Kerberos 5 Release 1.12

• Announcement
• README file
• Known Bugs
• Documentation
• Retrieving

Kerberos 5 Release 1.12 is now available

The MIT Kerberos Team announces the availability of the krb5-1.12 release. The detached PGP signature is available without going through the download page, if you wish to verify the authenticity of a distribution you have obtained elsewhere.

Please see the README file for a more complete list of changes.

You may also see the current full list of fixed bugs tracked in our RT bugtracking system.

DES transition

The Data Encryption Standard (DES) is widely recognized as weak. The krb5-1.7 release contains measures to encourage sites to migrate away from using single-DES cryptosystems. Among these is a configuration variable that enables "weak" enctypes, which now defaults to "false" beginning with krb5-1.8.

Major changes in 1.12 (2013-12-10)

Developer experience:

• Add a plugin interface to control krb5_aname_to_localname and krb5_kuserok behavior.
• Add a plugin interface to control hostname-to-realm mappings and the default realm.
• Add GSSAPI extensions for constructing MIC tokens using IOV lists.

Administrator experience:

• Principal entries may now refer to the names of policies which do not exist as policy objects in the database. Policy objects may now be deleted whether or not principals reference their names. A principal which references a nonexistent policy name will behave as if it does not reference a policy.
• Add support for having no long-term keys for a principal. This can be useful if the principal is only intended to be used with PKINIT or OTP preauthentication.
• Add collection support to the KEYRING credential cache type on Linux, and add support for persistent user keyrings and larger credentials on systems which support them.
• Add a FAST OTP preauthentication module for the KDC which uses RADIUS to validate OTP token values.
• Add an experimental pluggable interface for auditing KDC processing. This interface may change in a backwards-incompatible way in a future release.

Performance:

• The AES-based encryption types will use AES-NI instructions when possible for improved performance.

Retrieving Kerberos 5 Release 1.12

You may retrieve the Kerberos 5 Release 1.12 source from here. If you need to acquire the sources from some other distribution site, you may verify them against the detached PGP signature for krb5-1.12.