init_sec_context()
failed: Unspecified GSS failure"
2) Using WireShark, i can't find any SPNEGO ticket in the data sent
by Firefox to webserver after authentication


I browse a lot, and found many posts relative to gss_init_sec_context
() and the error msg.
But it didn't help me: given workarounds don't match my problem.


# ON BROWSER SIDE
-

> tail -f /tmp/negotiateauth.log

-1217141024[b742e1c0]:   service = kwebapp.beeware.org
-1217141024[b742e1c0]:   using negotiate-gss
-1217141024[b742e1c0]: entering nsAuthGSSAPI::nsAuthGSSAPI()
-1217141024[b742e1c0]: Attempting to load gss functions
-1217141024[b742e1c0]: entering nsAuthGSSAPI::Init()
-1217141024[b742e1c0]: nsHttpNegotiateAuth::GenerateCredentials()
[challenge=Negotiate]
-1217141024[b742e1c0]: entering nsAuthGSSAPI::GetNextToken()
-1217141024[b742e1c0]: gss_init_sec_context() failed: Unspecified GSS
failure.  Minor code may provide more information
SPNEGO cannot find mechanisms to negotiate
-1217141024[b742e1c0]:   leaving nsAuthGSSAPI::GetNextToken
[rv=80004005]

==>
==> As you can see, the problem is : "gss_init_sec_context() failed:
Unspecified GSS failure"
==>



# ON APACHE SIDE
-

> tail -f /var/log/apache2/error.log

[Thu Jan 07 11:17:05 2010] [debug] src/mod_auth_kerb.c(1579): [client
192.168.100.237] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Thu Jan 07 11:17:05 2010] [debug] mod_deflate.c(615): [client
192.168.100.237] Zlib: Compressed 486 to 328 : URL /
[Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(1579): [client
192.168.100.237] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(1023): [client
192.168.100.237] Using WEB/kwebapp.beeware@beeware.org as server
principal for password verification
[Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(691): [client
192.168.100.237] Trying to get TGT for user sric...@beeware.org
[Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(605): [client
192.168.100.237] Trying to verify authenticity of KDC using principal
WEB/kwebapp.beeware@beeware.org
[Thu Jan 07 11:17:13 2010] [debug] src/mod_auth_kerb.c(1105): [client
192.168.100.237] kerb_authenticate_user_krb5pwd ret=0
user=sric...@beeware.org authtype=Basic
[Thu Jan 07 11:17:13 2010] [debug] src/mod_auth_kerb.c(1579): [client
192.168.100.237] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Thu Jan 07 11:17:13 2010] [debug] src/mod_auth_kerb.c(1023): [client
192.168.100.237] Using WEB/kwebapp.beeware@beeware.org as server
principal for password verification
[Thu Jan 07 11:17:13 2010] [debug] src/mod_auth_kerb.c(691): [client
192.168.100.237] Trying to get TGT for user sric...@beeware.org
[Thu Jan 07 11:17:13 2010] [debug] src/mod_auth_kerb.c(605): [client
192.168.100.237] Trying to verify authenticity of KDC using principal
WEB/kwebapp.beeware@beeware.org
[Thu Jan 07 11:17:13 2010] [debug] src/mod_auth_kerb.c(1105): [client
192.168.100.237] kerb_authenticate_user_krb5pwd ret=0
user=sric...@beeware.org authtype=Basic
[Thu Jan 07 11:17:13 2010] [debug] mod_deflate.c(615): [client
192.168.100.237] Zlib: Compressed 102 to 91 : URL /index.html

==> On Apache side, everything seems to be ok


# ON SERVER SIDE (KDC)
--

> tail -f /var/log/krb5kdc.log

Jan 07 11:19:48 ubuntu krb5kdc[5648](info): AS_REQ (7 etypes {18 17 16
23 1 3 2}) 172.16.191.1: ISSUE: authtime 1262859588, etypes {rep=18
tkt=18 ses=18}, sric...@beeware.org for krbtgt/beeware@beeware.org
Jan 07 11:19:49 ubuntu krb5kdc[5648](info): TGS_REQ (7 etypes {18 17
16 23 1 3 2}) 172.16.191.1: ISSUE: authtime 1262859588, etypes {rep=18
tkt=18 ses=18}, sric...@beeware.org for WEB/
kwebapp.beeware@beeware.org
Jan 07 11:19:49 ubuntu krb5kdc[5648](info): AS_REQ (7 etypes {18 17 16
23 1 3 2}) 172.16.191.1: ISSUE: authtime 1262859589, etypes {rep=18
tkt=18 ses=18}, sric...@beeware.org for krbtgt/beeware@beeware.org
Jan 07 11:19:49 ubuntu krb5kdc[5648](info): TGS_REQ (7 etypes {18 17
16 23 1 3 2}) 172.16.191.1: ISSUE: authtime 1262859589, etypes {rep=18
tkt=18 ses=18}, sric...@beeware.org for WEB/
kwebapp.beeware@beeware.org


==> On KDC side, everything seems to be ok too.



