1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>MIT Kerberos features — MIT Kerberos Documentation</title>
<link rel="stylesheet" href="_static/agogo.css" type="text/css" />
<link rel="stylesheet" href="_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="_static/kerb.css" type="text/css" />
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '',
VERSION: '1.12.1',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
};
</script>
<script type="text/javascript" src="_static/jquery.js"></script>
<script type="text/javascript" src="_static/underscore.js"></script>
<script type="text/javascript" src="_static/doctools.js"></script>
<link rel="author" title="About these documents" href="about.html" />
<link rel="copyright" title="Copyright" href="copyright.html" />
<link rel="top" title="MIT Kerberos Documentation" href="index.html" />
<link rel="next" title="MIT Kerberos License information" href="mitK5license.html" />
<link rel="prev" title="Supported date and time formats" href="basic/date_format.html" />
</head>
<body>
<div class="header-wrapper">
<div class="header">
<h1><a href="index.html">MIT Kerberos Documentation</a></h1>
<div class="rel">
<a href="index.html" title="Full Table of Contents"
accesskey="C">Contents</a> |
<a href="basic/date_format.html" title="Supported date and time formats"
accesskey="P">previous</a> |
<a href="mitK5license.html" title="MIT Kerberos License information"
accesskey="N">next</a> |
<a href="genindex.html" title="General Index"
accesskey="I">index</a> |
<a href="search.html" title="Enter search criteria"
accesskey="S">Search</a> |
<a href="mailto:krb5-bugs@mit.edu?subject=Documentation__MIT Kerberos features">feedback</a>
</div>
</div>
</div>
<div class="content-wrapper">
<div class="content">
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body">
<div class="toctree-wrapper compound">
</div>
<div class="section" id="mit-kerberos-features">
<span id="mitk5features"></span><h1>MIT Kerberos features<a class="headerlink" href="#mit-kerberos-features" title="Permalink to this headline">¶</a></h1>
<p><a class="reference external" href="http://web.mit.edu/kerberos">http://web.mit.edu/kerberos</a></p>
<div class="section" id="quick-facts">
<h2>Quick facts<a class="headerlink" href="#quick-facts" title="Permalink to this headline">¶</a></h2>
<p>License - <a class="reference internal" href="mitK5license.html#mitk5license"><em>MIT Kerberos License information</em></a></p>
<dl class="docutils">
<dt>Releases:</dt>
<dd><ul class="first last simple">
<li>Latest stable: <a class="reference external" href="http://web.mit.edu/kerberos/krb5-1.11/">http://web.mit.edu/kerberos/krb5-1.11/</a></li>
<li>Supported: <a class="reference external" href="http://web.mit.edu/kerberos/krb5-1.10/">http://web.mit.edu/kerberos/krb5-1.10/</a></li>
<li>Release cycle: 9 – 12 months</li>
</ul>
</dd>
<dt>Supported platforms / OS distributions:</dt>
<dd><ul class="first last simple">
<li>Windows (KfW 4.0): Windows 7, Vista, XP</li>
<li>Solaris: SPARC, x86_64/x86</li>
<li>GNU/Linux: Debian x86_64/x86, Ubuntu x86_64/x86, RedHat x86_64/x86</li>
<li>BSD: NetBSD x86_64/x86</li>
</ul>
</dd>
<dt>Crypto backends:</dt>
<dd><ul class="first last simple">
<li>builtin - MIT Kerberos native crypto library</li>
<li>OpenSSL (1.0+) - <a class="reference external" href="http://www.openssl.org">http://www.openssl.org</a></li>
<li>NSS (3.12.9+) - <a class="reference external" href="http://www.mozilla.org/projects/security/pki/nss">http://www.mozilla.org/projects/security/pki/nss</a></li>
</ul>
</dd>
</dl>
<p>Database backends: LDAP, DB2</p>
<p>krb4 support: Kerberos 5 release < 1.8</p>
<p>DES support: configurable (See <a class="reference internal" href="admin/advanced/retiring-des.html#retiring-des"><em>Retiring DES</em></a>)</p>
</div>
<div class="section" id="interoperability">
<h2>Interoperability<a class="headerlink" href="#interoperability" title="Permalink to this headline">¶</a></h2>
<p><cite>Microsoft</cite></p>
<p>Starting from release 1.7:</p>
<ul class="simple">
<li>Follow client principal referrals in the client library when
obtaining initial tickets.</li>
<li>KDC can issue realm referrals for service principals based on domain names.</li>
<li>Extensions supporting DCE RPC, including three-leg GSS context setup
and unencapsulated GSS tokens inside SPNEGO.</li>
<li>Microsoft GSS_WrapEX, implemented using the gss_iov API, which is
similar to the equivalent SSPI functionality. This is needed to
support some instances of DCE RPC.</li>
<li>NTLM recognition support in GSS-API, to facilitate dropping in an
NTLM implementation for improved compatibility with older releases
of Microsoft Windows.</li>
<li>KDC support for principal aliases, if the back end supports them.
