krb5-1.15-beta2 is available

Tom Yu tlyu at
Wed Nov 16 15:23:29 EST 2016

MIT krb5-1.15-beta2 is now available for download from

The main MIT Kerberos web page is

Please send comments to the krbdev list.  We plan for the final release
to occur in a couple of weeks.  The README file contains a more
extensive list of changes.

Major changes in 1.15

Administrator experience:

* Add support to kadmin for remote extraction of current keys without
  changing them (requires a special kadmin permission that is excluded
  from the wildcard permission), with the exception of highly
  protected keys.

* Add a lockdown_keys principal attribute to prevent retrieval of the
  principal's keys (old or new) via the kadmin protocol.  In newly
  created databases, this attribute is set on the krbtgt and kadmin

* Restore recursive dump capability for DB2 back end, so sites can
  more easily recover from database corruption resulting from power
  failure events.

* Add DNS auto-discovery of KDC and kpasswd servers from URI records,
  in addition to SRV records.  URI records can convey TCP and UDP
  servers and master KDC status in a single DNS lookup, and can also
  point to HTTPS proxy servers.

* Add support for password history to the LDAP back end.

* Add support for principal renaming to the LDAP back end.

* Use the getrandom system call on supported Linux kernels to avoid
  blocking problems when getting entropy from the operating system.

* In the PKINIT client, use the correct DigestInfo encoding for PKCS
  #1 signatures, so that some especially strict smart cards will work.

Code quality:

* Clean up numerous compilation warnings.

* Remove various infrequently built modules, including some preauth
  modules that were not built by default.

Developer experience:

* Add support for building with OpenSSL 1.1.

* Use SHA-256 instead of MD5 for (non-cryptographic) hashing of
  authenticators in the replay cache.  This helps sites that must
  build with FIPS 140 conformant libraries that lack MD5.

Protocol evolution:

* Add support for the AES-SHA2 enctypes, which allows sites to conform
  to Suite B crypto requirements.
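
The URI-record discovery item above, as an added example (not part of the announcement or of the krb5 source): a parser for URI record targets in the krb5srv:flags:transport:residual form described in the MIT krb5 documentation, treating DNS answers as untrusted input. The record values are constructed, and rejecting non-HTTPS proxy URLs and IPv6 literals is this example's choice.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class KdcTarget:
    priority: int
    master: bool             # "m" flag: server is a master KDC
    transport: str           # "udp", "tcp" or "kkdcp" (HTTPS proxy)
    host: Optional[str] = None
    port: Optional[int] = None
    url: Optional[str] = None

def parse_krb5srv(priority, target, default_port=88):
    """Parse one URI record target; return None if it is malformed."""
    parts = target.split(":", 3)
    if len(parts) != 4 or parts[0].lower() != "krb5srv" or not parts[3]:
        return None
    master, transport, rest = "m" in parts[1].lower(), parts[2].lower(), parts[3]
    if transport == "kkdcp":
        # Example policy (assumption): accept only HTTPS proxy URLs.
        if not rest.lower().startswith("https://"):
            return None
        return KdcTarget(priority, master, transport, url=rest)
    if transport not in ("udp", "tcp"):
        return None
    host, sep, port_text = rest.rpartition(":")
    if not sep:                       # no explicit port in the residual
        host, port_text = rest, str(default_port)
    # Hostnames and IPv4 only; bracketed IPv6 literals are not handled here.
    if not host or ":" in host:
        return None
    if not (port_text.isascii() and port_text.isdigit()):
        return None
    port = int(port_text)
    if not 0 < port < 65536:
        return None
    return KdcTarget(priority, master, transport, host=host, port=port)

def order_targets(records):
    """Drop malformed records, then try lower priority values first."""
    parsed = [parse_krb5srv(prio, target) for prio, _weight, target in records]
    return sorted((t for t in parsed if t is not None), key=lambda t: t.priority)

# Constructed answer to a _kerberos.<REALM> URI lookup: (priority, weight, target)
SAMPLE = [
    (20, 1, "krb5srv::kkdcp:https://proxy.example.test/KdcProxy"),
    (10, 1, "krb5srv:m:tcp:kdc1.example.test"),
    (10, 1, "krb5srv::udp:kdc2.example.test:8888"),
    (10, 1, "krb5srv::kkdcp:http://proxy.example.test/"),   # rejected: not HTTPS
    (10, 1, "ldap://directory.example.test"),               # rejected: wrong scheme
]
```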