krb5-1.11-beta2 is available

Tom Yu tlyu at MIT.EDU
Wed Dec 12 22:23:00 EST 2012

MIT krb5-1.11-beta2 is now available for download from

The main MIT Kerberos web page is

Please send comments to the krbdev list.  The final release will
probably occur early next week.  The README file contains a more
extensive list of changes.

Changes since 1.11-beta1 (from a README diff):

+7447    Fix warnings in doc build
+7455    Documentation: table formating and ref correction in MIT
+        features
+7456    Documentation: Update 1.11 feature list
+7457    camellia needs key_cleanup() routine
+7459    Remove broken clean_hostname trace messages
+7460    Add first-introduced version for
+        krb5_get_init_creds_opt_set_in_ccache() in doxygen markup
+7461    Remove .doctrees when cleaning src/doc
+7462    Move Release tag to the footer in Sphinx html documentation
+7464    Remove "Test coverage" topic from Sphinx documentation
+7466    Do not generate unused parts of toctree
+7467    Do not include hidden files in the sidebar
+7468    Make sphinx warnings fatal for doc build
+7469    Reformat RST to avoid sphinx warnings
+7470    Note notice.txt's dependency on
+7471    Fix typo
+7472    Document parameter expansion for keytab and ccache
+        configuration options
+7474    Update comments about conflicting KRB5_KEYUSAGE_PA types
+7477    Document account lockout configuration
+7479    Build fixes for windows
+7480    Cross-reference account lockout documentation
+7482    Make resources.rst more useful to non-devs
+7483    KDC can return host referral to its own realm
+7488    Various nits in krb5-1.10.3
+7489    Do not document unused symbols
+7490    Update comments for RFC 3244 kpasswd extensions
+7491    Make building docs easier in an unconfigured tree
+7494    Regenerate checked-in man pages
+7496    Document API for getting anonymous tickets

Major changes in 1.11
Additional background information on these changes may be found at


Code quality:

* Improve ASN.1 support code, making it table-driven for decoding as
  well as encoding

* Refactor parts of KDC

Developer experience:

* Documentation consolidation

* Add a new API krb5_kt_have_content() to determine whether a keytab
  exists and contains any entries.

* Add a new API krb5_cccol_have_content() to determine whether the
  ccache collection contains any credentials.

* Add a new API krb5_kt_client_default() to resolve the default client

* Add new APIs gss_export_cred and gss_import_cred to serialize and
  unserialize GSSAPI credentials.

* Add a krb5_get_init_creds_opt_set_in_ccache() option.

* Add get_cc_config() and set_cc_config() clpreauth callbacks for
  getting string attribute values from an in_ccache and storing them
  in an out_ccache, respectively.

* Add a plugin interface for GSSAPI interposer mechanisms.

* Add an optional responder callback to the krb5_get_init_creds
  functions. The responder callback can consider and answer all
  preauth-related questions at once, and can process more complicated
  questions than the prompter.

* Add a method to the clpreauth interface to allow modules to supply
  response items for consideration by the responder callback.

* Projects/Password_response_item

* Add GSSAPI extensions to allow callers to specify credential store
  locations when acquiring or storing credentials

Administrator experience:

* Documentation consolidation

* Add parameter expansion for default_keytab_name and
  default_client_keytab_name profile variables.

* Add new default_ccache_name profile variable to override the
  built-in default credential cache name.

* Add configure-time support for changing the built-in ccache and
  keytab names.

* Add krb5-config options for displaying the built-in ccache and
  keytab names.

* In the default build, use the system's built-in ccache and keytab
  names if they can be discovered using krb5-config.

* Add support for a "default client keytab". Its location is
  determined by the KRB5_CLIENT_KTNAME environment variable, the
  default_client_keytab profile relation, or a hardcoded path (TBD).

* GSSAPI initiator applications can now acquire credentials
  automatically from the default client keytab, if one is available.

* Add client support for FAST OTP (RFC 6560)

End-user experience:

* Documentation consolidation

* Store metadata in the ccache about how a credential was acquired, to
  improve the user's experience when reacquiring

* Projects/Extensible_Policy


* Improve KDC lookaside cache performance

Protocol evolution:

* Add client support for FAST OTP (RFC 6560)

* Build Camellia encryption support by default