Kerberos 5 Release 1.9.1

The MIT Kerberos Team announces the availability of the krb5-1.9.1 release. The detached PGP signature is available without going through the download page, if you wish to verify the authenticity of a distribution you have obtained elsewhere.
    
Please see the README file for a more complete list of changes.

You may also see the current full list of fixed bugs tracked in our RT bug-tracking system.
    
DES transition

The Data Encryption Standard (DES) is widely recognized as weak. The krb5-1.7 release contains measures to encourage sites to migrate away from using single-DES cryptosystems. Among these is a configuration variable that enables "weak" enctypes, which now defaults to "false" beginning with krb5-1.8.
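An added audit script, not part of this MIT page or of the krb5 distribution, that reports the settings the paragraph above refers to: it flags a krb5.conf [libdefaults] stanza that turns the weak-crypto switch on or lists single-DES enctypes. It assumes the krb5.conf key names allow_weak_crypto, default_tgs_enctypes, default_tkt_enctypes and permitted_enctypes (not named on this page) and uses a minimal parser that reads only top-level keys, not the krb5 profile library.

```python
import re

# Single-DES enctype names (and the "des" family alias) as krb5 spells them.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des"}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")
TRUE_WORDS = ("true", "t", "yes", "y", "1", "on")  # krb5 profile boolean spellings

def parse_libdefaults(text):
    """Return {key: value} for top-level keys in [libdefaults]. Nested brace
    stanzas (as used in [realms]) are skipped; minimal parser, not libprofile."""
    section, depth, out = None, 0, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section, depth = m.group(1).lower(), 0
        elif line.endswith("{") or line == "}":
            depth += 1 if line.endswith("{") else -1
        elif section == "libdefaults" and depth == 0 and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            out[key.lower()] = value
    return out

def weak_crypto_findings(text):
    """Return a list of findings; an empty list means no single-DES exposure."""
    cfg = parse_libdefaults(text)
    findings = []
    if cfg.get("allow_weak_crypto", "false").lower() in TRUE_WORDS:
        findings.append("allow_weak_crypto is enabled: single-DES enctypes are usable")
    for key in ENCTYPE_KEYS:
        weak = [e for e in re.split(r"[\s,]+", cfg.get(key, "")) if e.lower() in SINGLE_DES]
        if weak:
            findings.append(f"{key} lists single-DES enctypes: {' '.join(weak)}")
    return findings

# Constructed sample configurations, not taken from any real deployment.
WEAK_CONF = """[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = true
    default_tgs_enctypes = aes256-cts des-cbc-crc des-cbc-md5
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""
HARDENED_CONF = (WEAK_CONF.replace("allow_weak_crypto = true", "allow_weak_crypto = false")
                 .replace("des-cbc-crc des-cbc-md5", "aes128-cts"))
```

Running `weak_crypto_findings(WEAK_CONF)` yields two findings (the switch and the enctype list), while `HARDENED_CONF` yields none.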
    
Major changes in 1.9.1

This is primarily a bugfix release.

- Fix vulnerabilities:
  - kpropd denial of service [MITKRB5-SA-2011-001 CVE-2010-4022]
  - KDC denial of service attacks [MITKRB5-SA-2011-002 CVE-2011-0281 CVE-2011-0282 CVE-2011-0283]
  - KDC double-free when PKINIT enabled [MITKRB5-SA-2011-003 CVE-2011-0284]
  - kadmind frees invalid pointer [MITKRB5-SA-2011-004 CVE-2011-0285]
- Interoperability:
  - Don't reject AP-REQ messages if their PAC doesn't validate; suppress the PAC instead.
  - Correctly validate HMAC-MD5 checksums that use DES keys.
 
Major changes in 1.9

- Code quality
  - Fix MITKRB5-SA-2010-007 checksum vulnerabilities (CVE-2010-1324 and others).
  - Add a Python-based testing framework.
  - Perform DAL cleanup.
- Developer experience
  - Add NSS crypto back end.
  - Improve PRNG modularity.
  - Add a Fortuna-like PRNG back end.
- Performance
  - Account lockout performance improvements: allow disabling of some account lockout functionality to reduce the number of write operations to the database during authentication.
  - Add support for multiple KDC worker processes.
- Administrator experience
  - Add trace logging support to ease the diagnosis of configuration problems.
  - Add support for purging old keys (e.g. from "cpw -randkey -keepold").
  - Add plugin interface for password sync, based on proposed patches by Russ Allbery that support his krb5-sync package.
  - Add plugin interface for password quality checks, enabling pluggable password quality checks similar to Russ Allbery's krb5-strength package.
  - Add a configuration file validator script.
  - Add KDC support for SecurID preauthentication. This is the old SAM-2 protocol, implemented to support existing deployments, not the in-progress FAST-OTP work.
  - Add "cheat" capability for kinit when running on a KDC host.
- Protocol evolution
  - Add support for IAKERB, a mechanism for tunneling Kerberos KDC transactions over GSS-API, enabling clients to authenticate to services even when the clients cannot directly reach the KDC that serves the services.
  - Add support for Camellia encryption (experimental; disabled by default).
  - Add GSS-API support for implementors of the SASL GS2 bridge mechanism.
 
Known Bugs

Known bugs reported against krb5-1.9.1 are listed here.

Please note that the HTML versions of these documents are converted from texinfo, and that the conversion is imperfect. If you want PostScript or GNU info versions, please download the documentation tarball.

You may retrieve the Kerberos 5 Release 1.9.1 source from here. If you need to acquire the sources from some other distribution site, you may verify them against the detached PGP signature for krb5-1.9.1.
    
    $Id: krb5-1.9.1.html,v 1.3 2011/08/03 20:10:46 tlyu Exp $