Kerberos 5 Release 1.13
    
    
The MIT Kerberos Team announces the availability of the krb5-1.13 release. The detached PGP signature is available without going through the download page, if you wish to verify the authenticity of a distribution you have obtained elsewhere.

Please see the README file for a more complete list of changes.

You may also see the current full list of fixed bugs tracked in our RT bugtracking system.
    
DES transition
The Data Encryption Standard (DES) is widely recognized as weak. The krb5-1.7 release contains measures to encourage sites to migrate away from using single-DES cryptosystems. Among these is a configuration variable that enables "weak" enctypes, which now defaults to "false" beginning with krb5-1.8.
    
Major changes in 1.13 (2014-10-15)
    
- Administrator experience:
  - Add support for accessing KDCs via an HTTPS proxy server using the MS-KKDCP protocol.
  - Add support for hierarchical incremental propagation, where slaves can act as intermediates between an upstream master and other downstream slaves.
  - Add support for configuring GSS mechanisms using /etc/gss/mech.d/*.conf files in addition to /etc/gss/mech.
  - Add support to the LDAP KDB module for binding to the LDAP server using SASL.
  - The KDC listens for TCP connections by default.
  - Fix a minor key disclosure vulnerability where using the "keepold" option to the kadmin randkey operation could return the old keys. [CVE-2014-5351]

- User experience:
  - Add client support for the Kerberos Cache Manager protocol. If the host is running a Heimdal kcm daemon, caches served by the daemon can be accessed with the KCM: cache type.
  - When built on OS X 10.7 and higher, use "KCM:" as the default cache type, unless overridden by command-line options or krb5-config values.

- Performance:
  - Add support for doing unlocked database dumps for the DB2 KDC back end, which would allow the KDC and kadmind to continue accessing the database during lengthy database dumps.
 
You may retrieve the Kerberos 5 Release 1.13 source from here. If you need to acquire the sources from some other distribution site, you may verify them against the detached PGP signature for krb5-1.13.
    
    $Id: krb5-1.13.html,v 1.2 2014/10/16 00:42:56 tlyu Exp $