Currently, only the LDAP back end supports aliases.</li>
<li>Support Microsoft set/change password (<span class="target" id="index-0"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc3244.html"><strong>RFC 3244</strong></a>) protocol in
kadmind.</li>
<li>Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which
allows a GSS application to request credential delegation only if
permitted by KDC policy.</li>
</ul>
<p>Starting from release 1.8:</p>
<ul class="simple">
<li>Microsoft Services for User (S4U) compatibility</li>
</ul>
<p><cite>Heimdal</cite></p>
<ul class="simple">
<li>Support for reading Heimdal database starting from release 1.8</li>
</ul>
</div>
<div class="section" id="feature-list">
<h2>Feature list<a class="headerlink" href="#feature-list" title="Permalink to this headline">¶</a></h2>
<p>For more information on the specific project see <a class="reference external" href="http://k5wiki.kerberos.org/wiki/Projects">http://k5wiki.kerberos.org/wiki/Projects</a></p>
<dl class="docutils">
<dt>Release 1.7</dt>
<dd><ul class="first last simple">
<li>Credentials delegation <span class="target" id="index-1"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc5896.html"><strong>RFC 5896</strong></a></li>
<li>Cross-realm authentication and referrals <span class="target" id="index-2"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc6806.html"><strong>RFC 6806</strong></a></li>
<li>Master key migration</li>
<li>PKINIT <span class="target" id="index-3"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a> <a class="reference internal" href="admin/pkinit.html#pkinit"><em>PKINIT configuration</em></a></li>
</ul>
</dd>
<dt>Release 1.8</dt>
<dd><ul class="first last simple">
<li>Anonymous PKINIT <span class="target" id="index-4"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc6112.html"><strong>RFC 6112</strong></a> <a class="reference internal" href="admin/pkinit.html#anonymous-pkinit"><em>Anonymous PKINIT</em></a></li>
<li>Constrained delegation</li>
<li>IAKERB <a class="reference external" href="http://tools.ietf.org/html/draft-ietf-krb-wg-iakerb-02">http://tools.ietf.org/html/draft-ietf-krb-wg-iakerb-02</a></li>
<li>Heimdal bridge plugin for KDC backend</li>
<li>GSS-API S4U extensions <a class="reference external" href="http://msdn.microsoft.com/en-us/library/cc246071">http://msdn.microsoft.com/en-us/library/cc246071</a></li>
<li>GSS-API naming extensions <span class="target" id="index-5"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc6680.html"><strong>RFC 6680</strong></a></li>
<li>GSS-API extensions for storing delegated credentials <span class="target" id="index-6"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc5588.html"><strong>RFC 5588</strong></a></li>
</ul>
</dd>
<dt>Release 1.9</dt>
<dd><ul class="first last simple">
<li>Advance warning on password expiry</li>
<li>Camellia encryption (CTS-CMAC mode) <span class="target" id="index-7"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc6803.html"><strong>RFC 6803</strong></a></li>
<li>KDC support for SecurID preauthentication</li>
<li>kadmin over IPv6</li>
<li>Trace logging <a class="reference internal" href="admin/troubleshoot.html#trace-logging"><em>Trace logging</em></a></li>
<li>GSSAPI/KRB5 multi-realm support</li>
<li>Plugin to test password quality <a class="reference internal" href="plugindev/pwqual.html#pwqual-plugin"><em>Password quality interface (pwqual)</em></a></li>
<li>Plugin to synchronize password changes <a class="reference internal" href="plugindev/kadm5_hook.html#kadm5-hook-plugin"><em>KADM5 hook interface (kadm5_hook)</em></a></li>
<li>Parallel KDC</li>
<li>GSS-API extentions for SASL GS2 bridge <span class="target" id="index-8"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc5801.html"><strong>RFC 5801</strong></a> <span class="target" id="index-9"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc5587.html"><strong>RFC 5587</strong></a></li>
<li>Purging old keys</li>
<li>Naming extensions for delegation chain</li>
