Kerberos 5 Release 1.7
The MIT Kerberos Team announces the availability of the
krb5-1.7 release. The detached PGP
signature is available without going through the download
page, if you wish to verify the authenticity of a distribution
you have obtained elsewhere.
Please see the README file for a
more complete list of changes.
You may also see the current full
list
of fixed bugs tracked in our RT bugtracking system.
The Data Encryption Standard (DES) is widely recognized as
weak. The krb5-1.7 release will contain measures to encourage
sites to migrate away from using single-DES cryptosystems.
Among these is a configuration variable that enables "weak"
enctypes, but will default to "false" in the future. Additional
migration aids are planned for future releases.
The krb5-1.7 release contains a large number of changes, featuring
improvements in the following broad areas:
- Compatibility with Microsoft Windows
- Administrator experience
- User experience
- Code quality
- Protocol evolution
Compatibility with Microsoft Windows:
- Follow client principal referrals in the client library when
obtaining initial tickets.
- KDC can issue realm referrals for service principals based on domain
names.
- Extensions supporting DCE RPC, including three-leg GSS context setup
and unencapsulated GSS tokens inside SPNEGO.
- Microsoft GSS_WrapEX, implemented using the gss_iov API, which is
similar to the equivalent SSPI functionality. This is needed to
support some instances of DCE RPC.
- NTLM recognition support in GSS-API, to facilitate dropping in an
NTLM implementation for improved compatibility with older releases
of Microsoft Windows.
- KDC support for principal aliases, if the back end supports them.
Currently, only the LDAP back end supports aliases.
- Support Microsoft set/change password (RFC 3244) protocol in
kadmind.
- Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which
allows a GSS application to request credential delegation only if
permitted by KDC policy.
Administrator experience:
- Install header files for the administration API, allowing
third-party software to manipulate the KDC database.
- Incremental propagation support for the KDC database.
- Master key rollover support, making it easier to change master key
passwords or encryption types.
- New libdefaults configuration variable "allow_weak_crypto". NOTE:
Currently defaults to "true", but may default to "false" in a future
release. Setting this variable to "false" will have the effect of
removing weak enctypes (currently defined to be all single-DES
enctypes) from permitted_enctypes, default_tkt_enctypes, and
default_tgs_enctypes.
User experience:
- Provide enhanced GSS-API error message including supplementary
details about error conditions.
- In the replay cache, use a hash over the complete ciphertext to
avoid false-positive replay indications.
Code quality:
- Replace many uses of "unsafe" string functions. While most of these
instances were innocuous, they impeded efficient automatic and
manual static code analysis.
- Fix many instances of resource leaks and similar bugs identified by
static analysis tools.
- Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 --
various vulnerabilities in SPNEGO and ASN.1 code.
Protocol evolution:
- Remove support for version 4 of the Kerberos protocol (krb4).
- Encryption algorithm negotiation (RFC 4537), allowing clients and
application services to negotiate stronger encryption than their KDC
supports.
- Flexible Authentication Secure Tunneling (FAST), a preauthentiation
framework that can protect the AS exchange from dictionary attacks
on weak user passwords.
Known Bugs
Known bugs reported against krb5-1.7 are listed
here.
Please note that the HTML versions of these documents are
converted from texinfo, and that the conversion is imperfect.
If you want PostScript or GNU info versions, please download
the documentation tarball.
You may retrieve the Kerberos 5 Release 1.7 source from
here.
If you need to acquire the sources from some other distribution
site, you may verify them against the detached
PGP signature for krb5-1.7.
$Id: krb5-1.7.html,v 1.6 2009/06/02 15:05:14 tlyu Exp $
MIT Kerberos
[ home ]
[ contact ]