krb5-1.8.3-beta1 is available

Tom Yu tlyu at MIT.EDU
Sun Jul 25 15:22:17 EDT 2010


MIT krb5-1.8.3-beta1 is now available for download from

The main MIT Kerberos web page is

We welcome any additional comments on the GSS-API behavior change
described among the major changes below.  This release is the code
freeze for the krb5-1.8.3 release, which will probably have a final
release early next week.  Please send comments to the krbdev list.

The README file contains a more extensive list of changes.

The Data Encryption Standard (DES) is widely recognized as weak.  The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems.  Among these is a configuration
variable that enables "weak" enctypes, which now defaults to "false"
beginning with krb5-1.8.  The krb5-1.8 release includes additional
measures to ease the transition away from single-DES.  These
additional measures include:

* enctype config enhancements (so you can do "DEFAULT +des", etc.)
* new API to allow applications (e.g. AFS) to explicitly reenable weak
* easier kadmin history key changes

Major changes in 1.8.3
----------------------

* Behavior Change:

    GSS-API context expiration -- the gss_wrap and gss_unwrap
    functions no longer check for ticket expiration.  Applications
    wishing to enforce ticket lifetimes should check using the
    gss_inquire_context function.  The previous behavior of checking
    for ticket expiration produced results that were not expected by
    application developers, and could lead to poor user experience.

* Fix an interoperability issue when the Microsoft HMAC-MD5 checksum
  type was used with non-RC4 keys.

* Fix an interoperability issue with ephemeral Diffie-Hellman key
  exchange in PKINIT that would happen for less than 1% of
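The GSS-API behavior change in the announcement above leaves ticket-lifetime enforcement to the application. The C code below is an added example, not code from MIT krb5 or from the announcement: it calls gss_inquire_context before gss_wrap and refuses to protect data on an expired context. The names judge_context, wrap_if_unexpired, min_remaining and the USE_GSSAPI build switch are hypothetical; the GSS-API part assumes the GSS-API headers are installed and the program is linked against MIT's library (-lgssapi_krb5).

```c
/* Added example, not MIT krb5 code.  All names here are hypothetical.
 * Build the GSS-API part with: cc -DUSE_GSSAPI file.c -lgssapi_krb5 */
#include <stddef.h>
#include <stdint.h>

#define LIFETIME_INDEFINITE 0xffffffffu   /* same value as GSS_C_INDEFINITE */

enum ctx_verdict { CTX_OK, CTX_INQUIRE_FAILED, CTX_NOT_ESTABLISHED, CTX_EXPIRED };

/* Policy applied to the outputs of gss_inquire_context().  lifetime_rec is
 * the number of seconds the context stays valid; 0 means it has expired.
 * min_remaining (assumption) lets a caller demand some headroom. */
enum ctx_verdict judge_context(int inquire_failed, int open,
                               uint32_t lifetime_rec, uint32_t min_remaining)
{
    if (inquire_failed)
        return CTX_INQUIRE_FAILED;
    if (!open)
        return CTX_NOT_ESTABLISHED;        /* handshake not finished */
    if (lifetime_rec == LIFETIME_INDEFINITE)
        return CTX_OK;                     /* context never expires */
    if (lifetime_rec == 0 || lifetime_rec < min_remaining)
        return CTX_EXPIRED;
    return CTX_OK;
}

#ifdef USE_GSSAPI
#include <gssapi/gssapi.h>

/* gss_wrap() that first enforces the ticket lifetime, since gss_wrap and
 * gss_unwrap no longer do so themselves. */
OM_uint32 wrap_if_unexpired(OM_uint32 *minor, gss_ctx_id_t ctx,
                            gss_buffer_t in, gss_buffer_t out,
                            uint32_t min_remaining)
{
    OM_uint32 major, lifetime = 0;
    int open = 0, conf_state = 0;

    major = gss_inquire_context(minor, ctx, NULL, NULL, &lifetime,
                                NULL, NULL, NULL, &open);
    switch (judge_context(GSS_ERROR(major) != 0, open, lifetime, min_remaining)) {
    case CTX_INQUIRE_FAILED:  return major;   /* may itself report expiry */
    case CTX_NOT_ESTABLISHED: return GSS_S_NO_CONTEXT;
    case CTX_EXPIRED:         return GSS_S_CONTEXT_EXPIRED;
    default:                  break;
    }
    /* conf_req_flag = 1 requests confidentiality as well as integrity. */
    return gss_wrap(minor, ctx, 1, GSS_C_QOP_DEFAULT, in, &conf_state, out);
}
#endif
```

The same check applies before gss_unwrap on the receiving side.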