IMPORTANT!

This distribution includes a patch (already applied), that updates
Kerberos' key generation. The gist of the patch is to replace calls
to des_random_key() with calls to des_new_random_key().

The primary difference is that des_random_key() uses a seeding
technique which is predictable and therefore vulnerable.
des_new_random_key() uses a feedback mechanism based on the Data
Encryption Standard (DES) and is seeded with a secret (and therefore
unknown to an attacker) value. This value is the database master
key, which is a convenient secret value.

This patch uses the new_rnd_key.c key module (which contains the
definition and code for des_new_random_key()). It has been part of
the standard Version 4 distribution since 1992 (and was recreated
for FreeBSD in 1995). This is used in the MIT admin server (the
primary error at MIT was not upgrading all of Kerberos to use this
newer generator. This patch finishes the job).

In addition to the patch for the Kerberos distribution this
distribution also contains a program for changing critical system keys
(namely the "krbtgt" and "changepw.kerberos" keys). When you
originally built your Kerberos database these keys were chosen at
random, using the vulnerable version of the kerberos random number
generator. Therefore it is possible for an attacker to mount an attack
to guess these values. If an attacker can determine the key for the
"krbtgt" ticket, they can construct tickets claiming to be any
kerberos principal. Similarly if an attacker can obtain the
"changepw.kerberos" key, they can change anyone's password.

The new "fix_kdb_keys(8)" program, which you run on the KDC
server, will change these critical keys to new values using the
newer random number generator. IMPORTANT: When you run fix_kdb_keys,
all outstanding ticket granting tickets will immediately become
invalid. This will be disruptive to your user community. We recommend
that you either do this late at night or early in the morning before
most users have logged in. Alternatively pre-announce a definitive
time when you will run the program and inform your users that they
will have to get new tickets at that time (using either "kinit" or
simply by logging out and then in again).

NOTE: The only client program modified is "ksrvutil" which is used
to generate new server keys. All other client/server programs are
unaffected. End users do *not* need to obtain new versions of
programs that use Kerberos. This is because most random number
generation in the Kerberos system is done on the KDC system.

After getting these sources, type "make world" at the toplevel of
your source tree. This will, among other things, build the fix_kdb_keys
program. This is not necessary if you have already got prebuilt
binaries with this distribution.