krb5-1.15.1 is released

Greg Hudson ghudson at
Fri Mar 3 15:41:02 EST 2017

Hash: SHA1

The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.15.1.  Please see below for a list of some major changes
included, or consult the README file in the source tree for a more
detailed list of significant changes.


You may retrieve the Kerberos 5 Release 1.15.1 source from the
following URL:

The homepage for the krb5-1.15.1 release is:

Further information about Kerberos 5 may be found at the following

and at the MIT Kerberos Consortium web site:

DES transition

The Data Encryption Standard (DES) is widely recognized as weak.  The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems.  Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.

Major changes in 1.15.1 (2017-03-01)

This is a bug fix release.

* Allow KDB modules to determine how the e_data field of principal
  fields is freed

* Fix udp_preference_limit when the KDC location is configured with
  SRV records

* Fix KDC and kadmind startup on some IPv4-only systems

* Fix the processing of PKINIT certificate matching rules which have
  two components and no explicit relation

* Improve documentation

Major changes in 1.15 (2016-12-01)

Administrator experience:

* Improve support for multihomed Kerberos servers by adding options
  for specifying restricted listening addresses for the KDC and

* Add support to kadmin for remote extraction of current keys without
  changing them (requires a special kadmin permission that is excluded
  from the wildcard permission), with the exception of highly
  protected keys.

* Add a lockdown_keys principal attribute to prevent retrieval of the
  principal's keys (old or new) via the kadmin protocol.  In newly
  created databases, this attribute is set on the krbtgt and kadmin

* Restore recursive dump capability for DB2 back end, so sites can
  more easily recover from database corruption resulting from power
  failure events.

* Add DNS auto-discovery of KDC and kpasswd servers from URI records,
 in addition to SRV records.  URI records can convey TCP and UDP
 servers and master KDC status in a single DNS lookup, and can also
 point to HTTPS proxy servers.

* Add support for password history to the LDAP back end.

* Add support for principal renaming to the LDAP back end.

* Use the getrandom system call on supported Linux kernels to avoid
  blocking problems when getting entropy from the operating system.

* In the PKINIT client, use the correct DigestInfo encoding for PKCS
  #1 signatures, so that some especially strict smart cards will work.

Code quality:

* Clean up numerous compilation warnings.

* Remove various infrequently built modules, including some preauth
  modules that were not built by default.

Developer experience:

* Add support for building with OpenSSL 1.1.

* Use SHA-256 instead of MD5 for (non-cryptographic) hashing of
  authenticators in the replay cache.  This helps sites that must
  build with FIPS 140 conformant libraries that lack MD5.

* Eliminate util/reconf and allow the use of autoreconf alone to
  regenerate the configure script.

Protocol evolution:

* Add support for the AES-SHA2 enctypes, which allows sites to conform
  to Suite B crypto requirements.
Version: GnuPG v1

kerberos-announce mailing list
kerberos-announce at

More information about the krbdev mailing list