krb5-1.8-beta2 is available

Tom Yu tlyu at MIT.EDU
Fri Feb 26 12:50:51 EST 2010


Marcus Watts <mdw at umich.edu> writes:

> The README file says
>> variable that enables "weak" enctypes, which now defaults to "false"
>> beginning with krb5-1.8.  The krb5-1.8 release includes additional
>> measures to ease the transition away from single-DES.
>
> The README doesn't say what those other measures are.

You're right; we should more obviously state what those measures are.
Off the top of my head:

* enctype config enhancements (so you can do "DEFAULT +des", etc.)
* new API to allow applications (e.g. AFS) to explicitly reenable weak
  crypto
* some stuff related to the kadmin history key

Am I missing anything?

> As folks said, you don't have krb5-1.8b1-getprinc.patch.

Thank you for that patch.  We are holding it for the 1.8.1 patch
release.

> Things that I'd love to see in some future version of the code,
>
> * a configure option that actually *removes* the single-des
>   cryptosystem from the built code (as opposed to merely disabling it).

We considered the related idea of outright removing the code that does
single-DES.  Having a configure option to not build the single-DES
code does sound better.  It's an awfully big hammer, but I can see why
some sites might want that.

How soon do people think it would be appropriate to add such an
option? (It won't achieve much code size reduction unless it also
removes triple-DES, at least if building the builtin crypto.)

> * python 2.6 support.

By this do you mean API bindings in python?  For which APIs?


