Lab Notes
Musings on Wi-Fi security issues, our product plans, and the general state of the world. Follow up with your comments and complaints to Lab Notes's .
Elektron 2.1.2376
[ALL] Update the Windows certificate installer for Windows 7
[ALL] Update the Mac OS X certificate installer for Snow Leopard
[ALL] Change UI for certificate installer export to export Mac and Windows separately
[ALL] Fixed a missing table error that could cause replication failures
[ALL] Fixed a bug that could lead to incorrect EAP message fragmentation with EAP-TLS, PEAP, TTLS, and EAP-FAST
[ALL] Upgrade OpenSSL FIPS to v1.2
[MAC] Always use short name for Directory Services group membership lookup, even if user logged in with a long name
[MAC] Build against the 10.5 SDK
[WIN] Fixed an issue parsing some UNC usernames with Windows authentication
[WIN] Remove use of subauthentication DLL
[WIN] No longer strip domain when performing Active Directory machine authentication
[WIN] Build with Visual Studio 2008
[WIN] Link installer executable statically
sudo chmod 755 /usr/sbin/elektrond
Elektron 2.0.2118
Today we posted Elektron 2.0.2118 for both Windows and Mac OS X. This is a bug fix release with the following fixes:
- Fixed a small memory leak when using ODBC for authentication
- Fixed a bug formatting Elektron account usernames in Elektron Settings
- Fixed a bug that prevented PEAP users from successfully authenticating against an upstream RADIUS server
- Fixed a bug that prevented MAC address authentication with certain Netgear devices
- Changed the message logged when an invalid Message-Authenticator is received
- Fixed a bug that resulted in Directory Services authentication failing for users who are members of many groups
- Fixed a bug that resulted in a spurious EAP-FAST PAC logging message
- Fixed a bug that prevented EAP-FAST from successfully authenticating MS-CHAPv2 users over non-anonymous connections
- Fixed a bug that could cause a crash on Windows when running with Delay Access-Reject (an option that is disabled by default)
- Fixed a bug in the Elektron Settings application that would cause username triggers to appear incorrect after reordering policies
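Several entries in the two release lists above concern EAP message handling for EAP-TLS, PEAP, TTLS and EAP-FAST, including the 2.1.2376 fix for incorrect EAP message fragmentation. All four methods carry TLS records inside EAP packets with the same L/M/S flag layout (PEAP, TTLS and EAP-FAST with their own EAP type numbers and version bits), and a RADIUS server must split each TLS message to fit the EAP packet size and then into 253-octet RADIUS EAP-Message attributes. The following is an added example, not Elektron's code, of that fragmentation for plain EAP-TLS (type 13) as specified in RFC 3748 and RFC 5216, together with a reassembler that rejects the malformed sequences a fragmentation bug produces. The sample TLS payload, the 1000-octet EAP limit and the function names are constructed for the example.

```python
import struct

# Added example (not Elektron's code): EAP-TLS fragmentation and reassembly per
# RFC 3748 (EAP) and RFC 5216 (EAP-TLS), plus the split of one EAP packet into
# RADIUS EAP-Message attributes. PEAP, TTLS and EAP-FAST reuse the same L/M/S
# flag layout with their own EAP type numbers; only type 13 is handled here.

EAP_REQUEST = 1
EAP_TYPE_TLS = 13
FLAG_L, FLAG_M = 0x80, 0x40      # L: TLS Message Length present, M: more fragments
EAP_TLS_HDR = 6                  # Code, Identifier, Length(2), Type, Flags
RADIUS_ATTR_EAP_MESSAGE = 79
RADIUS_EAP_MESSAGE_MAX = 253     # value limit; the attribute Length octet counts its 2-byte header


def eap_tls_fragments(tls_message, max_eap_len, code=EAP_REQUEST, first_id=1):
    """Split tls_message into EAP-TLS packets of at most max_eap_len octets.

    The first fragment carries the L flag and the 4-octet TLS Message Length;
    every fragment except the last carries M. Each packet gets a fresh
    Identifier, since each is a separate EAP Request (the peer ACKs in between).
    """
    if max_eap_len < EAP_TLS_HDR + 4 + 1:
        raise ValueError("max_eap_len leaves no room for TLS data")
    packets, offset, ident, first = [], 0, first_id, True
    total = len(tls_message)
    while first or offset < total:
        room = max_eap_len - EAP_TLS_HDR - (4 if first else 0)
        chunk = tls_message[offset:offset + room]
        offset += len(chunk)
        flags, body = 0, b""
        if first:
            flags |= FLAG_L
            body += struct.pack("!I", total)
        if offset < total:
            flags |= FLAG_M
        body += chunk
        header = struct.pack("!BBHBB", code, ident & 0xFF, EAP_TLS_HDR + len(body),
                             EAP_TYPE_TLS, flags)
        packets.append(header + body)
        ident, first = ident + 1, False
    return packets


def eap_tls_reassemble(packets):
    """Reassemble fragments, rejecting malformed sequences.

    Raises ValueError for the defects an incorrect fragmenter produces: a Length
    field that disagrees with the packet, M set on the final fragment (or data
    arriving after the last fragment), and a reassembled size that does not
    match the announced TLS Message Length.
    """
    announced, data, expect_more = None, bytearray(), True
    for i, pkt in enumerate(packets):
        if not expect_more:
            raise ValueError("fragment received after the final fragment")
        if len(pkt) < EAP_TLS_HDR:
            raise ValueError("truncated EAP packet")
        code, ident, length, eap_type, flags = struct.unpack("!BBHBB", pkt[:EAP_TLS_HDR])
        if length != len(pkt):
            raise ValueError("EAP Length field does not match packet size")
        if eap_type != EAP_TYPE_TLS:
            raise ValueError("not an EAP-TLS packet")
        body = pkt[EAP_TLS_HDR:]
        if flags & FLAG_L:
            if len(body) < 4:
                raise ValueError("L flag set but TLS Message Length missing")
            (length_here,) = struct.unpack("!I", body[:4])
            body = body[4:]
            if announced is None:
                announced = length_here
            elif length_here != announced:
                raise ValueError("TLS Message Length changed between fragments")
        elif i == 0 and flags & FLAG_M:
            raise ValueError("first fragment of a fragmented message lacks L flag")
        data += body
        expect_more = bool(flags & FLAG_M)
    if expect_more:
        raise ValueError("final fragment missing (last packet still has M set)")
    if announced is not None and announced != len(data):
        raise ValueError("reassembled %d octets, announced %d" % (len(data), announced))
    return bytes(data)


def is_malformed(packets):
    """True if eap_tls_reassemble rejects the sequence."""
    try:
        eap_tls_reassemble(packets)
        return False
    except ValueError:
        return True


def radius_eap_message_attrs(eap_packet):
    """Carry one EAP packet in as many RADIUS EAP-Message attributes as needed."""
    chunks = (eap_packet[i:i + RADIUS_EAP_MESSAGE_MAX]
              for i in range(0, len(eap_packet), RADIUS_EAP_MESSAGE_MAX))
    return [bytes([RADIUS_ATTR_EAP_MESSAGE, len(chunk) + 2]) + chunk for chunk in chunks]


if __name__ == "__main__":
    # Constructed sample: a 1536-octet "TLS message" and a 1000-octet EAP limit.
    sample = bytes(range(256)) * 6
    frags = eap_tls_fragments(sample, 1000)
    print(len(frags), "fragments of", [len(f) for f in frags], "octets")
    print("round trip ok:", eap_tls_reassemble(frags) == sample)
    print("RADIUS attributes for first fragment:", len(radius_eap_message_attrs(frags[0])))
```

The reassembler is the half worth keeping around: feeding it a captured exchange (for example the EAP-Message payloads from a RADIUS trace) tells you immediately whether a supplicant or server is announcing one length and sending another, or leaving M set on its final fragment, which is what a fragmentation bug looks like on the wire.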
Creating a Rogue CA Certificate
At the Chaos Communication Congress today, researchers presented a paper describing their technique for forging certificates to appear as if they were signed by a trusted certificate authority. How they did it, in a nutshell:
- Obtain a legitimate certificate from a certificate authority that signs with MD5.
- Generate a fake certificate for the rogue web site, adding an extension that contains a precisely calculated string of bytes so that the MD5 digest of the fake certificate matches the MD5 digest of the legitimate certificate from step 1 (this step took the researchers about 18 hours using an array of 200 PlayStation 3 systems, whose Cell processor is especially adept at the kinds of computations necessary).
- Copy the signature from the legitimate certificate to the fake certificate. This works because the CA's RSA signature covers only the digest of the certificate, not the certificate itself; a signature that verifies for one MD5 digest verifies for anything else with that digest.
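The three steps above, modelled in code. This is an added example, not the researchers' code and not anything from Periodik Labs: the certificates are toy text records, the CA uses textbook RSA over a digest, and the digest is MD5 truncated to 16 bits so that a matching digest can be found by brute force in a fraction of a second, standing in for the 18-hour chosen-prefix collision the researchers computed against full MD5. The RSA primes, the subject names and the record format are all constructed for the example; only the structure of the attack (collide the digest, transplant the signature) is taken from the post.

```python
import hashlib

# Added example (not the researchers' code): why a matching digest lets an
# attacker transplant a CA signature onto a forged certificate.
# Assumptions, all constructed for illustration:
#  - a certificate's to-be-signed part is the text "CN=...;CA=...;EXT=<hex>"
#  - the CA signs with textbook RSA over the digest (no padding)
#  - the digest is MD5 truncated to DIGEST_BITS bits, so step 2 can be done
#    by brute force here; against full MD5 the researchers needed a
#    chosen-prefix collision, but the principle is identical.

P = (1 << 61) - 1                 # Mersenne primes, small enough to be fast
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # modular inverse, Python 3.8+

DIGEST_BITS = 16


def weak_digest(data):
    """MD5 truncated to DIGEST_BITS bits: a stand-in for a broken hash."""
    full = int.from_bytes(hashlib.md5(data).digest(), "big")
    return full & ((1 << DIGEST_BITS) - 1)


def tbs(subject, is_ca, ext):
    """The 'to-be-signed' part of a toy certificate (constructed format)."""
    return ("CN=%s;CA=%d;EXT=%s" % (subject, int(is_ca), ext.hex())).encode()


def ca_sign(tbs_bytes):
    """The CA signs the digest, not the certificate bytes."""
    return pow(weak_digest(tbs_bytes), D, N)


def verify(tbs_bytes, signature):
    """A relying party recomputes the digest and compares it to the signature."""
    return pow(signature, E, N) == weak_digest(tbs_bytes)


def forge(legit_tbs, rogue_subject, rogue_is_ca):
    """Step 2: vary an extension field until the digest equals the legit cert's.

    With a DIGEST_BITS-bit digest this takes about 2**DIGEST_BITS tries; the
    attacker controls every other field, including CA=1.
    """
    target = weak_digest(legit_tbs)
    counter = 0
    while True:
        candidate = tbs(rogue_subject, rogue_is_ca, counter.to_bytes(4, "big"))
        if weak_digest(candidate) == target:
            return candidate
        counter += 1


def demo():
    legit = tbs("legit.example", False, b"")            # step 1: a real end-entity cert
    sig = ca_sign(legit)                                 # issued and signed by the CA
    rogue = forge(legit, "rogue-ca.example", True)       # step 2: same digest, CA=1
    # step 3: transplant the signature; the verifier cannot tell the difference
    return verify(legit, sig), verify(rogue, sig), rogue != legit


if __name__ == "__main__":
    print(demo())
```

Raising DIGEST_BITS shows why the hash is the whole game: each extra bit doubles the brute-force cost, and at 128 bits a second preimage is out of reach, which is why the real attack needed a collision (two certificates constructed together) rather than a match against an arbitrary existing certificate. Nothing in the verifier needs to change for the forgery to succeed; the only defence is a CA that stops signing with MD5.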
The upshot is that any certificate signed by an authority using MD5 is suspect: the signature proves only that the CA signed something with that MD5 digest. RapidSSL accounted for nearly all of the certificates that the researchers identified in their sampling, but Thawte and several others were also singled out. Beware of any web site that uses one of these certificates; even if your browser says that the certificate is valid, it may not be. Your browser's certificate viewer shows the signature algorithm, and MD5 with RSA encryption is the one to watch for. (n.b., not all Thawte certificates are vulnerable; our own web site uses a Thawte certificate that was issued with a SHA-1 signature).
This presentation comes on the heels of last week's revelation that a certificate vendor has been issuing certificates with no verification. In that case, a user was able to get a certificate issued in the name of "www.mozilla.org" despite not having any affiliation with Mozilla.
And to bring this all back around to Elektron, I'll note that Elektron has always signed its certificates using SHA-1.
Major Privilege Escalation Bug in Mac OS X 10.4 and 10.5
In case you haven't seen it, any user with an account (admin or not) on Tiger or Leopard can run any command as root. Contrary to some published reports, physical access to the machine is not required; commands can be executed over an SSH or ARD/VNC connection as well.
Overheard at the WWDC Keynote
"That's not a feature, that's a bug!"— An attendee's reaction to Steve Jobs' announcement that Microsoft Exchange support is the one new feature in Snow Leopard
iPhone 2.0 to Include 802.1X
One of the nicer (for us, at least) announcements to come out of the iPhone presentation this morning is that the next generation of iPhone software will include an 802.1X supplicant, so it will work with Elektron. Apple is currently taking applications for their beta program. Every single person here has an iPhone, so we had to create a second Wi-Fi network with WPA Personal security enabled to work around the lack of a supplicant.
Time Capsule
It's an AirPort Extreme with a 500GB or 1TB drive specifically targeting Time Machine backups. At $499, it's very aggressively priced; comparable to low end NAS units that don't include access point functions. I wonder what "server grade hard drive" means — I suspect that just means it's not a 2.5" ATA drive (which has been the knock on using the Mac Mini as a server). Here at the Labs, Mac users get an external Firewire drive and a copy of SuperDuper! for backups. I don't think we'll be replacing that low-tech-but-bulletproof setup anytime soon, but Time Capsule looks really nice for a home setup, particularly in a household with multiple Mac users.
New Xserves
Looking good. Available with four or eight cores, and memory is now expandable to 32 GB. The base models are price competitive with similarly equipped Sun and Dell machines. Plus, they're available with zippy SAS drives. For us IT geeks, this was a bigger announcement than the speculative ultraportable at MacWorld next week.
Mac OS X 10.5.1
Among the fixes is "Resolves an issue with saved passwords for wireless networks." That one has been bugging me since installing Leopard. Available now via Software Update.
The release notes also include this chestnut:
In Security preferences' Firewall tab, the "Block All" option is now called "Allow Only essential services"
So "block all" apparently didn't mean "block all."
Elektron and Leopard
The lab rats have been busy this weekend making sure that Elektron is fully compatible with the final release of Leopard. It only took a couple of minor tweaks, and a new release is now available! You'll only need this release if you're planning on running Elektron on Leopard; if you are keeping your server on Panther or Tiger (or Windows, for that matter) your existing Elektron installation will continue to authenticate Leopard users just fine.
The biggest Leopard Wi-Fi news is the disappearance of Internet Connect. All Wi-Fi configuration now occurs in the Network preference pane inside System Preferences:

One handy new feature is the ability to store 802.1X configurations on a per-user, per-system, or Login Window basis. The per-user configuration is basically how Tiger works; per-system allows you to create a single configuration for all users on the system (that is, the 802.1X login identifies the machine rather than an individual user), and the Login Window configuration allows the user to specify a username and password at login time to connect to the network before logging in. This final configuration is important for users without local accounts.
All in all, a very nice release.
Elektron® is a registered trademark of Periodik Labs LLC