krb5-1.14-beta1 is available

Tom Yu tlyu at
Fri Oct 9 21:13:55 EDT 2015

This is a challenging to explain concisely, but basically in Kerberos,
3DES and RC4 are still reasonably strong for randomly generated keys but
not for password-derived ones.

krb5-devel/doc is master, not the release branch, but it's close enough
for now.


Wang Weijun < at> writes:

> You mean all 3DES and RC4 etypes as described in I see 16 and 23 still not marked weak in
> BTW, is the krb5-devel/doc pages always synced with the latest public beta?
> Thanks
> Max
>> On Oct 10, 2015, at 4:44 AM, Tom Yu <tlyu at> wrote:
>> * Remove the triple-DES and RC4 encryption types from the default
>>  value of supported_enctypes, which determines the default key and
>>  salt types for new password-derived keys.  By default, keys will
>>  only created only for AES128 and AES256.  This mitigates some types
>>  of password guessing attacks.

More information about the krbdev mailing list