krb5-1.21 is released
ghudson at mit.edu
Tue Jun 6 01:06:32 EDT 2023
-----BEGIN PGP SIGNED MESSAGE-----
The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.21. Please see below for a list of some major changes
included, or consult the README file in the source tree for a more
detailed list of significant changes.
RETRIEVING KERBEROS 5 RELEASE 1.21
You may retrieve the Kerberos 5 Release 1.21 source from the
The homepage for the krb5-1.21 release is:
Further information about Kerberos 5 may be found at the following
and at the MIT Kerberos Consortium web site:
Beginning with release 1.20, the KDC will include minimal PACs in
tickets instead of AD-SIGNEDPATH authdata. S4U requests (protocol
transition and constrained delegation) must now contain valid PACs in
the incoming tickets. Beginning with release 1.21, service ticket
PACs will contain a new KDC checksum buffer, to mitigate a hash
collision attack against the old KDC checksum. If only some KDCs in a
realm have been upgraded across versions 1.20 or 1.21, the upgraded
KDCs will reject S4U requests containing tickets from non-upgraded
KDCs and vice versa.
Triple-DES and RC4 transitions
Beginning with the krb5-1.21 release, the KDC will not issue tickets
with triple-DES or RC4 session keys unless explicitly configured using
the new allow_des3 and allow_rc4 variables in [libdefaults]. To
facilitate the negotiation of session keys, the KDC will assume that
all services can handle aes256-sha1 session keys unless the service
principal has a session_enctypes string attribute.
Beginning with the krb5-1.19 release, a warning will be issued if
initial credentials are acquired using the des3-cbc-sha1 encryption
type. Beginning with the krb5-1.21 release, a warning will also be
issued for the arcfour-hmac encryption type. In future releases,
these encryption types will be disabled by default and eventually
Beginning with the krb5-1.18 release, all support for single-DES
encryption types has been removed.
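As an added example (not part of this announcement or of the MIT krb5 code base), the following Python helper checks the two things the transition notes above ask an administrator to look at: whether the new allow_rc4 / allow_des3 variables are enabled in [libdefaults], and whether any ticket in a credential cache still carries a triple-DES or RC4 session key, as seen in `klist -e` output. The krb5.conf text and the klist lines it parses are constructed samples embedded for illustration; the parser handles only top-level `key = value` lines in [libdefaults] and the "Etype (skey, tkt):" lines that MIT klist prints.

```python
"""Audit helpers for the krb5-1.21 enctype transition.

Added example, not part of the krb5 announcement or the MIT code base.
Checks (1) whether allow_rc4 / allow_des3 are enabled in [libdefaults]
and (2) whether any cached ticket in `klist -e` output has a triple-DES
or RC4 session key.  SAMPLE_KRB5_CONF and SAMPLE_KLIST_E are constructed.
"""
import re

# Enctype names krb5-1.21 warns about, plus their documented aliases.
DEPRECATED_SESSION_ENCTYPES = {
    "des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd",
    "arcfour-hmac", "rc4-hmac", "arcfour-hmac-md5",
}

SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    # Legacy opt-in: a 1.21 KDC issues no RC4/3DES session keys without these.
    allow_rc4 = true
    allow_des3 = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

SAMPLE_KLIST_E = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting     Expires            Service principal
06/05/23 09:00:00  06/05/23 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/05/23 09:01:00  06/05/23 19:00:00  cifs/legacy.example.com@EXAMPLE.COM
\tEtype (skey, tkt): arcfour-hmac, aes256-cts-hmac-sha1-96
"""


def _krb5_bool(value):
    # Spellings krb5.conf accepts for a true boolean (case-insensitive).
    return value.strip().lower() in {"true", "yes", "on", "1", "t", "y"}


def libdefaults_legacy_flags(conf_text):
    """Return {'allow_rc4': bool, 'allow_des3': bool} from [libdefaults].
    A missing variable is reported False, matching the 1.21 KDC default."""
    flags = {"allow_rc4": False, "allow_des3": False}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key in flags:
            flags[key] = _krb5_bool(value)
    return flags


def deprecated_session_keys(klist_text):
    """Return (service principal, session enctype) pairs for every ticket in
    `klist -e` output whose session key (skey) uses a deprecated enctype."""
    findings = []
    service = None
    for line in klist_text.splitlines():
        m = re.match(r"\s*Etype \(skey, tkt\):\s*([^,]+),\s*(\S+)", line)
        if m:
            skey = m.group(1).strip()
            if service and skey in DEPRECATED_SESSION_ENCTYPES:
                findings.append((service, skey))
            continue
        # Ticket lines end with the service principal (contains '@').
        parts = line.split()
        if len(parts) >= 5 and "@" in parts[-1]:
            service = parts[-1]
    return findings


if __name__ == "__main__":
    print(libdefaults_legacy_flags(SAMPLE_KRB5_CONF))
    for svc, skey in deprecated_session_keys(SAMPLE_KLIST_E):
        print(f"deprecated session key {skey} for {svc}")
```

On the sample input the first check reports allow_rc4 enabled and allow_des3 disabled, and the second flags the cifs/legacy.example.com ticket, whose session key is arcfour-hmac. A service that genuinely needs a non-default session key should instead get a session_enctypes string attribute on its principal (set with kadmin's set_string), so that allow_rc4 / allow_des3 can stay off realm-wide.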
Major changes in 1.21 (2023-06-05)
* Added a credential cache type providing compatibility with the macOS
11 native credential cache.
* libkadm5 will use the provided krb5_context object to read
configuration values, instead of creating its own.
* Added an interface to retrieve the ticket session key from a GSS
* The KDC will no longer issue tickets with RC4 or triple-DES session
keys unless explicitly configured with the new allow_rc4 or
allow_des3 variables respectively.
* The KDC will assume that all services can handle aes256-sha1 session
keys unless the service principal has a session_enctypes string
* Support for PAC full KDC checksums has been added to mitigate an
S4U2Proxy privilege escalation attack.
* The PKINIT client will advertise a more modern set of supported CMS
* Removed unused code in libkrb5, libkrb5support, and the PKINIT
* Modernized the KDC code for processing TGS requests, the code for
encrypting and decrypting key data, the PAC handling code, and the
GSS library packet parsing and composition code.
* Improved the test framework's detection of memory errors in daemon
processes when used with asan.