krb5-1.7-beta1 is available
tlyu at MIT.EDU
Wed Apr 22 17:32:19 EDT 2009
MIT krb5-1.7-beta1 is now available for download from
The main MIT Kerberos web page is
Please send comments to the krbdev list in the next two weeks.
Major changes in 1.7
* Remove support for version 4 of the Kerberos protocol (krb4).
* New libdefaults configuration variable "allow_weak_crypto". NOTE:
Currently defaults to "false", but may default to "true" in a future
release. Setting this variable to "false" will have the effect of
removing weak enctypes (currently defined to be all single-DES
enctypes) from permitted_enctypes, default_tkt_enctypes, and
* Client library now follows client principal referrals, for
compatibility with Windows.
* KDC can issue realm referrals for service principals based on domain
* Encryption algorithm negotiation (RFC 4537).
* In the replay cache, use a hash over the complete ciphertext to
avoid false-positive replay indications.
* Microsoft GSS_WrapEX, implemented using the gss_iov API, which is
similar to the equivalent SSPI functionality.
* DCE RPC, including three-leg GSS context setup and unencapsulated
* NTLM recognition support in GSS-API, to facilitate dropping in an
* KDC support for principal aliases, if the back end supports them.
* Microsoft set/change password (RFC 3244) protocol in kadmind.
* Incremental propagation support for the KDC database.
* Master key rollover support.
* Flexible Authentication Secure Tunneling (FAST), a preauthentication
framework that can protect the AS exchange from dictionary attack.
* Implement client support for GSS_C_DELEG_POLICY_FLAG, which allows a
GSS application to delegate credentials only if permitted by KDC
policy. One minor known bug, which will probably be fixed by final
release, occurs when this functionality is used with cross-realm
authentication; see RT ticket #6473.
* Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 --
various vulnerabilities in SPNEGO and ASN.1 code.
For a more complete list of changes, please consult
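Added example, not part of the original announcement or of MIT krb5: a Python script that models the allow_weak_crypto filtering described in the list above against a krb5.conf, reporting single-DES entries and any enctype list that the filtering would leave empty. The sample file, the function names and the single-DES name set are assumptions of this example; only the two list variables whose names appear in the announcement are checked.

```python
import re

# Single-DES enctype names accepted in krb5.conf ("des" is the family alias).
# The announcement defines weak enctypes as all single-DES enctypes.
SINGLE_DES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
              "des-cbc-raw", "des-hmac-sha1"}
# Only the two list variables named in the announcement text.
ENCTYPE_VARS = ("permitted_enctypes", "default_tkt_enctypes")
TRUE_WORDS = {"true", "yes", "y", "t", "1", "on"}

# Constructed sample configuration (not taken from any real site).
SAMPLE_CONF = """\
[libdefaults]
    permitted_enctypes = aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc
    default_tkt_enctypes = des-cbc-md5, des-cbc-crc
[realms]
    EXAMPLE.COM = { kdc = kdc.example.com }
"""

def parse_libdefaults(conf_text):
    """Return the key/value pairs of the [libdefaults] section."""
    values, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip().lower()] = value.strip()
    return values

def audit(conf_text):
    """Model the filtering the announcement describes and report its effect."""
    lib = parse_libdefaults(conf_text)
    # Unset means "false", the default the announcement gives for this release.
    allow = lib.get("allow_weak_crypto", "false").lower() in TRUE_WORDS
    report = {"allow_weak_crypto": allow, "lists": {}}
    for var in ENCTYPE_VARS:
        if var not in lib:
            continue
        listed = [e.lower() for e in re.split(r"[,\s]+", lib[var]) if e]
        weak = [e for e in listed if e in SINGLE_DES]
        effective = listed if allow else [e for e in listed if e not in SINGLE_DES]
        # "emptied" marks a DES-only list that has nothing left after filtering.
        report["lists"][var] = {"weak": weak, "effective": effective,
                                "emptied": bool(listed) and not effective}
    return report
```

Running audit(SAMPLE_CONF) shows default_tkt_enctypes as emptied: a list made up only of single-DES enctypes has no entries left once allow_weak_crypto is "false", so such lists need a non-DES enctype added before upgrading.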