[Mitkc-announce] MIT Kerberos 5 Release 1.7 is now available

Stephen C. Buckley sbuckley at MIT.EDU
Tue Jun 2 13:21:12 EDT 2009


The MIT Kerberos Consortium Team announces the availability of the  
krb5-1.7 release.

The krb5-1.7 release contains a large number of changes, featuring  
improvements in the following broad areas:

     * Compatibility with Microsoft Windows
     * Administrator experience
     * User experience
     * Code quality
     * Protocol evolution

Compatibility with Microsoft Windows:

     * Follow client principal referrals in the client library when  
obtaining initial tickets.
     * KDC can issue realm referrals for service principals based on  
domain names.
     * Extensions supporting DCE RPC, including three-leg GSS context  
setup and unencapsulated GSS tokens inside SPNEGO.
     * Microsoft GSS_WrapEX, implemented using the gss_iov API, which  
is similar to the equivalent SSPI functionality. This is needed to  
support some instances of DCE RPC.
     * NTLM recognition support in GSS-API, to facilitate dropping in  
an NTLM implementation for improved compatibility with older releases  
of Microsoft Windows.
     * KDC support for principal aliases, if the back end supports  
them. Currently, only the LDAP back end supports aliases.
     * Support Microsoft set/change password (RFC 3244) protocol in  
kadmind.
     * Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG,  
which allows a GSS application to request credential delegation only  
if permitted by KDC policy.

Administrator experience:

     * Install header files for the administration API, allowing  
third-party software to manipulate the KDC database.
     * Incremental propagation support for the KDC database.
     * Master key rollover support, making it easier to change master  
key passwords or encryption types.
     * New libdefaults configuration variable "allow_weak_crypto".  
NOTE: Currently defaults to "true", but may default to "false" in a  
future release. Setting this variable to "false" will have the effect  
of removing weak enctypes (currently defined to be all single-DES  
enctypes) from permitted_enctypes, default_tkt_enctypes, and  
default_tgs_enctypes.
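As an added example (not part of this announcement or of the MIT krb5 code), a small Python audit that reads the [libdefaults] section of a krb5.conf and reports whether single-DES enctypes are still usable under the 1.7 behaviour described above (allow_weak_crypto unset is treated as "true"). The enctype names are the standard MIT identifiers for single-DES; both sample configurations are constructed for the example.

```python
"""Audit krb5.conf [libdefaults] for the allow_weak_crypto behaviour of krb5-1.7.
Added example, not MIT code. Assumes the 1.7 default (unset => true)."""
import re

# krb5-1.7 defines "weak" as all single-DES enctypes; standard MIT names.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-cbc-raw", "des-hmac-sha1"}
ENCTYPE_KEYS = ("permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes")

def parse_libdefaults(text):
    """Return key -> value for the [libdefaults] section only ('#' starts a comment)."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            values[key.lower()] = val
    return values

def audit_weak_crypto(text):
    """Report whether single-DES enctypes remain permitted under this config."""
    cfg = parse_libdefaults(text)
    allow_weak = cfg.get("allow_weak_crypto", "true").lower() in ("true", "yes", "1")
    findings = []
    if allow_weak:
        findings.append("allow_weak_crypto is true or unset: weak enctypes stay permitted")
        # With allow_weak_crypto=false these lists are filtered, so only flag them here.
        for key in ENCTYPE_KEYS:
            des = sorted(e for e in re.split(r"[\s,]+", cfg.get(key, "")) if e in SINGLE_DES)
            if des:
                findings.append("%s lists single-DES enctypes: %s" % (key, ", ".join(des)))
    return {"allow_weak_crypto": allow_weak, "findings": findings}

# Constructed sample configurations (not from any real deployment).
WEAK_CONF = """[libdefaults]
    default_realm = EXAMPLE.COM   # allow_weak_crypto left unset: 1.7 treats it as true
    permitted_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc
"""
HARDENED_CONF = """[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = false
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_weak_crypto(conf))
```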

User experience:

     * Provide enhanced GSS-API error message including supplementary  
details about error conditions.
     * In the replay cache, use a hash over the complete ciphertext  
to avoid false-positive replay indications.

Code quality:

     * Replace many uses of "unsafe" string functions. While most of  
these instances were innocuous, they impeded efficient automatic and  
manual static code analysis.
     * Fix many instances of resource leaks and similar bugs  
identified by static analysis tools.
     * Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847  
-- various vulnerabilities in SPNEGO and ASN.1 code.

Protocol evolution:

     * Remove support for version 4 of the Kerberos protocol (krb4).
     * Encryption algorithm negotiation (RFC 4537), allowing clients  
and application services to negotiate stronger encryption than their  
KDC supports.
     * Flexible Authentication Secure Tunneling (FAST), a  
preauthentication framework that can protect the AS exchange from  
dictionary attacks on weak user passwords.

More information is available on the Kerberos Release Page at MIT:  
http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7.html

Kind regards,

s


_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/

Stephen C. Buckley
Executive Director
MIT Kerberos Consortium
Massachusetts Institute of Technology
web: http://www.kerberos.org
office: + 1 617-324-9167
mobile: + 1 617-645-6278


