krb5-1.22-beta1 is available

Greg Hudson ghudson at mit.edu
Thu May 8 13:07:32 EDT 2025


MIT krb5-1.22-beta1 is now available for download from

         https://kerberos.org/dist/testing.html

The main MIT Kerberos web page is

         https://web.mit.edu/kerberos/

Please send comments to the krbdev list.  We plan for the final
release to occur in about two months.  The README file contains a more
extensive list of changes.

PAC transitions
---------------

Beginning with release 1.20, the KDC will include minimal PACs in
tickets instead of AD-SIGNEDPATH authdata.  S4U requests (protocol
transition and constrained delegation) must now contain valid PACs in
the incoming tickets.  Beginning with release 1.21, service ticket
PACs will contain a new KDC checksum buffer, to mitigate a hash
collision attack against the old KDC checksum.  If only some KDCs in a
realm have been upgraded across versions 1.20 or 1.21, the upgraded
KDCs will reject S4U requests containing tickets from non-upgraded
KDCs and vice versa.

Triple-DES and RC4 transitions
------------------------------

Beginning with the krb5-1.21 release, the KDC will not issue tickets
with triple-DES or RC4 session keys unless explicitly configured using
the new allow_des3 and allow_rc4 variables in [libdefaults].  To
facilitate the negotiation of session keys, the KDC will assume that
all services can handle aes256-sha1 session keys unless the service
principal has a session_enctypes string attribute.

Beginning with the krb5-1.19 release, a warning will be issued if
initial credentials are acquired using the des3-cbc-sha1 encryption
type.  Beginning with the krb5-1.21 release, a warning will also be
issued for the arcfour-hmac encryption type.  In future releases,
these encryption types will be disabled by default and eventually
removed.

Beginning with the krb5-1.18 release, all support for single-DES
encryption types has been removed.

Major changes in 1.22
---------------------

User experience:

* The libdefaults configuration variable "request_timeout" can be set
  to limit the total timeout for KDC requests.  When making a KDC
  request, the client will now wait indefinitely (or until the request
  timeout has elapsed) on a KDC which accepts a TCP connection,
  without contacting any additional KDCs.  Clients will make fewer DNS
  queries in some configurations.

* The realm configuration variable "sitename" can be set to cause the
  client to query site-specific DNS records when making KDC requests.
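
The libdefaults and realm variables named in the two preceding sections,
assembled into a krb5.conf fragment as an added example (this is not from
the announcement); the realm, KDC host and site names are placeholders,
and the request_timeout value is illustrative:

```ini
# Added example krb5.conf fragment; EXAMPLE.COM, kdc1.example.com and the
# site name are placeholders.
[libdefaults]
    default_realm = EXAMPLE.COM
    # 1.21+: the KDC issues triple-DES or RC4 session keys only when these
    # are explicitly enabled.  Both default to false; setting allow_rc4 =
    # true re-enables arcfour-hmac session keys realm-wide, so treat it as
    # a temporary compatibility measure while old services are migrated.
    allow_des3 = false
    allow_rc4 = false
    # Services that still cannot take aes256-sha1 session keys are handled
    # per principal with the session_enctypes string attribute (set with
    # kadmin's setstr command), not with a realm-wide setting here.
    # 1.22+: cap the total time spent on a single KDC request.  Once a KDC
    # accepts a TCP connection the client waits on it until this elapses
    # instead of contacting further KDCs.  Value in krb5 duration syntax.
    request_timeout = 10s

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        # 1.22+: query site-specific DNS records for this realm.
        sitename = site1
    }
```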

Administrator experience:

* Principal aliases are supported in the DB2 and LMDB KDB modules and
  in the kadmin protocol.  (The LDAP KDB module has supported aliases
  since release 1.7.)

* UNIX domain sockets are supported for the Kerberos and kpasswd
  protocols.

* systemd socket activation is supported for krb5kdc and kadmind.

Developer experience:

* KDB modules can be implemented in terms of other modules using
  the new krb5_db_load_module() function.

* The profile library supports the modification of empty profiles and
  the copying of modified profiles, making it possible to construct an
  in-memory profile and pass it to krb5_init_context_profile().

* GSS-API applications can pass the GSS_C_CHANNEL_BOUND flag to
  gss_init_sec_context() to request strict enforcement of channel
  bindings by the acceptor.

Protocol evolution:

* The PKINIT preauth module supports elliptic curve client
  certificates, ECDH key exchange, and the Microsoft paChecksum2
  field.

* The IAKERB implementation has been changed to comply with the most
  recent draft standard and to support realm discovery.

* Message-Authenticator is supported in the RADIUS implementation used
  by the OTP kdcpreauth module.

Code quality:

* Removed old-style function declarations, to accommodate compilers
  which have removed support for them.

* Added OSS-Fuzz to the project's continuous integration
  infrastructure.

* Rewrote the GSS per-message token parsing code for improved safety.