"Fossies" - the Fresh Open Source Software Archive

Member "krb5-1.18/doc/html/mitK5features.html" (12 Feb 2020, 35838 Bytes) of package /linux/misc/krb5-1.18.tar.gz:



<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>MIT Kerberos features &#8212; MIT Kerberos Documentation</title>
    <link rel="stylesheet" href="_static/agogo.css" type="text/css" />
    <link rel="stylesheet" href="_static/pygments.css" type="text/css" />
    <link rel="stylesheet" href="_static/kerb.css" type="text/css" />
    <script type="text/javascript">
      var DOCUMENTATION_OPTIONS = {
        URL_ROOT:    './',
        VERSION:     '1.18',
        COLLAPSE_INDEX: false,
        FILE_SUFFIX: '.html',
        HAS_SOURCE:  true,
        SOURCELINK_SUFFIX: '.txt'
      };
    </script>
    <script type="text/javascript" src="_static/jquery.js"></script>
    <script type="text/javascript" src="_static/underscore.js"></script>
    <script type="text/javascript" src="_static/doctools.js"></script>
    <link rel="author" title="About these documents" href="about.html" />
    <link rel="index" title="Index" href="genindex.html" />
    <link rel="search" title="Search" href="search.html" />
    <link rel="copyright" title="Copyright" href="copyright.html" />
    <link rel="next" title="MIT Kerberos License information" href="mitK5license.html" />
    <link rel="prev" title="PKINIT freshness tokens" href="formats/freshness_token.html" />
  </head>
  <body>

    <div class="content-wrapper">
      <div class="content">
        <div class="document">

      <div class="documentwrapper">
        <div class="bodywrapper">
          <div class="body" role="main">

  <div class="toctree-wrapper compound">
</div>
<div class="section" id="mit-kerberos-features">
<span id="mitk5features"></span><h1>MIT Kerberos features<a class="headerlink" href="#mit-kerberos-features" title="Permalink to this headline"></a></h1>
<p><a class="reference external" href="https://web.mit.edu/kerberos">https://web.mit.edu/kerberos</a></p>
<div class="section" id="quick-facts">
<h2>Quick facts<a class="headerlink" href="#quick-facts" title="Permalink to this headline"></a></h2>
<p>License - <a class="reference internal" href="mitK5license.html#mitk5license"><span class="std std-ref">MIT Kerberos License information</span></a></p>
<dl class="docutils">
<dt>Releases:</dt>
<dd><ul class="first last simple">
<li>Latest stable: <a class="reference external" href="https://web.mit.edu/kerberos/krb5-1.18/">https://web.mit.edu/kerberos/krb5-1.18/</a></li>
<li>Supported: <a class="reference external" href="https://web.mit.edu/kerberos/krb5-1.17/">https://web.mit.edu/kerberos/krb5-1.17/</a></li>
<li>Release cycle: approximately 12 months</li>
</ul>
</dd>
<dt>Supported platforms / OS distributions:</dt>
<dd><ul class="first last simple">
<li>Windows (KfW 4.0): Windows 7, Vista, XP</li>
<li>Solaris: SPARC, x86_64/x86</li>
<li>GNU/Linux: Debian x86_64/x86, Ubuntu x86_64/x86, RedHat x86_64/x86</li>
<li>BSD: NetBSD x86_64/x86</li>
</ul>
</dd>
<dt>Crypto backends:</dt>
<dd><ul class="first last simple">
<li>builtin - MIT Kerberos native crypto library</li>
<li>OpenSSL (1.0+) - <a class="reference external" href="https://www.openssl.org">https://www.openssl.org</a></li>
</ul>
</dd>
</dl>
<p>Database backends: LDAP, DB2, LMDB</p>
<p>krb4 support: Kerberos 5 release &lt; 1.8</p>
<p>DES support: Kerberos 5 release &lt; 1.18 (See <a class="reference internal" href="admin/advanced/retiring-des.html#retiring-des"><span class="std std-ref">Retiring DES</span></a>)</p>
</div>
<div class="section" id="interoperability">
<h2>Interoperability<a class="headerlink" href="#interoperability" title="Permalink to this headline"></a></h2>
<p><cite>Microsoft</cite></p>
<p>Starting from release 1.7:</p>
<ul class="simple">
<li>Follow client principal referrals in the client library when
obtaining initial tickets.</li>
<li>KDC can issue realm referrals for service principals based on domain names.</li>
<li>Extensions supporting DCE RPC, including three-leg GSS context setup
and unencapsulated GSS tokens inside SPNEGO.</li>
<li>Microsoft GSS_WrapEX, implemented using the gss_iov API, which is
similar to the equivalent SSPI functionality.  This is needed to
support some instances of DCE RPC.</li>
<li>NTLM recognition support in GSS-API, to facilitate dropping in an
NTLM implementation for improved compatibility with older releases
of Microsoft Windows.</li>
<li>KDC support for principal aliases, if the back end supports them.
Currently, only the LDAP back end supports aliases.</li>
<li>Support Microsoft set/change password (<span class="target" id="index-0"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc3244.html"><strong>RFC 3244</strong></a>) protocol in
kadmind.</li>
<li>Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which
allows a GSS application to request credential delegation only if
permitted by KDC policy.</li>
</ul>
<p>Starting from release 1.8:</p>
<ul class="simple">
<li>Microsoft Services for User (S4U) compatibility</li>
</ul>
<p><cite>Heimdal</cite></p>
<ul class="simple">
<li>Support for KCM credential cache starting from release 1.13</li>
</ul>
</div>
<div class="section" id="feature-list">
<h2>Feature list<a class="headerlink" href="#feature-list" title="Permalink to this headline"></a></h2>
<p>For more information on a specific project, see <a class="reference external" href="https://k5wiki.kerberos.org/wiki/Projects">https://k5wiki.kerberos.org/wiki/Projects</a></p>
<dl class="docutils">
<dt>Release 1.7</dt>
<dd><ul class="first last simple">
<li>Credentials delegation                   <span class="target" id="index-1"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc5896.html"><strong>RFC 5896</strong></a></li>
<li>Cross-realm authentication and referrals <span class="target" id="index-2"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc6806.html"><strong>RFC 6806</strong></a></li>
<li>Master key migration</li>
<li>PKINIT                                   <span class="target" id="index-3"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a> <a class="reference internal" href="admin/pkinit.html#pkinit"><span class="std std-ref">PKINIT configuration</span></a></li>
</ul>
</dd>
<dt>Release 1.8</dt>
<dd><ul class="first last simple">
<li>Anonymous PKINIT         <span class="target" id="index-4"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc6112.html"><strong>RFC 6112</strong></a> <a class="reference internal" href="admin/pkinit.html#anonymous-pkinit"><span class="std std-ref">Anonymous PKINIT</span></a></li>
<li>Constrained delegation</li>
<li>IAKERB                   <a class="reference external" href="https://tools.ietf.org/html/draft-ietf-krb-wg-iakerb-02">https://tools.ietf.org/html/draft-ietf-krb-wg-iakerb-02</a></li>
<li>Heimdal bridge plugin for KDC backend</li>
<li>GSS-API S4U extensions   <a class="reference external" href="https://msdn.microsoft.com/en-us/library/cc246071">https://msdn.microsoft.com/en-us/library/cc246071</a></li>
<li>GSS-API naming extensions                            <span class="target" id="index-5"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc6680.html"><strong>RFC 6680</strong></a></li>
<li>GSS-API extensions for storing delegated credentials <span class="target" id="index-6"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc5588.html"><strong>RFC 5588</strong></a></li>
</ul>
</dd>
<dt>Release 1.9</dt>
<dd><ul class="first last simple">
<li>Advance warning on password expiry</li>
<li>Camellia encryption (CTS-CMAC mode)       <span class="target" id="index-7"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc6803.html"><strong>RFC 6803</strong></a></li>
<li>KDC support for SecurID preauthentication</li>
<li>kadmin over IPv6</li>
<li>Trace logging                             <a class="reference internal" href="admin/troubleshoot.html#trace-logging"><span class="std std-ref">Trace logging</span></a></li>
<li>GSSAPI/KRB5 multi-realm support</li>
<li>Plugin to test password quality           <a class="reference internal" href="plugindev/pwqual.html#pwqual-plugin"><span class="std std-ref">Password quality interface (pwqual)</span></a></li>
<li>Plugin to synchronize password changes    <a class="reference internal" href="plugindev/kadm5_hook.html#kadm5-hook-plugin"><span class="std std-ref">KADM5 hook interface (kadm5_hook)</span></a></li>
<li>Parallel KDC</li>
<li>GSS-API extensions for SASL GS2 bridge    <span class="target" id="index-8"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc5801.html"><strong>RFC 5801</strong></a> <span class="target" id="index-9"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc5587.html"><strong>RFC 5587</strong></a></li>
<li>Purging old keys</li>
<li>Naming extensions for delegation chain</li>
<li>Password expiration API</li>
<li>Windows client support   (build-only)</li>
<li>IPv6 support in iprop</li>
</ul>
</dd>
<dt>Release 1.10</dt>
<dd><ul class="first last simple">
<li>Plugin interface for configuration        <a class="reference internal" href="plugindev/profile.html#profile-plugin"><span class="std std-ref">Configuration interface (profile)</span></a></li>
<li>Credentials for multiple identities       <a class="reference internal" href="plugindev/ccselect.html#ccselect-plugin"><span class="std std-ref">Credential cache selection interface (ccselect)</span></a></li>
</ul>
</dd>
<dt>Release 1.11</dt>
<dd><ul class="first last simple">
<li>Client support for FAST OTP               <span class="target" id="index-10"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc6560.html"><strong>RFC 6560</strong></a></li>
<li>GSS-API extensions for credential locations</li>
<li>Responder mechanism</li>
</ul>
</dd>
<dt>Release 1.12</dt>
<dd><ul class="first last simple">
<li>Plugin to control krb5_aname_to_localname and krb5_kuserok behavior   <a class="reference internal" href="plugindev/localauth.html#localauth-plugin"><span class="std std-ref">Local authorization interface (localauth)</span></a></li>
<li>Plugin to control hostname-to-realm mappings and the default realm    <a class="reference internal" href="plugindev/hostrealm.html#hostrealm-plugin"><span class="std std-ref">Host-to-realm interface (hostrealm)</span></a></li>
<li>GSSAPI extensions for constructing MIC tokens using IOV lists         <a class="reference internal" href="appdev/gssapi.html#gssapi-mic-token"><span class="std std-ref">IOV MIC tokens</span></a></li>
<li>Principal may refer to nonexistent policies <a class="reference external" href="https://k5wiki.kerberos.org/wiki/Projects/Policy_refcount_elimination">Policy Refcount project</a></li>
<li>Support for having no long-term keys for a principal <a class="reference external" href="https://k5wiki.kerberos.org/wiki/Projects/Principals_without_keys">Principals Without Keys project</a></li>
<li>Collection support to the KEYRING credential cache type on Linux <a class="reference internal" href="basic/ccache_def.html#ccache-definition"><span class="std std-ref">Credential cache</span></a></li>
<li>FAST OTP preauthentication module for the KDC which uses RADIUS to validate OTP token values <a class="reference internal" href="admin/otp.html#otp-preauth"><span class="std std-ref">OTP Preauthentication</span></a></li>
<li>Experimental Audit plugin for KDC processing <a class="reference external" href="https://k5wiki.kerberos.org/wiki/Projects/Audit">Audit project</a></li>
</ul>
</dd>
</dl>
<p>Release 1.13</p>
<blockquote>
<div><ul class="simple">
<li>Add support for accessing KDCs via an HTTPS proxy server using
the <a class="reference external" href="https://msdn.microsoft.com/en-us/library/hh553774.aspx">MS-KKDCP</a>
protocol.</li>
<li>Add support for <a class="reference external" href="https://k5wiki.kerberos.org/wiki/Projects/Hierarchical_iprop">hierarchical incremental propagation</a>,
where replicas can act as intermediates between an upstream master
and other downstream replicas.</li>
<li>Add support for configuring GSS mechanisms using
<code class="docutils literal"><span class="pre">/etc/gss/mech.d/*.conf</span></code> files in addition to
<code class="docutils literal"><span class="pre">/etc/gss/mech</span></code>.</li>
<li>Add support to the LDAP KDB module for <a class="reference external" href="https://k5wiki.kerberos.org/wiki/Projects/LDAP_SASL_support">binding to the LDAP
server using SASL</a>.</li>
<li>The KDC listens for TCP connections by default.</li>
<li>Fix a minor key disclosure vulnerability where using the
“keepold” option to the kadmin randkey operation could return the
old keys. <a class="reference external" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5351">[CVE-2014-5351]</a></li>
<li>Add client support for the Kerberos Cache Manager protocol. If
the host is running a Heimdal kcm daemon, caches served by the
daemon can be accessed with the KCM: cache type.</li>
<li>When built on macOS 10.7 and higher, use “KCM:” as the default
cachetype, unless overridden by command-line options or
krb5-config values.</li>
<li>Add support for doing unlocked database dumps for the DB2 KDC
back end, which would allow the KDC and kadmind to continue
accessing the database during lengthy database dumps.</li>
</ul>
</div></blockquote>
<p>Release 1.14</p>
<blockquote>
<div><ul class="simple">
<li>Administrator experience<ul>
<li>Add a new kdb5_util tabdump command to provide reporting-friendly
tabular dump formats (tab-separated or CSV) for the KDC database.
Unlike the normal dump format, each output table has a fixed number
of fields.  Some tables include human-readable forms of data that
are opaque in ordinary dump files.  This format is also suitable for
importing into relational databases for complex queries.</li>
<li>Add support to kadmin and kadmin.local for specifying a single
command line following any global options, where the command
arguments are split by the shell; for example, “kadmin getprinc
principalname”.  Commands issued this way do not prompt for
confirmation or display warning messages, and exit with non-zero
status if the operation fails.</li>
<li>Accept the same principal flag names in kadmin as we do for the
default_principal_flags kdc.conf variable, and vice versa.  Also
accept flag specifiers in the form that kadmin prints, as well as
hexadecimal numbers.</li>
<li>Remove the triple-DES and RC4 encryption types from the default
value of supported_enctypes, which determines the default key and
salt types for new password-derived keys.  By default, keys will
be created only for AES128 and AES256.  This mitigates some types
of password guessing attacks.</li>
<li>Add support for directory names in the KRB5_CONFIG and
KRB5_KDC_PROFILE environment variables.</li>
<li>Add support for authentication indicators, which are ticket
annotations to indicate the strength of the initial authentication.
Add support for the “require_auth” string attribute, which can be
set on server principal entries to require an indicator when
authenticating to the server.</li>
<li>Add support for key version numbers larger than 255 in keytab files,
and for version numbers up to 65535 in KDC databases.</li>
<li>Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC
during pre-authentication, corresponding to the client’s most
preferred encryption type.</li>
<li>Add support for server name identification (SNI) when proxying KDC
requests over HTTPS.</li>
<li>Add support for the err_fmt profile parameter, which can be used to
generate custom-formatted error messages.</li>
</ul>
</li>
<li>Developer experience:<ul>
<li>Change gss_acquire_cred_with_password() to acquire credentials into
a private memory credential cache.  Applications can use
gss_store_cred() to make the resulting credentials visible to other
processes.</li>
<li>Change gss_acquire_cred() and SPNEGO not to acquire credentials for
IAKERB or for non-standard variants of the krb5 mechanism OID unless
explicitly requested.  (SPNEGO will still accept the Microsoft
variant of the krb5 mechanism OID during negotiation.)</li>
<li>Change gss_accept_sec_context() not to accept tokens for IAKERB or
for non-standard variants of the krb5 mechanism OID unless an
acceptor credential is acquired for those mechanisms.</li>
<li>Change gss_acquire_cred() to immediately resolve credentials if the
time_rec parameter is not NULL, so that a correct expiration time
can be returned.  Normally credential resolution is delayed until
the target name is known.</li>
<li>Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs,
which can be used by plugin modules or applications to add prefixes
to existing detailed error messages.</li>
<li>Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which
implement the RFC 6113 PRF+ operation and key derivation using PRF+.</li>
<li>Add support for pre-authentication mechanisms which use multiple
round trips, using the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error
code.  Add get_cookie() and set_cookie() callbacks to the kdcpreauth
interface; these callbacks can be used to save marshalled state
information in an encrypted cookie for the next request.</li>
<li>Add a client_key() callback to the kdcpreauth interface to retrieve
the chosen client key, corresponding to the ETYPE-INFO2 entry sent
by the KDC.</li>
<li>Add an add_auth_indicator() callback to the kdcpreauth interface,
allowing pre-authentication modules to assert authentication
indicators.</li>
<li>Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to
suppress sending the confidentiality and integrity flags in GSS
initiator tokens unless they are requested by the caller.  These
flags control the negotiated SASL security layer for the Microsoft
GSS-SPNEGO SASL mechanism.</li>
<li>Make the FILE credential cache implementation less prone to
corruption issues in multi-threaded programs, especially on
platforms with support for open file description locks.</li>
</ul>
</li>
<li>Performance:<ul>
<li>On replica KDCs, poll the master KDC immediately after processing
a full resync, and do not require two full resyncs after the
master KDC’s log file is reset.</li>
</ul>
</li>
</ul>
</div></blockquote>
<p>Release 1.15</p>
<ul class="simple">
<li>Administrator experience:<ul>
<li>Add support to kadmin for remote extraction of current keys
without changing them (requires a special kadmin permission that
is excluded from the wildcard permission), with the exception of
highly protected keys.</li>
<li>Add a lockdown_keys principal attribute to prevent retrieval of
the principal’s keys (old or new) via the kadmin protocol.  In
newly created databases, this attribute is set on the krbtgt and
kadmin principals.</li>
<li>Restore recursive dump capability for DB2 back end, so sites can
more easily recover from database corruption resulting from power
failure events.</li>
<li>Add DNS auto-discovery of KDC and kpasswd servers from URI
records, in addition to SRV records.  URI records can convey TCP
and UDP servers and master KDC status in a single DNS lookup, and
can also point to HTTPS proxy servers.</li>
<li>Add support for password history to the LDAP back end.</li>
<li>Add support for principal renaming to the LDAP back end.</li>
<li>Use the getrandom system call on supported Linux kernels to avoid
blocking problems when getting entropy from the operating system.</li>
</ul>
</li>
<li>Code quality:<ul>
<li>Clean up numerous compilation warnings.</li>
<li>Remove various infrequently built modules, including some preauth
modules that were not built by default.</li>
</ul>
</li>
<li>Developer experience:<ul>
<li>Add support for building with OpenSSL 1.1.</li>
<li>Use SHA-256 instead of MD5 for (non-cryptographic) hashing of
authenticators in the replay cache.  This helps sites that must
build with FIPS 140 conformant libraries that lack MD5.</li>
</ul>
</li>
<li>Protocol evolution:<ul>
<li>Add support for the AES-SHA2 enctypes, which allows sites to
conform to Suite B crypto requirements.</li>
</ul>
</li>
</ul>
<p>Release 1.16</p>
<ul class="simple">
<li>Administrator experience:<ul>
<li>The KDC can match PKINIT client certificates against the
“pkinit_cert_match” string attribute on the client principal
entry, using the same syntax as the existing “pkinit_cert_match”
profile option.</li>
<li>The ktutil addent command supports the “-k 0” option to ignore the
key version, and the “-s” option to use a non-default salt string.</li>
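The 1.14 notes above mention support for key version numbers larger than 255 in keytab files; the following is an added, editor-written Python reader and writer for the version 0x0502 keytab record format that shows how this works (this is example code, not part of MIT krb5). It assumes the documented layout of an entry (component count, counted strings, name type, timestamp, 8-bit vno, key block, then an optional trailing 32-bit vno that takes precedence when non-zero); the principal names, timestamp and all-zero placeholder keys in the sample keytab are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Keytab format 0x0502: big-endian integers; each record is prefixed by a signed
# 32-bit length, and a negative length marks a deleted slot that readers skip.
KEYTAB_MAGIC = b"\x05\x02"


@dataclass
class KeytabEntry:
    realm: str
    components: List[str]
    name_type: int
    timestamp: int
    enctype: int
    key: bytes
    kvno: int  # effective key version number (may exceed 255)

    @property
    def principal(self) -> str:
        return "/".join(self.components) + "@" + self.realm


def _counted(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read a 16-bit length-prefixed byte string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_entry(body: bytes) -> KeytabEntry:
    """Decode one record. The 8-bit vno is always present; a trailing 32-bit vno,
    when present and non-zero, overrides it and carries values above 255."""
    off = 0
    (ncomp,) = struct.unpack_from(">H", body, off)
    off += 2
    realm, off = _counted(body, off)
    comps = []
    for _ in range(ncomp):
        c, off = _counted(body, off)
        comps.append(c.decode())
    name_type, timestamp, vno8 = struct.unpack_from(">IIB", body, off)
    off += 9
    (enctype,) = struct.unpack_from(">H", body, off)
    off += 2
    key, off = _counted(body, off)
    kvno = vno8
    if len(body) - off >= 4:  # optional 32-bit vno follows the key block
        (vno32,) = struct.unpack_from(">I", body, off)
        if vno32 != 0:
            kvno = vno32
    return KeytabEntry(realm.decode(), comps, name_type, timestamp, enctype, key, kvno)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Walk the record table, skipping deleted (negative-length) slots."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:
            off += -size
            continue
        entries.append(parse_entry(data[off:off + size]))
        off += size
    return entries


def build_entry(realm: str, comps: List[str], name_type: int, timestamp: int,
                kvno: int, enctype: int, key: bytes, write_vno32: bool = True) -> bytes:
    """Encode one record as a current writer does (vno8 = kvno & 0xFF plus the
    32-bit vno); write_vno32=False mimics an old writer that omitted the field."""
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    if write_vno32:
        body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample keytab: hypothetical principals, all-zero placeholder keys,
# name type 1 = KRB5_NT_PRINCIPAL, enctypes 18/17 = aes256/aes128-cts-hmac-sha1-96.
SAMPLE_KEYTAB = (
    KEYTAB_MAGIC
    + build_entry("EXAMPLE.COM", ["host", "kdc1.example.com"], 1, 1581465600, 3, 18, bytes(32))
    + struct.pack(">i", -5) + b"\x00" * 5  # deleted slot that a reader must skip
    + build_entry("EXAMPLE.COM", ["HTTP", "web.example.com"], 1, 1581465600, 300, 17, bytes(16))
    + build_entry("EXAMPLE.COM", ["old", "svc"], 1, 1581465600, 300, 17, bytes(16), write_vno32=False)
)


def effective_kvnos(data: bytes = SAMPLE_KEYTAB) -> dict:
    """Map principal -> kvno as a reader sees it; the third record shows how kvno
    300 written without the 32-bit field is read back as 300 & 0xFF = 44."""
    return {e.principal: e.kvno for e in parse_keytab(data)}
```

The third record is the failure mode to watch for when an old tool writes a keytab for a principal whose kvno has passed 255: the truncated 8-bit value no longer matches the KDC's kvno and service authentication fails.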
<li>kpropd supports a --pid-file option to write a pid file at
startup, when it is run in standalone mode.</li>
<li>The “encrypted_challenge_indicator” realm option can be used to
attach an authentication indicator to tickets obtained using FAST
encrypted challenge pre-authentication.</li>
<li>Localization support can be disabled at build time with the
--disable-nls configure option.</li>
</ul>
</li>
<li>Developer experience:<ul>
<li>The kdcpolicy pluggable interface allows modules to control whether
tickets are issued by the KDC.</li>
<li>The kadm5_auth pluggable interface allows modules to control
whether kadmind grants access to a kadmin request.</li>
<li>The certauth pluggable interface allows modules to control which
PKINIT client certificates can authenticate to which client
principals.</li>
<li>KDB modules can use the client and KDC interface IP addresses to
determine whether to allow an AS request.</li>
<li>GSS applications can query the bit strength of a krb5 GSS context
using the GSS_C_SEC_CONTEXT_SASL_SSF OID with
gss_inquire_sec_context_by_oid().</li>
<li>GSS applications can query the impersonator name of a krb5 GSS
credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with
gss_inquire_cred_by_oid().</li>
<li>kdcpreauth modules can query the KDC for the canonicalized
requested client principal name, or match a principal name against
the requested client principal name with canonicalization.</li>
</ul>
</li>
<li>Protocol evolution:<ul>
<li>The client library will continue to try pre-authentication
mechanisms after most failure conditions.</li>
<li>The KDC will issue trivially renewable tickets (where the
renewable lifetime is equal to or less than the ticket lifetime)
if requested by the client, to be friendlier to scripts.</li>
<li>The client library will use a random nonce for TGS requests
instead of the current system time.</li>
<li>For the RC4 string-to-key or PAC operations, UTF-16 is supported
(previously only UCS-2 was supported).</li>
<li>When matching PKINIT client certificates, UPN SANs will be matched
correctly as UPNs, with canonicalization.</li>
</ul>
</li>
<li>User experience:<ul>
<li>Dates after the year 2038 are accepted (provided that the platform
time facilities support them), through the year 2106.</li>
<li>Automatic credential cache selection based on the client realm
will take into account the fallback realm and the service
hostname.</li>
<li>Referral and alternate cross-realm TGTs will not be cached,
avoiding some scenarios where they can be added to the credential
cache multiple times.</li>
<li>A German translation has been added.</li>
</ul>
</li>
<li>Code quality:<ul>
<li>The build is warning-clean under clang with the configured warning
options.</li>
<li>The automated test suite runs cleanly under AddressSanitizer.</li>
</ul>
</li>
</ul>
<p>Release 1.17</p>
<ul class="simple">
<li>Administrator experience:<ul>
<li>A new Kerberos database module using the Lightning Memory-Mapped
Database library (LMDB) has been added.  The LMDB KDB module
should be more performant and more robust than the DB2 module, and
may become the default module for new databases in a future
release.</li>
<li>“kdb5_util dump” will no longer dump policy entries when specific
principal names are requested.</li>
</ul>
</li>
<li>Developer experience:<ul>
<li>The new krb5_get_etype_info() API can be used to retrieve enctype,
salt, and string-to-key parameters from the KDC for a client
principal.</li>
<li>The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
principal names to be used with GSS-API functions.</li>
<li>KDC and kadmind modules which call com_err() will now write to the
log file in a format more consistent with other log messages.</li>
<li>Programs which use large numbers of memory credential caches
should perform better.</li>
</ul>
</li>
<li>Protocol evolution:<ul>
<li>The SPAKE pre-authentication mechanism is now supported.  This
mechanism protects against password dictionary attacks without
requiring any additional infrastructure such as certificates.
SPAKE is enabled by default on clients, but must be manually
enabled on the KDC for this release.</li>
<li>PKINIT freshness tokens are now supported.  Freshness tokens can
protect against scenarios where an attacker uses temporary access
to a smart card to generate authentication requests for the
future.</li>
<li>Password change operations now prefer TCP over UDP, to avoid
spurious error messages about replays when a response packet is
dropped.</li>
<li>The KDC now supports cross-realm S4U2Self requests when used with
a third-party KDB module such as Samba’s.  The client code for
cross-realm S4U2Self requests is also now more robust.</li>
</ul>
</li>
<li>User experience:<ul>
<li>The new ktutil addent -f flag can be used to fetch salt
information from the KDC for password-based keys.</li>
<li>The new kdestroy -p option can be used to destroy a credential
cache within a collection by client principal name.</li>
<li>The Kerberos man page has been restored, and documents the
environment variables that affect programs using the Kerberos
library.</li>
</ul>
</li>
<li>Code quality:<ul>
<li>Python test scripts now use Python 3.</li>
<li>Python test scripts now display markers in verbose output, making
it easier to find where a failure occurred within the scripts.</li>
<li>The Windows build system has been simplified and updated to work
with more recent versions of Visual Studio.  A large volume of
unused Windows-specific code has been removed.  Visual Studio 2013
or later is now required.</li>
</ul>
</li>
</ul>
<p>Release 1.18</p>
<ul class="simple">
<li>Administrator experience:<ul>
<li>Remove support for single-DES encryption types.</li>
<li>Change the replay cache format to be more efficient and robust.
Replay cache filenames using the new format end with <code class="docutils literal"><span class="pre">.rcache2</span></code>
by default.</li>
<li>setuid programs will automatically ignore environment variables
that normally affect krb5 API functions, even if the caller does
not use krb5_init_secure_context().</li>
<li>Add an <code class="docutils literal"><span class="pre">enforce_ok_as_delegate</span></code> krb5.conf relation to disable
credential forwarding during GSSAPI authentication unless the KDC
sets the ok-as-delegate bit in the service ticket.</li>
<li>Use the <code class="docutils literal"><span class="pre">permitted_enctypes</span></code> krb5.conf setting as the default
value for <code class="docutils literal"><span class="pre">default_tkt_enctypes</span></code> and <code class="docutils literal"><span class="pre">default_tgs_enctypes</span></code>.</li>
</ul>
</li>
<li>Developer experience:<ul>
<li>Implement krb5_cc_remove_cred() for all credential cache types.</li>
<li>Add the krb5_pac_get_client_info() API to get the client account
name from a PAC.</li>
</ul>
</li>
<li>Protocol evolution:<ul>
<li>Add KDC support for S4U2Self requests where the user is identified
by X.509 certificate.  (Requires support for certificate lookup
from a third-party KDB module.)</li>
<li>Remove support for an old (“draft 9”) variant of PKINIT.</li>
<li>Add support for Microsoft NegoEx.  (Requires one or more
third-party GSS modules implementing NegoEx mechanisms.)</li>
<li>Honor the transited-policy-checked ticket flag on application
servers, eliminating the requirement to configure capaths on
servers in some scenarios.</li>
</ul>
</li>
<li>User experience:<ul>
<li>Add support for <code class="docutils literal"><span class="pre">dns_canonicalize_hostname=fallback</span></code>, causing
host-based principal names to be tried first without DNS
canonicalization, and again with DNS canonicalization if the
un-canonicalized server is not found.</li>
<li>Expand single-component hostnames in host-based principal names
when DNS canonicalization is not used, adding the system’s first
DNS search path as a suffix.  Add a <code class="docutils literal"><span class="pre">qualify_shortname</span></code>
krb5.conf relation to override this suffix or disable expansion.</li>
</ul>
</li>
<li>Code quality:<ul>
<li>The libkrb5 serialization code (used to export and import krb5 GSS
security contexts) has been simplified and made type-safe.</li>
<li>The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
messages has been revised to conform to current coding practices.</li>
<li>The test suite has been modified to work with macOS System
Integrity Protection enabled.</li>
<li>The test suite incorporates soft-pkcs11 so that PKINIT PKCS11
support can always be tested.</li>
  555 </ul>
  556 </li>
  557 </ul>
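<p>The krb5.conf relations introduced or changed in 1.18 (<code class="docutils literal"><span class="pre">permitted_enctypes</span></code> seeding the default ticket enctypes, <code class="docutils literal"><span class="pre">enforce_ok_as_delegate</span></code>, <code class="docutils literal"><span class="pre">dns_canonicalize_hostname=fallback</span></code> and <code class="docutils literal"><span class="pre">qualify_shortname</span></code>) gathered into one <code class="docutils literal"><span class="pre">[libdefaults]</span></code> fragment, as an added illustration that is not part of the MIT Kerberos documentation. The relation names and the <code class="docutils literal"><span class="pre">fallback</span></code> value are those in the release notes above; the enctype list and the <code class="docutils literal"><span class="pre">example.com</span></code> suffix are constructed sample values chosen for this example.</p>

```ini
[libdefaults]
    # Added example, not MIT's own configuration.  Release 1.18 removed
    # single-DES entirely, so des-* names no longer need to be (and cannot
    # be) listed here.  Because permitted_enctypes is now the default for
    # default_tkt_enctypes and default_tgs_enctypes, this one line pins
    # the enctypes a client will accept, request in AS-REQs and request in
    # TGS-REQs, without repeating the list three times.
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

    # Forward credentials during GSSAPI authentication only when the KDC
    # has set the ok-as-delegate bit in the service ticket.  This keeps a
    # service from receiving a TGT it was never marked trusted to hold.
    enforce_ok_as_delegate = true

    # Try the host-based principal as typed first; canonicalize through
    # DNS only if the un-canonicalized server principal is not found.
    dns_canonicalize_hostname = fallback

    # When DNS canonicalization is not used, a single-component hostname
    # such as "mailhost" is expanded to "mailhost.example.com".  Omitting
    # this relation uses the system's first DNS search path instead;
    # setting it to an empty value disables the expansion.
    qualify_shortname = example.com
```

<p>The <code class="docutils literal"><span class="pre">enforce_ok_as_delegate</span></code> and <code class="docutils literal"><span class="pre">dns_canonicalize_hostname</span></code> relations both shift a decision from the client to the KDC or to an explicit configuration: delegation becomes something the KDC administrator grants per service, and service principal lookup no longer depends on whatever a resolver returns before the un-canonicalized name has been tried.</p>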
  558 <p><cite>Pre-authentication mechanisms</cite></p>
  559 <ul class="simple">
  560 <li>PW-SALT                                         <span class="target" id="index-11"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc4120.html#section-5.2.7.3"><strong>RFC 4120#section-5.2.7.3</strong></a></li>
  561 <li>ENC-TIMESTAMP                                   <span class="target" id="index-12"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc4120.html#section-5.2.7.2"><strong>RFC 4120#section-5.2.7.2</strong></a></li>
  562 <li>SAM-2</li>
  563 <li>FAST negotiation framework   (release 1.8)      <span class="target" id="index-13"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc6113.html"><strong>RFC 6113</strong></a></li>
  564 <li>PKINIT with FAST on client   (release 1.10)     <span class="target" id="index-14"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc6113.html"><strong>RFC 6113</strong></a></li>
  565 <li>PKINIT                                          <span class="target" id="index-15"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a></li>
  566 <li>FX-COOKIE                                       <span class="target" id="index-16"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc6113.html#section-5.2"><strong>RFC 6113#section-5.2</strong></a></li>
  567 <li>S4U-X509-USER                (release 1.8)      <a class="reference external" href="https://msdn.microsoft.com/en-us/library/cc246091">https://msdn.microsoft.com/en-us/library/cc246091</a></li>
  568 <li>OTP                          (release 1.12)     <a class="reference internal" href="admin/otp.html#otp-preauth"><span class="std std-ref">OTP Preauthentication</span></a></li>
  569 <li>SPAKE                        (release 1.17)     <a class="reference internal" href="admin/spake.html#spake"><span class="std std-ref">SPAKE Preauthentication</span></a></li>
  570 </ul>
  571 <p><cite>PRNG</cite></p>
  572 <ul class="simple">
  573 <li>modularity       (release 1.9)</li>
  574 <li>Yarrow PRNG      (release &lt; 1.10)</li>
  575 <li>Fortuna PRNG     (release 1.9)       <a class="reference external" href="https://www.schneier.com/book-practical.html">https://www.schneier.com/book-practical.html</a></li>
  576 <li>OS PRNG          (release 1.10)      OS’s native PRNG</li>
  577 </ul>
  578 </div>
  579 </div>
  580 
  581 
  582           </div>
  583         </div>
  584       </div>
  585         </div>
  623         <div class="clearer"></div>
  624       </div>
  625     </div>
  626 
  627     <div class="footer-wrapper">
  628         <div class="footer" >
  629             <div class="right" ><i>Release: 1.18</i><br />
  630                 &copy; <a href="copyright.html">Copyright</a> 1985-2019, MIT.
  631             </div>
  632             <div class="left">
  633                 
  634         <a href="index.html" title="Full Table of Contents"
  635             >Contents</a> |
  636         <a href="formats/freshness_token.html" title="PKINIT freshness tokens"
  637             >previous</a> |
  638         <a href="mitK5license.html" title="MIT Kerberos License information"
  639             >next</a> |
  640         <a href="genindex.html" title="General Index"
  641             >index</a> |
  642         <a href="search.html" title="Enter search criteria"
  643             >Search</a> |
  644     <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__MIT Kerberos features">feedback</a>
  645             </div>
  646         </div>
  647     </div>
  648 
  649   </body>
  650 </html>