Kerberos 5 Release 1.20

Kerberos 5 Release 1.20 is now available

The MIT Kerberos Team announces the availability of the krb5-1.20 release. The detached PGP signature is available without going through the download page, if you wish to verify the authenticity of a distribution you have obtained elsewhere.

Please see the README file for a more complete list of changes.

You may also see the current full list of fixed bugs tracked in our RT bugtracking system.

PAC transition

Beginning with release 1.20, the KDC will include minimal PACs in tickets instead of AD-SIGNEDPATH authdata. S4U requests (protocol transition and constrained delegation) must now contain valid PACs in the incoming tickets. If only some KDCs in a realm have been upgraded across version 1.20, the upgraded KDCs will reject S4U requests containing tickets from non-upgraded KDCs and vice versa.

Triple-DES transition

Beginning with the krb5-1.19 release, a warning will be issued if initial credentials are acquired using the des3-cbc-sha1 encryption type. In future releases, this encryption type will be disabled by default and eventually removed.

Beginning with the krb5-1.18 release, single-DES encryption types have been removed.

Major changes in 1.20 (2022-05-26)

Administrator experience
Developer experience
Protocol evolution
Code quality

Retrieving Kerberos 5 Release 1.20

You may retrieve the Kerberos 5 Release 1.20 source from here. If you need to acquire the sources from some other distribution site, you may verify them against the detached PGP signature for krb5-1.20.


$Id: krb5-1.20.html,v 1.2 2022/05/26 17:16:24 ghudson Exp $
MIT Kerberos [ home ] [ contact ]