krb5-1.7-beta3 is available

Tom Yu tlyu at MIT.EDU
Tue May 26 18:40:59 EDT 2009

MIT krb5-1.7-beta3 is now available for download from

The main MIT Kerberos web page is

Please send comments to the krbdev list in the next week.  We expect
to release around June 1.  Changes since krb5-1.7-beta2 are:

+6486    t_pac fails on SPARC Solaris
+6488    NFS fails to work with KRB5 1.7
+6489    UCS2 support doesn't handle upper half of BMP
+6490    Windows interop with RC4 TGS-REQ subkeys
+6492    Remove spurious assertion in handle_authdata
+6493    some fixes for 1.7
+6495    Fix test rules for non-gmake make versions
+6496    Fix vector initialization error in KDC preauth code
+6497    kinit/fast usage message
+6498    spnego_mech.c syntax error under _GSS_STATIC_LINK
+6499    use printf format attribute only with gcc
+6500    use correct type for krb5_c_prf_length length arg
+6501    Temporarily disable FAST PKINIT for 1.7 release
+6502    typo in doc/api/krb5.tex
+6503    typo in admin.texinfo

Major changes in 1.7
* Remove support for version 4 of the Kerberos protocol (krb4).

* New libdefaults configuration variable "allow_weak_crypto".  NOTE:
  Currently defaults to "true", but may default to "false" in a future
  release.  Setting this variable to "false" will have the effect of
  removing weak enctypes (currently defined to be all single-DES
  enctypes) from permitted_enctypes, default_tkt_enctypes, and

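The effect of allow_weak_crypto on the enctype lists, as an added example (not MIT krb5 code): a small Python check that reads the [libdefaults] section of a krb5.conf and reports which single-DES enctypes remain usable. The set of weak enctype names and the boolean spellings it accepts are assumptions, and both sample configs are constructed.

```python
# Assumption (from the release notes): "weak" means the single-DES enctypes;
# these are the single-DES enctype names krb5 recognises.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
                 "des-cbc-raw", "des-hmac-sha1"}
# The enctype-list variables the release notes name.
ENCTYPE_LIST_KEYS = ("permitted_enctypes", "default_tkt_enctypes")

def parse_libdefaults(conf_text):
    """Return the key = value pairs of the [libdefaults] section as a dict."""
    section, values = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "libdefaults" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    return values

def effective_enctypes(conf_text):
    """Enctype lists after allow_weak_crypto is applied (1.7 default: true)."""
    ld = parse_libdefaults(conf_text)
    allow_weak = ld.get("allow_weak_crypto", "true").lower() in ("true", "yes", "1")
    lists = {}
    for key in ENCTYPE_LIST_KEYS:
        if key in ld:
            listed = ld[key].replace(",", " ").split()
            lists[key] = [e for e in listed
                          if allow_weak or e.lower() not in WEAK_ENCTYPES]
    return lists

def weak_enctypes_in_use(conf_text):
    """Audit helper: single-DES enctypes still usable under this config."""
    return sorted({e for lst in effective_enctypes(conf_text).values()
                   for e in lst if e.lower() in WEAK_ENCTYPES})

# Constructed sample configs, not taken from any real deployment.
LEGACY_CONF = """\
[libdefaults]
# allow_weak_crypto is absent, so it takes the 1.7 default of true
    default_realm = EXAMPLE.COM
    permitted_enctypes = aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 des-cbc-md5
"""
HARDENED_CONF = LEGACY_CONF.replace("[libdefaults]",
                                    "[libdefaults]\n    allow_weak_crypto = false")
```

Running weak_enctypes_in_use on both configs shows the legacy one still offering des-cbc-crc and des-cbc-md5 and the hardened one offering none, which is the behaviour the note above describes for a "false" setting.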
* Client library now follows client principal referrals, for
  compatibility with Windows.

* KDC can issue realm referrals for service principals based on domain

* Encryption algorithm negotiation (RFC 4537).

* In the replay cache, use a hash over the complete ciphertext to
  avoid false-positive replay indications.

* Microsoft GSS_WrapEX, implemented using the gss_iov API, which is
  similar to the equivalent SSPI functionality.

* DCE RPC, including three-leg GSS context setup and unencapsulated
  GSS tokens.

* NTLM recognition support in GSS-API, to facilitate dropping in an
  NTLM implementation.

* KDC support for principal aliases, if the back end supports them.
  Currently, only the LDAP back end supports aliases.

* Microsoft set/change password (RFC 3244) protocol in kadmind.

* Incremental propagation support for the KDC database.

* Master key rollover support.

* Flexible Authentication Secure Tunneling (FAST), a preauthentication
  framework that can protect the AS exchange from dictionary attack.

* Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which
  allows a GSS application to request credential delegation only if
  permitted by KDC policy.

* Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 --
  various vulnerabilities in SPNEGO and ASN.1 code.

For a more complete list of changes, please consult
