MIT Kerberos Documentation

MIT Kerberos features

Quick facts

License - MIT Kerberos License information

Supported platforms / OS distributions:
  • Windows (KfW 4.0): Windows 7, Vista, XP
  • Solaris: SPARC, x86_64/x86
  • GNU/Linux: Debian x86_64/x86, Ubuntu x86_64/x86, RedHat x86_64/x86
  • BSD: NetBSD x86_64/x86
Crypto backends:

Database backends: LDAP, DB2

krb4 support: Kerberos 5 release < 1.8

DES support: configurable (See Retiring DES)



Starting from release 1.7:

  • Follow client principal referrals in the client library when obtaining initial tickets.
  • KDC can issue realm referrals for service principals based on domain names.
  • Extensions supporting DCE RPC, including three-leg GSS context setup and unencapsulated GSS tokens inside SPNEGO.
  • Microsoft GSS_WrapEX, implemented using the gss_iov API, which is similar to the equivalent SSPI functionality. This is needed to support some instances of DCE RPC.
  • NTLM recognition support in GSS-API, to facilitate dropping in an NTLM implementation for improved compatibility with older releases of Microsoft Windows.
  • KDC support for principal aliases, if the back end supports them. Currently, only the LDAP back end supports aliases.
  • Support Microsoft set/change password (RFC 3244) protocol in kadmind.
  • Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which allows a GSS application to request credential delegation only if permitted by KDC policy.

Starting from release 1.8:

  • Microsoft Services for User (S4U) compatibility


  • Support for reading Heimdal database starting from release 1.8
  • Support for KCM credential cache starting from release 1.13

Feature list

For more information on the specific project see

Release 1.7
Release 1.8
Release 1.9
  • Advance warning on password expiry
  • Camellia encryption (CTS-CMAC mode) RFC 6803
  • KDC support for SecurID preauthentication
  • kadmin over IPv6
  • Trace logging Trace logging
  • GSSAPI/KRB5 multi-realm support
  • Plugin to test password quality Password quality interface (pwqual)
  • Plugin to synchronize password changes KADM5 hook interface (kadm5_hook)
  • Parallel KDC
  • GSS-API extentions for SASL GS2 bridge RFC 5801 RFC 5587
  • Purging old keys
  • Naming extensions for delegation chain
  • Password expiration API
  • Windows client support (build-only)
  • IPv6 support in iprop
Release 1.10
Release 1.11
  • Client support for FAST OTP RFC 6560
  • GSS-API extensions for credential locations
  • Responder mechanism
Release 1.12

Release 1.13

  • Add support for accessing KDCs via an HTTPS proxy server using the MS-KKDCP protocol.
  • Add support for hierarchical incremental propagation, where slaves can act as intermediates between an upstream master and other downstream slaves.
  • Add support for configuring GSS mechanisms using /etc/gss/mech.d/*.conf files in addition to /etc/gss/mech.
  • Add support to the LDAP KDB module for binding to the LDAP server using SASL.
  • The KDC listens for TCP connections by default.
  • Fix a minor key disclosure vulnerability where using the “keepold” option to the kadmin randkey operation could return the old keys. [CVE-2014-5351]
  • Add client support for the Kerberos Cache Manager protocol. If the host is running a Heimdal kcm daemon, caches served by the daemon can be accessed with the KCM: cache type.
  • When built on OS X 10.7 and higher, use “KCM:” as the default cachetype, unless overridden by command-line options or krb5-config values.
  • Add support for doing unlocked database dumps for the DB2 KDC back end, which would allow the KDC and kadmind to continue accessing the database during lengthy database dumps.

Pre-authentication mechanisms