Kerberos 5 Release 1.9.1
The MIT Kerberos Team announces the availability of the
krb5-1.9.1 release. The detached PGP
signature is available without going through the download
page, if you wish to verify the authenticity of a distribution
you have obtained elsewhere.
Please see the README file for a
more complete list of changes.
You may also see the current full
of fixed bugs tracked in our RT bugtracking system.
The Data Encryption Standard (DES) is widely recognized as
weak. The krb5-1.7 release contains measures to encourage sites
to migrate away from using single-DES cryptosystems. Among
these is a configuration variable that enables "weak" enctypes,
which now defaults to "false" beginning with krb5-1.8.
Major changes in 1.9.1
This is primarily a bugfix release.
- Fix vulnerabilities:
- kpropd denial of service [MITKRB5-SA-2011-001 CVE-2010-4022]
- KDC denial of service attacks [MITKRB5-SA-2011-002
CVE-2011-0281 CVE-2011-0282 CVE-2011-0283]
- KDC double-free when PKINIT enabled [MITKRB5-SA-2011-003
- kadmind frees invalid pointer [MITKRB5-SA-2011-004 CVE-2011-0285]
- Don't reject AP-REQ messages if their PAC doesn't validate;
suppress the PAC instead.
- Correctly validate HMAC-MD5 checksums that use DES keys
Major changes in 1.9
- Code quality
- Fix MITKRB5-SA-2010-007 checksum vulnerabilities
(CVE-2010-1324 and others).
- Add a Python-based testing framework.
- Perform DAL cleanup.
- Developer experience
- Add NSS crypto back end.
- Improve PRNG modularity.
- Add a Fortuna-like PRNG back end.
- Account lockout performance improvements -- allow disabling of some
account lockout functionality to reduce the number of write
operations to the database during authentication
- Add support for multiple KDC worker processes.
- Administrator experience
- Add Trace logging support to ease the diagnosis of configuration
- Add support for purging old keys (e.g. from "cpw
- Add plugin interface for password sync -- based on
proposed patches by Russ Allbery that support his
- Add plugin interface for password quality checks --
enables pluggable password quality checks similar to Russ
Allbery's krb5-strength package.
- Add a configuration file validator script.
- Add KDC support for SecurID preauthentication -- this is
the old SAM-2 protocol, implemented to support existing
deployments, not the in-progress FAST-OTP work.
- Add "cheat" capability for kinit when running on a KDC host.
- Protocol evolution
- Add support for IAKERB -- a mechanism for tunneling
Kerberos KDC transactions over GSS-API, enabling clients
to authenticate to services even when the clients cannot
directly reach the KDC that serves the services.
- Add support for Camellia encryption (experimental; disabled by
- Add GSS-API support for implementors of the SASL GS2 bridge
Known bugs reported against krb5-1.9.1 are listed
Please note that the HTML versions of these documents are
converted from texinfo, and that the conversion is imperfect.
If you want PostScript or GNU info versions, please download
the documentation tarball.
You may retrieve the Kerberos 5 Release 1.9.1 source from
If you need to acquire the sources from some other distribution
site, you may verify them against the detached
PGP signature for krb5-1.9.1.
$Id: krb5-1.9.1.html,v 1.3 2011/08/03 20:10:46 tlyu Exp $
[ home ]
[ contact ]