krb5-1.8.3-beta1 is available
tlyu at MIT.EDU
Sun Jul 25 15:22:17 EDT 2010
MIT krb5-1.8.3-beta1 is now available for download from
The main MIT Kerberos web page is
We welcome any additional comments on the GSS-API behavior change
described among the major changes below. This release is the code
freeze for the krb5-1.8.3 release, which will probably have a final
release early next week. Please send comments to the krbdev list.
The README file contains a more extensive list of changes.
The Data Encryption Standard (DES) is widely recognized as weak. The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems. Among these is a configuration
variable that enables "weak" enctypes, which now defaults to "false"
beginning with krb5-1.8. The krb5-1.8 release includes additional
measures to ease the transition away from single-DES. These
additional measures include:
* enctype config enhancements (so you can do "DEFAULT +des", etc.)
* new API to allow applications (e.g. AFS) to explicitly reenable weak
* easier kadmin history key changes
Major changes in 1.8.3
* Behavior Change:
GSS-API context expiration -- the gss_wrap and gss_unwrap
functions no longer check for ticket expiration. Applications
wishing to enforce ticket lifetimes should check using the
gss_inquire_context function. The previous behavior of checking
for ticket expiration produced results that were not expected by
application developers, and could lead to poor user experience.
* Fix an interoperability issue when the Microsoft HMAC-MD5 checksum
type was used with non-RC4 keys.
* Fix an interoperability issue with ephemeral Diffie-Hellman key
exchange in PKINIT that would happen for less than 1% of
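For sites tracking the single-DES transition described in the announcement, the check below flags krb5.conf settings that turn weak enctypes back on. It is an added example, not part of the announcement or of MIT krb5; the function name audit_weak_enctypes and the sample file are constructed for illustration, and the script assumes the standard allow_weak_crypto, permitted_enctypes, default_tkt_enctypes and default_tgs_enctypes settings in [libdefaults].

```shell
#!/bin/sh
# Added example: flag krb5.conf settings that re-enable single-DES.
# Prints one finding per line; returns 1 if anything was flagged, else 0.
audit_weak_enctypes() {
    awk '
    { gsub(/^[ \t]+|[ \t]+$/, "") }            # trim whitespace
    /^[#;]/ || $0 == "" { next }               # comment or blank line
    /^\[/ { section = $0; next }               # track the current section
    section != "[libdefaults]" || !/=/ { next }
    {
        key = $0; sub(/[ \t]*=.*/, "", key)
        val = tolower($0); sub(/^[^=]*=[ \t]*/, "", val)
    }
    # Values the profile library reads as boolean true.
    key == "allow_weak_crypto" && val ~ /^(y|yes|t|true|on|1)$/ {
        print "line " NR ": allow_weak_crypto is enabled"; bad = 1
    }
    key ~ /^(permitted|default_tkt|default_tgs)_enctypes$/ {
        n = split(val, tok, /[ \t,]+/)
        for (i = 1; i <= n; i++) {
            t = tok[i]
            if (t ~ /^-/) continue             # "-des" removes, not adds
            sub(/^\+/, "", t)
            # "des" is the family keyword; "des-..." are single-DES
            # enctypes. "des3..." does not match either test.
            if (t == "des" || t ~ /^des-/) {
                print "line " NR ": " key " lists " t; bad = 1
            }
        }
    }
    END { exit bad + 0 }
    ' "$1"
}

# Constructed sample input, not taken from any real site.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = true
    permitted_enctypes = DEFAULT +des
    default_tgs_enctypes = aes256-cts des3-cbc-sha1 -des
EOF
audit_weak_enctypes "$sample" || echo "weak enctype settings found"
rm -f "$sample"
```

A DES entry in an enctype list only takes effect while allow_weak_crypto is true, because weak enctypes are otherwise filtered out of these lists; the script reports both so that a leftover "+des" is not missed.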