Kerberos 5 Release 1.18.3
The MIT Kerberos Team announces the availability of the
krb5-1.18.3 release. The detached PGP
signature is available without going through the download
page, if you wish to verify the authenticity of a distribution
you have obtained elsewhere.
Please see the README file for a
more complete list of changes.
You may also see the current full
list of fixed bugs tracked in our RT bugtracking system.
DES no longer supported
Beginning with the krb5-1.18 release, single-DES encryption
types are no longer supported.
Major changes in 1.18.3 (2020-11-17)
- Fix a denial of service vulnerability when decoding Kerberos
- Fix a locking issue with the LMDB KDB module which could
cause KDC and kadmind processes to lose access to the
- Fix an assertion failure when libgssapi_krb5 is repeatedly
loaded and unloaded while libkrb5support remains loaded.
Major changes in 1.18.2 (2020-05-21)
- Fix a SPNEGO regression where an acceptor using the default
credential would improperly filter mechanisms, causing a
- Fix a bug where the KDC would fail to issue tickets if the
local krbtgt principal's first key has a single-DES enctype.
- Add stub functions to allow old versions of OpenSSL
libcrypto to link against libkrb5.
- Fix a NegoEx bug where the client name and delegated credential
might not be reported.
Major changes in 1.18.1 (2020-04-13)
- Fix a crash when qualifying short hostnames when the system
has no primary DNS domain.
- Fix a regression when an application imports "service@" as a
GSS host-based name for its acceptor credential handle.
- Fix KDC enforcement of auth indicators when they are
modified by the KDB module.
- Fix removal of require_auth string attributes when the LDAP
KDB module is used.
- Fix a compile error when building with musl libc on Linux.
- Fix a compile error when building with gcc 4.x.
- Change the KDC constrained delegation precedence order for
consistency with Windows KDCs.
Major changes in 1.18 (2020-02-12)
- Administrator experience
- Remove support for single-DES encryption types.
- Change the replay cache format to be more efficient and
robust. Replay cache filenames using the new format end
with ".rcache2" by default.
- setuid programs will automatically ignore environment
variables that normally affect krb5 API functions, even if
the caller does not use krb5_init_secure_context().
- Add an "enforce_ok_as_delegate" krb5.conf relation to
disable credential forwarding during GSSAPI authentication
unless the KDC sets the ok-as-delegate bit in the service
- Use the permitted_enctypes krb5.conf setting as the
default value for default_tkt_enctypes and
- Developer experience
- Implement krb5_cc_remove_cred() for all credential cache types.
- Add the krb5_pac_get_client_info() API to get the client
account name from a PAC.
- Protocol evolution
- Add KDC support for S4U2Self requests where the user is
identified by X.509 certificate. (Requires support for
certificate lookup from a third-party KDB module.)
- Remove support for an old ("draft 9") variant of PKINIT.
- Add support for Microsoft NegoEx. (Requires one or more
third-party GSS modules implementing NegoEx mechanisms.)
- User experience
- Add support for "dns_canonicalize_hostname=fallback",
causing host-based principal names to be tried first
without DNS canonicalization, and again with DNS
canonicalization if the un-canonicalized server is not
- Expand single-component hostnames in host-based
principal names when DNS canonicalization is not used,
adding the system's first DNS search path as a suffix.
Add a "qualify_shortname" krb5.conf relation to override
this suffix or disable expansion.
- Honor the transited-policy-checked ticket flag on
application servers, eliminating the requirement to
configure capaths on servers in some scenarios.
- Code quality
- The libkrb5 serialization code (used to export and
import krb5 GSS security contexts) has been simplified and
- The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and
KRB-CRED messages has been revised to conform to current
- The test suite has been modified to work with macOS
System Integrity Protection enabled.
- The test suite incorporates soft-pkcs11 so that PKINIT
PKCS11 support can always be tested.
You may retrieve the Kerberos 5 Release 1.18.3 source from
If you need to acquire the sources from some other distribution
site, you may verify them against the detached
PGP signature for krb5-1.18.3.
$Id: krb5-1.18.3.html,v 1.1 2020/11/17 22:26:26 ghudson Exp $
[ home ]
[ contact ]