<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>MIT Kerberos features — MIT Kerberos Documentation</title> <link rel="stylesheet" href="_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="_static/kerb.css" type="text/css" /> <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: './', VERSION: '1.12.2', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', HAS_SOURCE: true }; </script> <script type="text/javascript" src="_static/jquery.js"></script> <script type="text/javascript" src="_static/underscore.js"></script> <script type="text/javascript" src="_static/doctools.js"></script> <link rel="author" title="About these documents" href="about.html" /> <link rel="copyright" title="Copyright" href="copyright.html" /> <link rel="top" title="MIT Kerberos Documentation" href="index.html" /> <link rel="next" title="MIT Kerberos License information" href="mitK5license.html" /> <link rel="prev" title="Supported date and time formats" href="basic/date_format.html" /> </head> <body> <div class="header-wrapper"> <div class="header"> <h1><a href="index.html">MIT Kerberos Documentation</a></h1> <div class="rel"> <a href="index.html" title="Full Table of Contents" accesskey="C">Contents</a> | <a href="basic/date_format.html" title="Supported date and time formats" accesskey="P">previous</a> | <a href="mitK5license.html" title="MIT Kerberos License information" accesskey="N">next</a> | <a href="genindex.html" title="General Index" accesskey="I">index</a> | <a href="search.html" title="Enter search criteria" accesskey="S">Search</a> | <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__MIT Kerberos features">feedback</a> </div> </div> </div> <div class="content-wrapper"> <div 
class="content"> <div class="document"> <div class="documentwrapper"> <div class="bodywrapper"> <div class="body"> <div class="toctree-wrapper compound"> </div> <div class="section" id="mit-kerberos-features"> <span id="mitk5features"></span><h1>MIT Kerberos features<a class="headerlink" href="#mit-kerberos-features" title="Permalink to this headline">¶</a></h1> <p><a class="reference external" href="http://web.mit.edu/kerberos">http://web.mit.edu/kerberos</a></p> <div class="section" id="quick-facts"> <h2>Quick facts<a class="headerlink" href="#quick-facts" title="Permalink to this headline">¶</a></h2> <p>License - <a class="reference internal" href="mitK5license.html#mitk5license"><em>MIT Kerberos License information</em></a></p> <dl class="docutils"> <dt>Releases:</dt> <dd><ul class="first last simple"> <li>Latest stable: <a class="reference external" href="http://web.mit.edu/kerberos/krb5-1.11/">http://web.mit.edu/kerberos/krb5-1.11/</a></li> <li>Supported: <a class="reference external" href="http://web.mit.edu/kerberos/krb5-1.10/">http://web.mit.edu/kerberos/krb5-1.10/</a></li> <li>Release cycle: 9 – 12 months</li> </ul> </dd> <dt>Supported platforms / OS distributions:</dt> <dd><ul class="first last simple"> <li>Windows (KfW 4.0): Windows 7, Vista, XP</li> <li>Solaris: SPARC, x86_64/x86</li> <li>GNU/Linux: Debian x86_64/x86, Ubuntu x86_64/x86, RedHat x86_64/x86</li> <li>BSD: NetBSD x86_64/x86</li> </ul> </dd> <dt>Crypto backends:</dt> <dd><ul class="first last simple"> <li>builtin - MIT Kerberos native crypto library</li> <li>OpenSSL (1.0+) - <a class="reference external" href="http://www.openssl.org">http://www.openssl.org</a></li> <li>NSS (3.12.9+) - <a class="reference external" href="http://www.mozilla.org/projects/security/pki/nss">http://www.mozilla.org/projects/security/pki/nss</a></li> </ul> </dd> </dl> <p>Database backends: LDAP, DB2</p> <p>krb4 support: Kerberos 5 release &lt; 1.8</p> <p>DES support: configurable (See <a class="reference internal" 
href="admin/advanced/retiring-des.html#retiring-des"><em>Retiring DES</em></a>)</p> </div> <div class="section" id="interoperability"> <h2>Interoperability<a class="headerlink" href="#interoperability" title="Permalink to this headline">¶</a></h2> <p><cite>Microsoft</cite></p> <p>Starting from release 1.7:</p> <ul class="simple"> <li>Follow client principal referrals in the client library when obtaining initial tickets.</li> <li>KDC can issue realm referrals for service principals based on domain names.</li> <li>Extensions supporting DCE RPC, including three-leg GSS context setup and unencapsulated GSS tokens inside SPNEGO.</li> <li>Microsoft GSS_WrapEX, implemented using the gss_iov API, which is similar to the equivalent SSPI functionality. This is needed to support some instances of DCE RPC.</li> <li>NTLM recognition support in GSS-API, to facilitate dropping in an NTLM implementation for improved compatibility with older releases of Microsoft Windows.</li> <li>KDC support for principal aliases, if the back end supports them. 
