MIT Kerberos Documentation

MIT Kerberos features

http://web.mit.edu/kerberos

Quick facts

License - MIT Kerberos License information

Releases:
Supported platforms / OS distributions:
  • Windows (KfW 4.0): Windows 7, Vista, XP
  • Solaris: SPARC, x86_64/x86
  • GNU/Linux: Debian x86_64/x86, Ubuntu x86_64/x86, RedHat x86_64/x86
  • BSD: NetBSD x86_64/x86
Crypto backends:

Database backends: LDAP, DB2

krb4 support: Kerberos 5 release < 1.8

DES support: configurable (See Retiring DES)

Interoperability

Microsoft

Starting from release 1.7:

  • Follow client principal referrals in the client library when obtaining initial tickets.
  • KDC can issue realm referrals for service principals based on domain names.
  • Extensions supporting DCE RPC, including three-leg GSS context setup and unencapsulated GSS tokens inside SPNEGO.
  • Microsoft GSS_WrapEX, implemented using the gss_iov API, which is similar to the equivalent SSPI functionality. This is needed to support some instances of DCE RPC.
  • NTLM recognition support in GSS-API, to facilitate dropping in an NTLM implementation for improved compatibility with older releases of Microsoft Windows.
  • KDC support for principal aliases, if the back end supports them. Currently, only the LDAP back end supports aliases.
  • Support Microsoft set/change password (RFC 3244) protocol in kadmind.
  • Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which allows a GSS application to request credential delegation only if permitted by KDC policy.

Starting from release 1.8:

  • Microsoft Services for User (S4U) compatibility

Heimdal

  • Support for reading Heimdal database starting from release 1.8

Feature list

For more information on the specific project see http://k5wiki.kerberos.org/wiki/Projects

Release 1.7
Release 1.8
Release 1.9
  • Advance warning on password expiry
  • Camellia encryption (CTS-CMAC mode) RFC 6803
  • KDC support for SecurID preauthentication
  • kadmin over IPv6
  • Trace logging Trace logging
  • GSSAPI/KRB5 multi-realm support
  • Plugin to test password quality Password quality interface (pwqual)
  • Plugin to synchronize password changes KADM5 hook interface (kadm5_hook)
  • Parallel KDC
  • GSS-API extentions for SASL GS2 bridge RFC 5801 RFC 5587
  • Purging old keys
  • Naming extensions for delegation chain
  • Password expiration API
  • Windows client support (build-only)
  • IPv6 support in iprop
Release 1.10
Release 1.11
  • Client support for FAST OTP RFC 6560
  • GSS-API extensions for credential locations
  • Responder mechanism
Release 1.12

Pre-authentication mechanisms

PRNG