krb5-1.7-beta1 is available

Tom Yu tlyu at MIT.EDU
Wed Apr 22 17:32:19 EDT 2009

Hash: SHA1

MIT krb5-1.7-beta1 is now available for download from

The main MIT Kerberos web page is

Please send comments to the krbdev list in the next two weeks.

Major changes in 1.7
- --------------------

* Remove support for version 4 of the Kerberos protocol (krb4).

* New libdefaults configuration variable "allow_weak_crypto".  NOTE:
  Currently defaults to "false", but may default to "true" in a future
  release.  Setting this variable to "false" will have the effect of
  removing weak enctypes (currently defined to be all single-DES
  enctypes) from permitted_enctypes, default_tkt_enctypes, and

* Client library now follows client principal referrals, for
  compatibility with Windows.

* KDC can issue realm referrals for service principals based on domain

* Encryption algorithm negotiation (RFC 4537).

* In the replay cache, use a hash over the complete ciphertext to
  avoid false-positive replay indications.

* Microsoft GSS_WrapEX, implemented using the gss_iov API, which is
  similar to the equivalent SSPI functionality.

* DCE RPC, including three-leg GSS context setup and unencapsulated
  GSS tokens.

* NTLM recognition support in GSS-API, to facilitate dropping in an
  NTLM implementation.

* KDC support for principal aliases, if the back end supports them.

* Microsoft set/change password (RFC 3244) protocol in kadmind.

* Incremental propagation support for the KDC database.

* Master key rollover support.

* Flexible Authentication Secure Tunneling (FAST), a preauthentiation
  framework that can protect the AS exchange from dictionary attack.

* Implement client support for GSS_C_DELEG_POLICY_FLAG, which allows a
  GSS application to delegate credentials only if permitted by KDC
  policy.  One minor known bug, which will probably be fixed by final
  release, occurs when this functionality is used with cross-realm
  authentication; see RT ticket #6473.

* Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 --
  various vulnerabilities in SPNEGO and ASN.1 code.

For a more complete list of changes, please consult
Version: GnuPG v1.4.8 (SunOS)


More information about the krbdev mailing list