krb5-1.12 is released

Tom Yu tlyu at MIT.EDU
Tue Dec 10 23:55:04 EST 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.12.  Please see below for a list of some major changes
included, or consult the README file in the source tree for a more
detailed list of significant changes.

RETRIEVING KERBEROS 5 RELEASE 1.12
==================================

You may retrieve the Kerberos 5 Release 1.12 source from the
following URL:

        http://web.mit.edu/kerberos/dist/

The homepage for the krb5-1.12 release is:

        http://web.mit.edu/kerberos/krb5-1.12/

Further information about Kerberos 5 may be found at the following
URL:

        http://web.mit.edu/kerberos/

and at the MIT Kerberos Consortium web site:

        http://www.kerberos.org/

DES transition
==============

The Data Encryption Standard (DES) is widely recognized as weak.  The
krb5-1.7 release contains measures to encourage sites to migrate away
- From using single-DES cryptosystems.  Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.

Major changes in 1.12 (2013-12-10)
==================================

Developer experience:

* Add a plugin interface to control krb5_aname_to_localname and
  krb5_kuserok behavior.

* Add a plugin interface to control hostname-to-realm mappings and the
  default realm.

* Add GSSAPI extensions for constructing MIC tokens using IOV lists.

Administrator experience:

* Principal entries may now refer to the names of policies which do
  not exist as policy objects in the database.  Policy objects may now
  be deleted whether or not principals reference their names.  A
  principal which references a nonexistent policy name will behave as
  if it does not reference a policy.

* Add support for having no long-term keys for a principal. This can
  be useful if the principal is only intended to be used with PKINIT
  or OTP preauthentication.

* Add collection support to the KEYRING credential cache type on
  Linux, and add support for persistent user keyrings and larger
  credentials on systems which support them.

* Add a FAST OTP preauthentication module for the KDC which uses
  RADIUS to validate OTP token values.

* Add an experimental pluggable interface for auditing KDC
  processing. This interface may change in a backwards-incompatible
  way in a future release.

Performance:

* The AES-based encryption types will use AES-NI instructions when
  possible for improved performance.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (SunOS)

iQEVAwUBUqfwLhUCTNN0nXiJAQJfvggAl8uyI+zn5embgfkIaXaknfnahhaUIm86
8wuOTNHMY6JUMbkN9ggAWy2DDfuTwhW68soXyl1OSUlV1dmV9UCPqLBdOAwQEXoI
gZUXCO3LfAeP7MLLFRg5ciHAspfwyuyrkeUDEEIQrNIWg+VGtwofhQtkwVpOirsO
yeTm8QfPwrdPfadZV+iVpiREaXtoQ0Tn1IDD5kTgSqawYVtUX8Lv78R+UGXH3z7h
ulwSssVjj22fgbdF4hiQc1IJuCCzwhHO+5hyM9D43xxgFBcHD+3UnVrKUASou7Kp
SNiQxOJNVrtIByd7EV14LPgjq2VWODo28biG7twVRzTHevIVAi0/Zg==
=7E0A
-----END PGP SIGNATURE-----



More information about the kerberos-announce mailing list