# CONFIGURATION
---

# Kerberos Client (Firefox) :
- Firefox 3.5.6 (on Ubuntu 9.10) with NegotiateAuth
- lib GSS : libgssapi-krb5-2
- Apache/2.2.12 with "mod-auth_kerb"

# Kerberos Server (MIT implementation)
- Ubuntu Server 9.10
- krb5-* packages


# "mod-auth_kerb" config on virtual host :

> cat /var/www/kwebapp.beeware.org/.htaccess

 

Re: Pending "gss_init_sec_context() failed: Unspecified GSS failure...."

2010-01-07 Thread Sylvain RICHET
Any help would be deeply appreciated.
Thanks in advance



Re: Upcoming KfW 3.x ??

2010-01-07 Thread Jeffrey Altman
On 1/7/2010 11:48 AM, Jeff Blaine wrote:
> Jeffrey,
>
> I ended up solving my issues by forcibly finding and removing
> all traces of anything related to KfW after "uninstall with
> no config saving" -- and reinstalling.
>
> [ I consider it a bug that 'uninstall' does not clean up the   ]
> [ registry when I've said not to keep my "configuration" info. ]
File a bug with MIT.
>
> I don't know what the problem was.  Oh well.
Depending on which keys you are talking about, the per user
configuration data is never
removed by an uninstaller since the uninstaller doesn't have access to
the per user data.
Not all users may be logged into the machine.
>
> I'd love to be a tester, but unfortunately I need to run the
> version our users have in order to troubleshoot things.
Without being a tester, you won't be able to ensure that the next
release works
the way you want it to in your environment.   Unless you are providing
funding or
some in-kind assistance in the development, why should I spend my time
answering
your e-mails when you have trouble?
>
> Aside, is there a reason for the 2-step credential obtaining
> process where the account is 'checked' then one is given a
> password text entry field?  It's clunky to interact with.
In NIM v1.x the account's existence is verified before prompting for a
password in
order to protect against users that typo the username or realm and
created an
identity in the database that in fact does not exist.

In NIM v2, identities are created by a wizard that walks the user
through the
configuration of all applicable credential providers.  After the
identity is created
the user simply selects one of the pre-configured ones instead of manually
typing the username and realm each time.   This change is both to
improve usability
but also to permit NIM v2 to be used with X.509 and Keystore identities in
addition to Kerberos v5.
>
> Another aside, what release will have krb4 cred obtaining
> disabled by default?

Any release you want.  As I have said before, you can use a transform to
configure
the MSI installer to disable Kerberos v4.   You can do this today.
>> What I would do is use "Network Monitor v3.2" from Microsoft Connect to
>> examine the network traffic and see what requests are failing to receive
>> responses.
>
> FWIW 3.3 is out
>
> Looks like a nice tool.  I may ditch put Ethereal in the attic.
They each have their own strengths and weaknesses.  Ethereal can be used
to decrypt encrypted traffic and
has AFS support.  NetMon does a much better job of analyzing and
displaying conversations.






Re: Upcoming KfW 3.x ??

2010-01-07 Thread Jeff Blaine
On 1/6/2010 7:33 PM, Jeffrey Altman wrote:
> On 1/6/2010 2:32 PM, Jeff Blaine wrote:
>> I seem to have all sorts of weird problems with KfW.
>>
>> For instance, I just clicked 'Cancel' in the 'Obtain
>> new credentials' dialog for a certain realm and the
>> dialog greyed out, won't go away, and won't close
>> via [X].
>>
>> Other times I get DNS failures from NIM when nslookup
>> in a cmd.exe window resolves the KDCs fine.
>>
>> Overall, I have zero problems with other network apps
>> on this box.
>
> You are welcome to try a beta of Network Identity Manager v2 if you
> would like.
> (Send private mail to be added to the testers list.)   However, if the
> problem is
> the resolution of DNS SRV records (which some DNS proxies do not respond to)
> then the problem will not be resolved by the update.

Jeffrey,

I ended up solving my issues by forcibly finding and removing
all traces of anything related to KfW after "uninstall with
no config saving" -- and reinstalling.

[ I consider it a bug that 'uninstall' does not clean up the   ]
[ registry when I've said not to keep my "configuration" info. ]

I don't know what the problem was.  Oh well.

I'd love to be a tester, but unfortunately I need to run the
version our users have in order to troubleshoot things.

Aside, is there a reason for the 2-step credential obtaining
process where the account is 'checked' then one is given a
password text entry field?  It's clunky to interact with.

Another aside, what release will have krb4 cred obtaining
disabled by default?

> What I would do is use "Network Monitor v3.2" from Microsoft Connect to
> examine the network traffic and see what requests are failing to receive
> responses.

FWIW 3.3 is out

Looks like a nice tool.  I may ditch put Ethereal in the attic.
