krb5-1.9-beta3 is available

Tom Yu tlyu at MIT.EDU
Thu Dec 16 14:38:23 EST 2010

MIT krb5-1.9-beta3 is now available for download from

The main MIT Kerberos web page is

Please send comments to the krbdev list.  This is a beta release
intended to be the code freeze for the 1.9 release.  The final release
will probably occur in the next week.  The README file contains a more
extensive list of changes.

Changes since 1.9-beta2 include fixing an Open Directory interop
problem and fixing a regression in the handling of renewable tickets.

Major changes in 1.9
--------------------

Code quality:

* Fix MITKRB5-SA-2010-007 checksum vulnerabilities (CVE-2010-1324 and others)
* Python-based testing framework
* DAL cleanup

Developer experience:

* NSS crypto back end
* PRNG modularity
* Fortuna-like PRNG


* Account lockout performance improvements -- allow disabling of some
  account lockout functionality to reduce the number of write
  operations to the database during authentication

Administrator experience:

* Trace logging -- for easier diagnosis of configuration problems

* Support for purging old keys (e.g. from "cpw -randkey -keepold")

* Plugin interface for password sync -- based on proposed patches by
  Russ Allbery that support his krb5-sync package

* Plugin interface for password quality checks -- enables pluggable
  password quality checks similar to Russ Allbery's krb5-strength

* Configuration file validator

* KDC support for SecurID preauthentication -- This is the old SAM-2
  protocol, implemented to support existing deployments, not the
  in-progress FAST-OTP work.

Protocol evolution:

* IAKERB -- a mechanism for tunneling Kerberos KDC transactions over
  GSS-API, enabling clients to authenticate to services even when the
  clients cannot directly reach the KDC that serves the services.

* Camellia encryption (experimental; disabled by default)