krb5-1.8-alpha1 is available

Tom Yu tlyu at
Thu Jan 7 09:47:56 EST 2010

Hash: SHA1

MIT krb5-1.8-alpha1 is now available for download from

The main MIT Kerberos web page is

Please send comments to the krbdev list.

The README file contains a more extensive list of changes.

Major changes in 1.8
- --------------------

The krb5-1.8 release contains a large number of changes, featuring
improvements in the following broad areas:

* Code quality
* Modularity
* Performance
* End-user experience
* Administrator experience
* Protocol evolution

Code quality:

* Move toward test-driven development -- new features have test code,
  or at least written testing procedures.

* Increase conformance to coding style

  + "The great reindent"

  + Selective refactoring


* Crypto modularity -- vendors can more easily substitute their own
  crypto implementations, which might be hardware-accelerated or
  validated to FIPS 140, for the builtin crypto implementation that
  has historically shipped as part of MIT Kerberos.  Currently, only
  an OpenSSL provider is included, but others are possible.

* Move toward improved KDB interface

* Improved API for verifying and interrogating authorization data


* Investigate and remedy repeatedly-reported performance bottlenecks.

* Encryption performance -- new crypto API with opaque key structures,
  to allow for optimizations such as caching of derived keys

End-user experience:

* Reduce DNS dependence by implementing an interface that allows
  client library to track whether a KDC supports service principal

Administrator experience:

* Disable DES by default -- this reduces security exposure from using
  an increasingly insecure cipher.

* More versatile crypto configuration, to simplify migration away from
  DES -- new configuration syntax to allow inclusion and exclusion of
  specific algorithms relative to a default set.

* Account lockout for repeated login failures -- mitigates online
  password guessing attacks, and helps with some enterprise regulatory

Protocol evolution:

* FAST enhancements -- preauthentication framework enhancements

* Microsoft Services for User (S4U) compatibility: S4U2Self, also
  known as "protocol transition", allows for service to ask a KDC for
  a ticket to themselves on behalf of a client authenticated via a
  different means; S4U2Proxy allows a service to ask a KDC for a
  ticket to another service on behalf of a client.

* Anonymous PKINIT -- allows the use of public-key cryptography to
  anonymously authenticate to a realm
Version: GnuPG v1.4.8 (SunOS)


More information about the krbdev mailing list