Currently, only the LDAP back end supports aliases.</li> <li>Support Microsoft set/change password (<span class="target" id="index-0"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc3244.html"><strong>RFC 3244</strong></a>) protocol in kadmind.</li> <li>Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which allows a GSS application to request credential delegation only if permitted by KDC policy.</li> </ul> <p>Starting from release 1.8:</p> <ul class="simple"> <li>Microsoft Services for User (S4U) compatibility</li> </ul> <p><cite>Heimdal</cite></p> <ul class="simple"> <li>Support for reading Heimdal database starting from release 1.8</li> </ul> </div> <div class="section" id="feature-list"> <h2>Feature list<a class="headerlink" href="#feature-list" title="Permalink to this headline">¶</a></h2> <p>For more information on a specific project, see <a class="reference external" href="http://k5wiki.kerberos.org/wiki/Projects">http://k5wiki.kerberos.org/wiki/Projects</a></p> <dl class="docutils"> <dt>Release 1.7</dt> <dd><ul class="first last simple"> <li>Credentials delegation <span class="target" id="index-1"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc5896.html"><strong>RFC 5896</strong></a></li> <li>Cross-realm authentication and referrals <span class="target" id="index-2"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc6806.html"><strong>RFC 6806</strong></a></li> <li>Master key migration</li> <li>PKINIT <span class="target" id="index-3"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a> <a class="reference internal" href="admin/pkinit.html#pkinit"><em>PKINIT configuration</em></a></li> </ul> </dd> <dt>Release 1.8</dt> <dd><ul class="first last simple"> <li>Anonymous PKINIT <span class="target" id="index-4"></span><a class="rfc reference external" 
href="http://tools.ietf.org/html/rfc6112.html"><strong>RFC 6112</strong></a> <a class="reference internal" href="admin/pkinit.html#anonymous-pkinit"><em>Anonymous PKINIT</em></a></li> <li>Constrained delegation</li> <li>IAKERB <a class="reference external" href="http://tools.ietf.org/html/draft-ietf-krb-wg-iakerb-02">http://tools.ietf.org/html/draft-ietf-krb-wg-iakerb-02</a></li> <li>Heimdal bridge plugin for KDC backend</li> <li>GSS-API S4U extensions <a class="reference external" href="http://msdn.microsoft.com/en-us/library/cc246071">http://msdn.microsoft.com/en-us/library/cc246071</a></li> <li>GSS-API naming extensions <span class="target" id="index-5"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc6680.html"><strong>RFC 6680</strong></a></li> <li>GSS-API extensions for storing delegated credentials <span class="target" id="index-6"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc5588.html"><strong>RFC 5588</strong></a></li> </ul> </dd> <dt>Release 1.9</dt> <dd><ul class="first last simple"> <li>Advance warning on password expiry</li> <li>Camellia encryption (CTS-CMAC mode) <span class="target" id="index-7"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc6803.html"><strong>RFC 6803</strong></a></li> <li>KDC support for SecurID preauthentication</li> <li>kadmin over IPv6</li> <li>Trace logging <a class="reference internal" href="admin/troubleshoot.html#trace-logging"><em>Trace logging</em></a></li> <li>GSSAPI/KRB5 multi-realm support</li> <li>Plugin to test password quality <a class="reference internal" href="plugindev/pwqual.html#pwqual-plugin"><em>Password quality interface (pwqual)</em></a></li> <li>Plugin to synchronize password changes <a class="reference internal" href="plugindev/kadm5_hook.html#kadm5-hook-plugin"><em>KADM5 hook interface (kadm5_hook)</em></a></li> <li>Parallel KDC</li> <li>GSS-API extensions for SASL GS2 bridge <span class="target" 
id="index-8"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc5801.html"><strong>RFC 5801</strong></a> <span class="target" id="index-9"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc5587.html"><strong>RFC 5587</strong></a></li> <li>Purging old keys</li> <li>Naming extensions for delegation chain</li> <li>Password expiration API</li> <li>Windows client support (build-only)</li> <li>IPv6 support in iprop</li> </ul> </dd> <dt>Release 1.10</dt> <dd><ul class="first last simple"> <li>Plugin interface for configuration <a class="reference internal" href="plugindev/profile.html#profile-plugin"><em>Configuration interface (profile)</em></a></li> <li>Credentials for multiple identities <a class="reference internal" href="plugindev/ccselect.html#ccselect-plugin"><em>Credential cache selection interface (ccselect)</em></a></li> </ul> </dd> <dt>Release 1.11</dt> <dd><ul class="first last simple"> <li>Client support for FAST OTP <span class="target" id="index-10"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc6560.html"><strong>RFC 6560</strong></a></li> <li>GSS-API extensions for credential locations</li> <li>Responder mechanism</li> </ul> </dd> </dl> <p><cite>Pre-authentication mechanisms</cite></p> <ul class="simple"> <li>PW-SALT <span class="target" id="index-11"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc4120.html#section-5.2.7.3"><strong>RFC 4120</strong></a></li> <li>ENC-TIMESTAMP <span class="target" id="index-12"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc4120.html#section-5.2.7.2"><strong>RFC 4120</strong></a></li> <li>SAM-2</li> <li>FAST negotiation framework (release 1.8) <span class="target" id="index-13"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc6113.html"><strong>RFC 6113</strong></a></li> <li>PKINIT with FAST on client (release 1.10) <span class="target" 
id="index-14"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc6113.html"><strong>RFC 6113</strong></a></li> <li>PKINIT <span class="target" id="index-15"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a></li> <li>FX-COOKIE <span class="target" id="index-16"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc6113.html#section-5.2"><strong>RFC 6113</strong></a></li> <li>S4U-X509-USER (release 1.8) <a class="reference external" href="http://msdn.microsoft.com/en-us/library/cc246091">http://msdn.microsoft.com/en-us/library/cc246091</a></li> </ul> <p><cite>PRNG</cite></p> <ul class="simple"> <li>modularity (release 1.9)</li> <li>Yarrow PRNG (release &lt; 1.10)</li> <li>Fortuna PRNG (release 1.9) <a class="reference external" href="http://www.schneier.com/book-practical.html">http://www.schneier.com/book-practical.html</a></li> <li>OS PRNG (release 1.10): the operating system’s native PRNG</li> </ul> </div> </div> </div> </div> </div> </div> <div class="clearer"></div> </div> </div> <div class="footer-wrapper"> <div class="footer" > <div class="right" ><i>Release: 1.12.2</i><br /> © <a href="copyright.html">Copyright</a> 1985-2014, MIT. </div> </div> </div> </body> </html>