krb5-1.7-beta2 is available
tlyu at MIT.EDU
Tue May 12 19:39:43 EDT 2009
MIT krb5-1.7-beta2 is now available for download from
The main MIT Kerberos web page is
Please send comments to the krbdev list in the next week. Changes
since krb5-1.7-beta1 are mostly bug fixes, but KDC support for setting
the ok-as-delegate flag is now included.
Major changes in 1.7
* Remove support for version 4 of the Kerberos protocol (krb4).
* New libdefaults configuration variable "allow_weak_crypto". NOTE:
  Currently defaults to "true", but may default to "false" in a future
  release. Setting this variable to "false" will have the effect of
  removing weak enctypes (currently defined to be all single-DES
  enctypes) from permitted_enctypes, default_tkt_enctypes, and
* Client library now follows client principal referrals, for
  compatibility with Windows.
* KDC can issue realm referrals for service principals based on domain
* Encryption algorithm negotiation (RFC 4537).
* In the replay cache, use a hash over the complete ciphertext to
  avoid false-positive replay indications.
* Microsoft GSS_WrapEX, implemented using the gss_iov API, which is
  similar to the equivalent SSPI functionality.
* DCE RPC, including three-leg GSS context setup and unencapsulated
* NTLM recognition support in GSS-API, to facilitate dropping in an
* KDC support for principal aliases, if the back end supports them.
  Currently, only the LDAP back end supports aliases.
* Microsoft set/change password (RFC 3244) protocol in kadmind.
* Incremental propagation support for the KDC database.
* Master key rollover support.
* Flexible Authentication Secure Tunneling (FAST), a preauthentication
  framework that can protect the AS exchange from dictionary attack.
* Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which
  allows a GSS application to request credential delegation only if
  permitted by KDC policy.
* Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 --
  various vulnerabilities in SPNEGO and ASN.1 code.
For a more complete list of changes, please consult
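Added example (not part of the original announcement or of MIT krb5): a small audit of a krb5.conf [libdefaults] section for the "allow_weak_crypto" behaviour described above. The sample configuration is constructed, the function names are hypothetical, and only the two enctype list variables the announcement names in full are checked; library defaults for unset lists are not modelled.

```python
import re

# Single-DES enctype names; the announcement defines "weak" as all single-DES enctypes.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
                 "des-cbc-raw", "des-hmac-sha1"}
# Only the list variables the announcement names in full.
ENCTYPE_LISTS = ("permitted_enctypes", "default_tkt_enctypes")
TRUE_VALUES = {"true", "t", "yes", "y", "1", "on"}

# Constructed sample input: allow_weak_crypto is left unset.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    # allow_weak_crypto intentionally not set
    permitted_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc
    default_tkt_enctypes = aes256-cts-hmac-sha1-96, des-cbc-md5, rc4-hmac
[domain_realm]
    .example.com = EXAMPLE.COM
"""

def parse_libdefaults(text):
    """Return the key/value pairs found in the [libdefaults] section."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit(text):
    """Report explicitly listed single-DES enctypes and whether they stay usable."""
    conf = parse_libdefaults(text)
    # Per the announcement, an unset allow_weak_crypto defaults to "true" in 1.7.
    allowed = conf.get("allow_weak_crypto", "true").lower() in TRUE_VALUES
    listed = {}
    for name in ENCTYPE_LISTS:
        entries = re.split(r"[,\s]+", conf.get(name, "").lower())
        weak = [e for e in entries if e in WEAK_ENCTYPES]
        if weak:
            listed[name] = weak
    # With allow_weak_crypto = false the library removes these entries from the lists.
    return {"allow_weak_crypto": allowed, "weak_listed": listed,
            "weak_listed_usable": allowed and bool(listed)}
```

Running audit() over a deployed krb5.conf before and after adding "allow_weak_crypto = false" shows which explicitly configured single-DES entries the setting neutralises.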