MIT Kerberos features

http://web.mit.edu/kerberos

Quick facts

License - MIT Kerberos License information

Releases:

• Latest stable: http://web.mit.edu/kerberos/krb5-1.14/
• Supported: http://web.mit.edu/kerberos/krb5-1.13/
• Release cycle: 9 – 12 months

Supported platforms / OS distributions:

• Windows (KfW 4.0): Windows 7, Vista, XP
• Solaris: SPARC, x86_64/x86
• GNU/Linux: Debian x86_64/x86, Ubuntu x86_64/x86, RedHat x86_64/x86
• BSD: NetBSD x86_64/x86

Crypto backends:

• builtin - MIT Kerberos native crypto library
• OpenSSL (1.0+) - http://www.openssl.org
• NSS (3.12.9+) - http://www.mozilla.org/projects/security/pki/nss

Database backends: LDAP, DB2

krb4 support: Kerberos 5 release < 1.8

DES support: configurable (See Retiring DES)

Interoperability

Microsoft

Starting from release 1.7:

• Follow client principal referrals in the client library when obtaining initial tickets.
• KDC can issue realm referrals for service principals based on domain names.
• Extensions supporting DCE RPC, including three-leg GSS context setup and unencapsulated GSS tokens inside SPNEGO.
• Microsoft GSS_WrapEX, implemented using the gss_iov API, which is similar to the equivalent SSPI functionality. This is needed to support some instances of DCE RPC.
• NTLM recognition support in GSS-API, to facilitate dropping in an NTLM implementation for improved compatibility with older releases of Microsoft Windows.
• KDC support for principal aliases, if the back end supports them. Currently, only the LDAP back end supports aliases.
• Support Microsoft set/change password (RFC 3244) protocol in kadmind.
• Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which allows a GSS application to request credential delegation only if permitted by KDC policy.

Starting from release 1.8:

• Microsoft Services for User (S4U) compatibility

Heimdal

• Support for reading Heimdal database starting from release 1.8

Feature list

For more information on the specific project see http://k5wiki.kerberos.org/wiki/Projects

Release 1.7

• Credentials delegation RFC 5896
• Cross-realm authentication and referrals RFC 6806
• Master key migration
• PKINIT RFC 4556 PKINIT configuration

Release 1.8

• Anonymous PKINIT RFC 6112 Anonymous PKINIT
• Constrained delegation
• IAKERB http://tools.ietf.org/html/draft-ietf-krb-wg-iakerb-02
• Heimdal bridge plugin for KDC backend
• GSS-API S4U extensions http://msdn.microsoft.com/en-us/library/cc246071
• GSS-API naming extensions RFC 6680
• GSS-API extensions for storing delegated credentials RFC 5588

Release 1.9

• Advance warning on password expiry
• Camellia encryption (CTS-CMAC mode) RFC 6803
• KDC support for SecurID preauthentication
• kadmin over IPv6
• Trace logging Trace logging
• GSSAPI/KRB5 multi-realm support
• Plugin to test password quality Password quality interface (pwqual)
• Plugin to synchronize password changes KADM5 hook interface (kadm5_hook)
• Parallel KDC
• GSS-API extentions for SASL GS2 bridge RFC 5801 RFC 5587
• Purging old keys
• Naming extensions for delegation chain
• Password expiration API
• Windows client support (build-only)
• IPv6 support in iprop

Release 1.10

• Plugin interface for configuration Configuration interface (profile)
• Credentials for multiple identities Credential cache selection interface (ccselect)

Release 1.11

• Client support for FAST OTP RFC 6560
• GSS-API extensions for credential locations
• Responder mechanism

Release 1.12

• Plugin to control krb5_aname_to_localname and krb5_kuserok behavior Local authorization interface (localauth)
• Plugin to control hostname-to-realm mappings and the default realm Host-to-realm interface (hostrealm)
• GSSAPI extensions for constructing MIC tokens using IOV lists IOV MIC tokens
• Principal may refer to nonexistent policies Policy Refcount project
• Support for having no long-term keys for a principal Principals Without Keys project
• Collection support to the KEYRING credential cache type on Linux Credential cache
• FAST OTP preauthentication module for the KDC which uses RADIUS to validate OTP token values OTP Preauthentication
• Experimental Audit plugin for KDC processing Audit project

Pre-authentication mechanisms

• PW-SALT RFC 4120
• ENC-TIMESTAMP RFC 4120
• SAM-2
• FAST negotiation framework (release 1.8) RFC 6113
• PKINIT with FAST on client (release 1.10) RFC 6113
• PKINIT RFC 4556
• FX-COOKIE RFC 6113
• S4U-X509-USER (release 1.8) http://msdn.microsoft.com/en-us/library/cc246091
• OTP (release 1.12) OTP Preauthentication

PRNG

• modularity (release 1.9)
• Yarrow PRNG (release < 1.10)
• Fortuna PRNG (release 1.9) http://www.schneier.com/book-practical.html
• OS PRNG (release 1.10) OS’s native PRNG