Kerberos 5 Release 1.7 is now available

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology. Kerberos is available in many commercial products as well.

The krb5-1.7 release contains a large number of changes, featuring improvements in the following broad areas:

  • Compatibility with Microsoft Windows
  • Administrator experience
  • User experience
  • Code quality
  • Protocol evolution.

Compatibility with Microsoft Windows:

  • Follow client principal referrals in the client library when obtaining initial tickets.
  • KDC can issue realm referrals for service principals based on domain names.
  • Extensions supporting DCE RPC, including three-leg GSS context setup and unencapsulated GSS tokens inside SPNEGO.
  • Microsoft GSS_WrapEX, implemented using the gss_iov API, which is similar to the equivalent SSPI functionality. This is needed to support some instances of DCE RPC.
  • NTLM recognition support in GSS-API, to facilitate dropping in an NTLM implementation for improved compatibility with older releases of Microsoft Windows.
  • KDC support for principal aliases, if the back end supports them. Currently, only the LDAP back end supports aliases.
  • Support Microsoft set/change password (RFC 3244) protocol in kadmind.
  • Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which allows a GSS application to request credential delegation only if permitted by KDC policy.

Administrator experience:

  • Install header files for the administration API, allowing third-party software to manipulate the KDC database.
  • Incremental propagation support for the KDC database.
  • Master key rollover support, making it easier to change master key passwords or encryption types.
  • New libdefaults configuration variable “allow_weak_crypto”. NOTE: Currently defaults to “true”, but may default to “false” in a future release. Setting this variable to “false” will have the effect of removing weak enctypes (currently defined to be all single-DES enctypes) from permitted_enctypes, default_tkt_enctypes, and default_tgs_enctypes.

User experience:

  • Provide enhanced GSS-API error message including supplementary details about error conditions.
  • In the replay cache, use a hash over the complete ciphertext to avoid false-positive replay indications.

Code quality:

  • Replace many uses of “unsafe” string functions. While most of these instances were innocuous, they impeded efficient automatic and manual static code analysis.
  • Fix many instances of resource leaks and similar bugs identified by static analysis tools.
  • Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 — various vulnerabilities in SPNEGO and ASN.1 code.

Protocol evolution:

  • Remove support for version 4 of the Kerberos protocol (krb4).
  • Encryption algorithm negotiation (RFC 4537), allowing clients and application services to negotiate stronger encryption than their KDC supports.
  • Flexible Authentication Secure Tunneling (FAST), a preauthentiation framework that can protect the AS exchange from dictionary attacks on weak user passwords.

You may retrieve the Kerberos 5 Release 1.7 source from here.