Kerberos 5 Release 1.16-beta1
The krb5-1.16 release is in beta test. This is a
development release, and is NOT intended for end
users. It is strongly recommended that you not deploy it
in production environments. Please send comments to the
krbdev list. You may download the krb5-1.16-beta1
snapshot from here.
For a complete list of changes, please see this
list in our RT bugtracking system.
The Data Encryption Standard (DES) is widely recognized as
weak. The krb5-1.7 release contains measures to encourage sites
to migrate away from using single-DES cryptosystems. Among
these is the allow_weak_crypto configuration variable, which
enables "weak" enctypes and defaults to "false" beginning with
krb5-1.8.
Major changes in 1.16
- Administrator experience
  - The KDC can match PKINIT client certificates against the
    "pkinit_cert_match" string attribute on the client
    principal entry, using the same syntax as the existing
    "pkinit_cert_match" profile option.
  - The ktutil addent command supports the "-k 0" option to
    ignore the key version, and the "-s" option to use a
    non-default salt string.
  - kpropd supports a --pid-file option to write a pid file
    at startup, when it is run in standalone mode.
  - The "encrypted_challenge_indicator" realm option can be
    used to attach an authentication indicator to tickets
    obtained using FAST encrypted challenge.
  - Localization support can be disabled at build time with
    the --disable-nls configure option.
- Developer experience
  - The kdcpolicy pluggable interface allows modules to control
    whether tickets are issued by the KDC.
  - The kadm5_auth pluggable interface allows modules to
    control whether kadmind grants access to a kadmin request.
  - The certauth pluggable interface allows modules to
    control which PKINIT client certificates can authenticate
    to which client principals.
  - KDB modules can use the client and KDC interface IP
    addresses to determine whether to allow an AS request.
  - GSS applications can query the bit strength of a krb5
    GSS context using the GSS_C_SEC_CONTEXT_SASL_SSF OID with
  - GSS applications can query the impersonator name of a
    krb5 GSS credential using the
    GSS_KRB5_GET_CRED_IMPERSONATOR OID with
  - kdcpreauth modules can query the KDC for the
    canonicalized requested client principal name, or match a
    principal name against the requested client principal name.
- Protocol evolution
  - The client library will continue to try
    pre-authentication mechanisms after most failure
  - The KDC will issue trivially renewable tickets (where
    the renewable lifetime is equal to or less than the ticket
    lifetime) if requested by the client, to be friendlier to
  - The client library will use a random nonce for TGS
    requests instead of the current system time.
  - For the RC4 string-to-key or PAC operations, UTF-16 is
    supported (previously only UCS-2 was supported).
  - When matching PKINIT client certificates, UPN SANs will
    be matched correctly as UPNs, with canonicalization.
- User experience
  - Dates after the year 2038 are accepted (provided that
    the platform time facilities support them), through the
  - Automatic credential cache selection based on the client
    realm will take into account the fallback realm and the
  - Referral and alternate cross-realm TGTs will not be
    cached, avoiding some scenarios where they can be added to
    the credential cache multiple times.
  - A German translation has been added.
- Code quality
  - The build is warning-clean under clang with the
    configured warning options.
  - The automated test suite runs cleanly under
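The pkinit_cert_match rule syntax that the new per-principal string attribute shares with the existing profile option is small enough to model, and modelling it is a practical way to check a rule against the certificates a principal is expected to present before attaching it on the KDC. The following Python is an added example written for this page, not krb5 code: it parses a rule into its optional relation operator (&& or ||) and its <SUBJECT>, <ISSUER>, <SAN>, <EKU> and <KU> components, then evaluates the rule against a constructed certificate description. Assumptions: certificate attributes are represented as plain strings and sets (DNs as RFC 2253 strings, SAN values rendered as text), regular-expression components are evaluated with Python's re module rather than the regex library krb5 itself uses, and a list-valued <EKU> or <KU> component requires every listed value to be present.

```python
"""Evaluate krb5 pkinit_cert_match rules against a certificate description.

Added example (not krb5 code). Assumptions, also stated in the lead-in:
regexes use Python's re module, DNs are plain RFC 2253 strings, and
<EKU>/<KU> lists require every listed value to be present.
"""
import re
from dataclasses import dataclass, field

# A rule is an optional relation (&& or ||) followed by <KEYWORD>value components.
_COMPONENT = re.compile(r"<(SUBJECT|ISSUER|SAN|EKU|KU)>")


@dataclass
class CertInfo:
    """What a matcher would extract from an X.509 client certificate."""
    subject: str                               # RFC 2253 DN string (assumed form)
    issuer: str                                # RFC 2253 DN string (assumed form)
    sans: list = field(default_factory=list)   # SAN values rendered as text
    ekus: set = field(default_factory=set)     # EKU names: pkinit, msScLogin, ...
    kus: set = field(default_factory=set)      # KU names: digitalSignature, ...


def parse_rule(rule):
    """Return (relation, [(keyword, value), ...]).

    relation is "and" (the default, or a leading "&&") or "or" (leading "||").
    """
    rule = rule.strip()
    relation = "and"
    if rule.startswith("&&"):
        rule = rule[2:]
    elif rule.startswith("||"):
        relation, rule = "or", rule[2:]
    # With a capturing group, re.split yields [prefix, kw1, val1, kw2, val2, ...]
    parts = _COMPONENT.split(rule)
    if parts[0].strip():
        raise ValueError(f"rule must begin with a <KEYWORD> component: {rule!r}")
    comps = [(parts[i], parts[i + 1]) for i in range(1, len(parts) - 1, 2)]
    if not comps:
        raise ValueError("rule has no components")
    return relation, comps


def _component_matches(keyword, value, cert):
    if keyword == "SUBJECT":
        return re.search(value, cert.subject) is not None
    if keyword == "ISSUER":
        return re.search(value, cert.issuer) is not None
    if keyword == "SAN":
        return any(re.search(value, san) for san in cert.sans)
    wanted = {v.strip() for v in value.split(",") if v.strip()}
    if keyword == "EKU":
        return wanted <= cert.ekus        # every listed EKU must be present
    if keyword == "KU":
        return wanted <= cert.kus         # every listed KU must be present
    raise ValueError(f"unknown component {keyword}")


def rule_matches(rule, cert):
    """True if cert satisfies rule under its relation operator."""
    relation, comps = parse_rule(rule)
    results = [_component_matches(kw, value, cert) for kw, value in comps]
    return all(results) if relation == "and" else any(results)


# Constructed sample certificate for the demonstration, not a real one.
ALICE_CERT = CertInfo(
    subject="CN=alice,OU=People,O=Example Corp,C=US",
    issuer="CN=Example Corp Issuing CA,O=Example Corp,C=US",
    sans=["alice@EXAMPLE.COM"],
    ekus={"clientAuth", "msScLogin"},
    kus={"digitalSignature"},
)

if __name__ == "__main__":
    for rule in (
        r"<SAN>^alice@EXAMPLE\.COM$",
        r"<SAN>@EXAMPLE\.COM$<EKU>msScLogin,clientAuth<KU>digitalSignature",
        r"<EKU>pkinit",                        # sample cert has no id-pkinit-KPClientAuth EKU
        r"||<SUBJECT>CN=bob,<SAN>^alice@",     # either component suffices
        r"<SUBJECT>CN=bob,<SAN>^alice@",       # default && needs both
    ):
        print(f"{rule_matches(rule, ALICE_CERT)!s:5} {rule}")
```

A rule that behaves as intended against the expected certificates can then be attached to the principal with kadmin's set_string command (for example, set_string alice pkinit_cert_match '<SAN>^alice@EXAMPLE\.COM$'). Anchoring the SAN regex with ^ and $ matters: an unanchored alice@EXAMPLE.COM would also accept malice@EXAMPLE.COM.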
$Id: krb5-1.16.html,v 1.1 2017/10/05 17:40:54 ghudson Exp $