MIT Kerberos features
Quick facts
- License: MIT Kerberos License information
- Releases:
- Latest stable: http://web.mit.edu/kerberos/krb5-1.13/
- Supported: http://web.mit.edu/kerberos/krb5-1.12/
- Supported: http://web.mit.edu/kerberos/krb5-1.11/
- Release cycle: 9 – 12 months
- Supported platforms / OS distributions:
- Windows (KfW 4.0): Windows 7, Vista, XP
- Solaris: SPARC, x86_64/x86
- GNU/Linux: Debian x86_64/x86, Ubuntu x86_64/x86, RedHat x86_64/x86
- BSD: NetBSD x86_64/x86
- Crypto backends:
- builtin - MIT Kerberos native crypto library
- OpenSSL (1.0+) - http://www.openssl.org
- NSS (3.12.9+) - http://www.mozilla.org/projects/security/pki/nss
- Database backends: LDAP, DB2
- krb4 support: Kerberos 5 release < 1.8
- DES support: configurable (see Retiring DES)
Interoperability
Microsoft
Starting from release 1.7:
- Follow client principal referrals in the client library when obtaining initial tickets.
- KDC can issue realm referrals for service principals based on domain names.
- Extensions supporting DCE RPC, including three-leg GSS context setup and unencapsulated GSS tokens inside SPNEGO.
- Microsoft GSS_WrapEX, implemented using the gss_iov API, which is similar to the equivalent SSPI functionality. This is needed to support some instances of DCE RPC.
- NTLM recognition support in GSS-API, to facilitate dropping in an NTLM implementation for improved compatibility with older releases of Microsoft Windows.
- KDC support for principal aliases, if the back end supports them. Currently, only the LDAP back end supports aliases.
- Support Microsoft set/change password (RFC 3244) protocol in kadmind.
- Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which allows a GSS application to request credential delegation only if permitted by KDC policy.
Starting from release 1.8:
- Microsoft Services for User (S4U) compatibility
Heimdal
- Support for reading the Heimdal database, starting from release 1.8
- Support for the KCM credential cache, starting from release 1.13
Feature list
For more information on a specific project, see http://k5wiki.kerberos.org/wiki/Projects
- Release 1.7
- Credentials delegation RFC 5896
- Cross-realm authentication and referrals RFC 6806
- Master key migration
- PKINIT RFC 4556 (see PKINIT configuration)
- Release 1.8
- Anonymous PKINIT RFC 6112 (see Anonymous PKINIT)
- Constrained delegation
- IAKERB http://tools.ietf.org/html/draft-ietf-krb-wg-iakerb-02
- Heimdal bridge plugin for KDC backend
- GSS-API S4U extensions http://msdn.microsoft.com/en-us/library/cc246071
- GSS-API naming extensions RFC 6680
- GSS-API extensions for storing delegated credentials RFC 5588
- Release 1.9
- Advance warning on password expiry
- Camellia encryption (CTS-CMAC mode) RFC 6803
- KDC support for SecurID preauthentication
- kadmin over IPv6
- Trace logging (see Trace logging)
- GSSAPI/KRB5 multi-realm support
- Plugin to test password quality: Password quality interface (pwqual)
- Plugin to synchronize password changes: KADM5 hook interface (kadm5_hook)
- Parallel KDC
- GSS-API extensions for SASL GS2 bridge RFC 5801 RFC 5587
- Purging old keys
- Naming extensions for delegation chain
- Password expiration API
- Windows client support (build-only)
- IPv6 support in iprop
- Release 1.10
- Plugin interface for configuration: Configuration interface (profile)
- Credentials for multiple identities: Credential cache selection interface (ccselect)
- Release 1.11
- Client support for FAST OTP RFC 6560
- GSS-API extensions for credential locations
- Responder mechanism
- Release 1.12
- Plugin to control krb5_aname_to_localname and krb5_kuserok behavior: Local authorization interface (localauth)
- Plugin to control hostname-to-realm mappings and the default realm: Host-to-realm interface (hostrealm)
- GSSAPI extensions for constructing MIC tokens using IOV lists (see IOV MIC tokens)
- Principals may refer to nonexistent policies (see Policy Refcount project)
- Support for having no long-term keys for a principal (see Principals Without Keys project)
- Collection support for the KEYRING credential cache type on Linux (see Credential cache)
- FAST OTP preauthentication module for the KDC, which uses RADIUS to validate OTP token values (see OTP Preauthentication)
- Experimental audit plugin for KDC processing (see Audit project)
- Release 1.13
- Add support for accessing KDCs via an HTTPS proxy server using the MS-KKDCP protocol.
- Add support for hierarchical incremental propagation, where slaves can act as intermediates between an upstream master and other downstream slaves.
- Add support for configuring GSS mechanisms using /etc/gss/mech.d/*.conf files in addition to /etc/gss/mech.
- Add support to the LDAP KDB module for binding to the LDAP server using SASL.
- The KDC listens for TCP connections by default.
- Fix a minor key disclosure vulnerability where using the “keepold” option to the kadmin randkey operation could return the old keys. [CVE-2014-5351]
- Add client support for the Kerberos Cache Manager protocol. If the host is running a Heimdal kcm daemon, caches served by the daemon can be accessed with the KCM: cache type.
- When built on OS X 10.7 and higher, use “KCM:” as the default cache type, unless overridden by command-line options or krb5-config values.
- Add support for doing unlocked database dumps for the DB2 KDC back end, which would allow the KDC and kadmind to continue accessing the database during lengthy database dumps.
Pre-authentication mechanisms
- PW-SALT RFC 4120
- ENC-TIMESTAMP RFC 4120
- SAM-2
- FAST negotiation framework (release 1.8) RFC 6113
- PKINIT with FAST on client (release 1.10) RFC 6113
- PKINIT RFC 4556
- FX-COOKIE RFC 6113
- S4U-X509-USER (release 1.8) http://msdn.microsoft.com/en-us/library/cc246091
- OTP (release 1.12) (see OTP Preauthentication)
PRNG
- modularity (release 1.9)
- Yarrow PRNG (release < 1.10)
- Fortuna PRNG (release 1.9) http://www.schneier.com/book-practical.html
- OS PRNG (release 1.10): the OS’s native PRNG