Kerberos 5 Release 1.17
The MIT Kerberos Team announces the availability of the
krb5-1.17 release. The detached PGP
signature is available without going through the download
page, if you wish to verify the authenticity of a distribution
you have obtained elsewhere.
Please see the README file for a
more complete list of changes.
You may also see the current full
of fixed bugs tracked in our RT bugtracking system.
The Data Encryption Standard (DES) is widely recognized as
weak. The krb5-1.7 release contains measures to encourage sites
to migrate away from using single-DES cryptosystems. Among
these is a configuration variable that enables "weak" enctypes,
which now defaults to "false" beginning with krb5-1.8.
Major changes in 1.17 (2019-01-08)
- Administrator experience
- A new Kerberos database module using the Lightning
Memory-Mapped Database library (LMDB) has been added. The
LMDB KDB module should be more performant and more robust
than the DB2 module, and may become the default module for
new databases in a future release.
- "kdb5_util dump" will no longer dump policy entries when
specific principal names are requested.
- kpropd supports a --pid-file option to write a pid file
at startup, when it is run in standalone mode.
- Developer experience
- The new krb5_get_etype_info() API can be used to
retrieve enctype, salt, and string-to-key parameters from
the KDC for a client principal.
- The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows
enterprise principal names to be used with GSS-API
- KDC and kadmind modules which call com_err() will now
write to the log file in a format more consistent with
other log messages.
- Programs which use large numbers of memory credential
caches should perform better.
- Protocol evolution
- The SPAKE pre-authentication mechanism is now supported.
This mechanism protects against password dictionary
attacks without requiring any additional infrastructure
such as certificates. SPAKE is enabled by default on
clients, but must be manually enabled on the KDC for this
- PKINIT freshness tokens are now supported. Freshness
tokens can protect against scenarios where an attacker
uses temporary access to a smart card to generate
authentication requests for the future.
- Password change operations now prefer TCP over UDP, to
avoid spurious error messages about replays when a
response packet is dropped.
- The KDC now supports cross-realm S4U2Self requests when
used with a third-party KDB module such as Samba's. The
client code for cross-realm S4U2Self requests is also now
- User experience
- The new ktutil addent -f flag can be used to fetch salt
information from the KDC for password-based keys.
- The new kdestroy -p option can be used to destroy a
credential cache within a collection by client principal
- The Kerberos man page has been restored, and documents
the environment variables that affect programs using the
- Code quality
- Python test scripts now use Python 3.
- Python test scripts now display markers in verbose
output, making it easier to find where a failure occurred
within the scripts.
- The Windows build system has been simplified and updated
to work with more recent versions of Visual Studio. A
large volume of unused Windows-specific code has been
removed. Visual Studio 2013 or later is now required.
You may retrieve the Kerberos 5 Release 1.17 source from
If you need to acquire the sources from some other distribution
site, you may verify them against the detached
PGP signature for krb5-1.17.
$Id: krb5-1.17.html,v 1.6 2019/07/15 02:12:22 ghudson Exp $
[ home ]
[ contact ]