Kerberos 5 Release 1.16.2

• Announcement
• README file
• Known Bugs
• Documentation
• Retrieving

Kerberos 5 Release 1.16.2 is now available

The MIT Kerberos Team announces the availability of the krb5-1.16.2 release. The detached PGP signature is available without going through the download page, if you wish to verify the authenticity of a distribution you have obtained elsewhere.

Please see the README file for a more complete list of changes.

You may also see the current full list of fixed bugs tracked in our RT bugtracking system.

DES transition

The Data Encryption Standard (DES) is widely recognized as weak. The krb5-1.7 release contains measures to encourage sites to migrate away from using single-DES cryptosystems. Among these is a configuration variable that enables "weak" enctypes, which now defaults to "false" beginning with krb5-1.8.

Major changes in 1.16.2 (2018-11-01)

This is a bug fix release.

• Fix bugs with concurrent use of MEMORY ccache handles.
• Fix a KDC crash when falling back between multiple OTP tokens configured for a principal entry.
• Fix memory bugs when gss_add_cred() is used to create a new credential, and fix a bug where it ignores the desired_name.
• Fix the behavior of gss_inquire_cred_by_mech() when the credential does not contain an element of the requested mechanism.
• Make cross-realm S4U2Self requests work on the client when no default_realm is configured.
• Add a kerberos(7) man page containing documentation of the environment variables that affect Kerberos programs.

Major changes in 1.16.1 (2018-05-03)

This is a bug fix release.

• Fix flaws in LDAP DN checking, including a null dereference KDC crash which could be triggered by kadmin clients with administrative privileges [CVE-2018-5729, CVE-2018-5730].
• Fix a KDC PKINIT memory leak.
• Fix a small KDC memory leak on transited or authdata errors when processing TGS requests.
• Fix a regression in pkinit_cert_match matching of client certificates containing Microsoft UPN SANs.
• Fix a null dereference when the KDC sends a large TGS reply.
• Fix "kdestroy -A" with the KCM credential cache type.
• Allow validation of Microsoft PACs containing enterprise names.
• Fix the handling of capaths "." values.
• Fix handling of repeated subsection specifications in profile files (such as when multiple included files specify relations in the same subsection).

Major changes in 1.16 (2017-12-05)

Administrator experience

• The KDC can match PKINIT client certificates against the "pkinit_cert_match" string attribute on the client principal entry, using the same syntax as the existing "pkinit_cert_match" profile option.
• The ktutil addent command supports the "-k 0" option to ignore the key version, and the "-s" option to use a non-default salt string.
• kpropd supports a --pid-file option to write a pid file at startup, when it is run in standalone mode.
• The "encrypted_challenge_indicator" realm option can be used to attach an authentication indicator to tickets obtained using FAST encrypted challenge pre-authentication.
• Localization support can be disabled at build time with the --disable-nls configure option.

Developer experience

• The kdcpolicy pluggable interface allows modules control whether tickets are issued by the KDC.
• The kadm5_auth pluggable interface allows modules to control whether kadmind grants access to a kadmin request.
• The certauth pluggable interface allows modules to control which PKINIT client certificates can authenticate to which client principals.
• KDB modules can use the client and KDC interface IP addresses to determine whether to allow an AS request.
• GSS applications can query the bit strength of a krb5 GSS context using the GSS_C_SEC_CONTEXT_SASL_SSF OID with gss_inquire_sec_context_by_oid().
• GSS applications can query the impersonator name of a krb5 GSS credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with gss_inquire_cred_by_oid().
• kdcpreauth modules can query the KDC for the canonicalized requested client principal name, or match a principal name against the requested client principal name with canonicalization.

Protocol evolution

• The client library will continue to try pre-authentication mechanisms after most failure conditions.
• The KDC will issue trivially renewable tickets (where the renewable lifetime is equal to or less than the ticket lifetime) if requested by the client, to be friendlier to scripts.
• The client library will use a random nonce for TGS requests instead of the current system time.
• For the RC4 string-to-key or PAC operations, UTF-16 is supported (previously only UCS-2 was supported).
• When matching PKINIT client certificates, UPN SANs will be matched correctly as UPNs, with canonicalization.

User experience

• Dates after the year 2038 are accepted (provided that the platform time facilities support them), through the year 2106.
• Automatic credential cache selection based on the client realm will take into account the fallback realm and the service hostname.
• Referral and alternate cross-realm TGTs will not be cached, avoiding some scenarios where they can be added to the credential cache multiple times.
• A German translation has been added.

Code quality

• The build is warning-clean under clang with the configured warning options.
• The automated test suite runs cleanly under AddressSanitizer.

Retrieving Kerberos 5 Release 1.16.2

You may retrieve the Kerberos 5 Release 1.16.2 source from here. If you need to acquire the sources from some other distribution site, you may verify them against the detached PGP signature for krb5-1.16.