krb5-1.15-beta1 is available
tlyu at mit.edu
Thu Oct 20 16:15:49 EDT 2016
-----BEGIN PGP SIGNED MESSAGE-----
MIT krb5-1.15-beta1 is now available for download from
The main MIT Kerberos web page is
Please send comments to the krbdev list. We plan for the final release
to occur in about a month. The README file contains a more extensive
list of changes.
Major changes in 1.15
* Add support to kadmin for remote extraction of current keys without
changing them (requires a special kadmin permission that is excluded
from the wildcard permission), with the exception of highly
* Add a lockdown_keys principal attribute to prevent retrieval of the
principal's keys (old or new) via the kadmin protocol. In newly
created databases, this attribute is set on the krbtgt and kadmin
* Restore recursive dump capability for DB2 back end, so sites can
more easily recover from database corruption resulting from power
* Add DNS auto-discovery of KDC and kpasswd servers from URI records,
in addition to SRV records. URI records can convey TCP and UDP
servers and master KDC status in a single DNS lookup, and can also
point to HTTPS proxy servers.
* Add support for password history to the LDAP back end.
* Add support for principal renaming to the LDAP back end.
* Use the getrandom system call on supported Linux kernels to avoid
blocking problems when getting entropy from the operating system.
* Clean up numerous compilation warnings.
* Remove various infrequently built modules, including some preauth
modules that were not built by default.
* Add support for building with OpenSSL 1.1.
* Use SHA-256 instead of MD5 for (non-cryptographic) hashing of
authenticators in the replay cache. This helps sites that must
build with FIPS 140 conformant libraries that lack MD5.
* Add support for the AES-SHA2 enctypes, which allows sites to conform
to Suite B crypto requirements.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
More information about the krbdev