krb5-1.16-beta1 is available
ghudson at mit.edu
Thu Oct 5 13:42:04 EDT 2017
-----BEGIN PGP SIGNED MESSAGE-----
MIT krb5-1.16-beta1 is now available for download from
The main MIT Kerberos web page is
Please send comments to the krbdev list. We plan for the final
release to occur in about two months. The README file contains a more
extensive list of changes.
Major changes in 1.16
* The KDC can match PKINIT client certificates against the
"pkinit_cert_match" string attribute on the client principal entry,
using the same syntax as the existing "pkinit_cert_match" profile
* The ktutil addent command supports the "-k 0" option to ignore the
key version, and the "-s" option to use a non-default salt string.
* kpropd supports a --pid-file option to write a pid file at startup,
when it is run in standalone mode.
* The "encrypted_challenge_indicator" realm option can be used to
attach an authentication indicator to tickets obtained using FAST
encrypted challenge pre-authentication.
* Localization support can be disabled at build time with the
--disable-nls configure option.
* The kdcpolicy pluggable interface allows modules control whether
tickets are issued by the KDC.
* The kadm5_auth pluggable interface allows modules to control whether
kadmind grants access to a kadmin request.
* The certauth pluggable interface allows modules to control which
PKINIT client certificates can authenticate to which client
* KDB modules can use the client and KDC interface IP addresses to
determine whether to allow an AS request.
* GSS applications can query the bit strength of a krb5 GSS context
using the GSS_C_SEC_CONTEXT_SASL_SSF OID with
* GSS applications can query the impersonator name of a krb5 GSS
credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with
* kdcpreauth modules can query the KDC for the canonicalized requested
client principal name, or match a principal name against the
requested client principal name with canonicalization.
* The client library will continue to try pre-authentication
mechanisms after most failure conditions.
* The KDC will issue trivially renewable tickets (where the renewable
lifetime is equal to or less than the ticket lifetime) if requested
by the client, to be friendlier to scripts.
* The client library will use a random nonce for TGS requests instead
of the current system time.
* For the RC4 string-to-key or PAC operations, UTF-16 is supported
(previously only UCS-2 was supported).
* When matching PKINIT client certificates, UPN SANs will be matched
correctly as UPNs, with canonicalization.
* Dates after the year 2038 are accepted (provided that the platform
time facilities support them), through the year 2106.
* Automatic credential cache selection based on the client realm will
take into account the fallback realm and the service hostname.
* Referral and alternate cross-realm TGTs will not be cached, avoiding
some scenarios where they can be added to the credential cache
* A German translation has been added.
* The build is warning-clean under clang with the configured warning
* The automated test suite runs cleanly under AddressSanitizer.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
More information about the krbdev