<li>Password expiration API</li>
<li>Windows client support (build-only)</li>
<li>IPv6 support in iprop</li>
</ul>
</dd>
<dt>Release 1.10</dt>
<dd><ul class="first last simple">
<li>Plugin interface for configuration <a class="reference internal" href="plugindev/profile.html#profile-plugin"><em>Configuration interface (profile)</em></a></li>
<li>Credentials for multiple identities <a class="reference internal" href="plugindev/ccselect.html#ccselect-plugin"><em>Credential cache selection interface (ccselect)</em></a></li>
</ul>
</dd>
<dt>Release 1.11</dt>
<dd><ul class="first last simple">
<li>Client support for FAST OTP <span class="target" id="index-10"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc6560.html"><strong>RFC 6560</strong></a></li>
<li>GSS-API extensions for credential locations</li>
<li>Responder mechanism</li>
</ul>
</dd>
</dl>
<p><cite>Pre-authentication mechanisms</cite></p>
<ul class="simple">
<li>PW-SALT <span class="target" id="index-11"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc4120.html#section-5.2.7.3"><strong>RFC 4120</strong></a></li>
<li>ENC-TIMESTAMP <span class="target" id="index-12"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc4120.html#section-5.2.7.2"><strong>RFC 4120</strong></a></li>
<li>SAM-2</li>
<li>FAST negotiation framework (release 1.8) <span class="target" id="index-13"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc6113.html"><strong>RFC 6113</strong></a></li>
<li>PKINIT with FAST on client (release 1.10) <span class="target" id="index-14"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc6113.html"><strong>RFC 6113</strong></a></li>
<li>PKINIT <span class="target" id="index-15"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a></li>
<li>FX-COOKIE <span class="target" id="index-16"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc6113.html#section-5.2"><strong>RFC 6113</strong></a></li>
<li>S4U-X509-USER (release 1.8) <a class="reference external" href="http://msdn.microsoft.com/en-us/library/cc246091">http://msdn.microsoft.com/en-us/library/cc246091</a></li>
</ul>
<p><cite>PRNG</cite></p>
<ul class="simple">
<li>modularity (release 1.9)</li>
<li>Yarrow PRNG (release < 1.10)</li>
<li>Fortuna PRNG (release 1.9) <a class="reference external" href="http://www.schneier.com/book-practical.html">http://www.schneier.com/book-practical.html</a></li>
<li>OS PRNG (release 1.10) OS’s native PRNG</li>
</ul>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="sidebar">
<h2>On this page</h2>
<ul>
<li><a class="reference internal" href="#">MIT Kerberos features</a><ul>
<li><a class="reference internal" href="#quick-facts">Quick facts</a></li>
<li><a class="reference internal" href="#interoperability">Interoperability</a></li>
<li><a class="reference internal" href="#feature-list">Feature list</a></li>
</ul>
</li>
</ul>
<br/>
<h2>Table of contents</h2>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="user/index.html">For users</a></li>
<li class="toctree-l1"><a class="reference internal" href="admin/index.html">For administrators</a></li>
<li class="toctree-l1"><a class="reference internal" href="appdev/index.html">For application developers</a></li>
<li class="toctree-l1"><a class="reference internal" href="plugindev/index.html">For plugin module developers</a></li>
<li class="toctree-l1"><a class="reference internal" href="build/index.html">Building Kerberos V5</a></li>
<li class="toctree-l1"><a class="reference internal" href="basic/index.html">Kerberos V5 concepts</a></li>
<li class="toctree-l1 current"><a class="current reference internal" href="">MIT Kerberos features</a><ul class="simple">
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="build_this.html">How to build this documentation from the source</a></li>
<li class="toctree-l1"><a class="reference internal" href="about.html">Contributing to the MIT Kerberos Documentation</a></li>
<li class="toctree-l1"><a class="reference internal" href="resources.html">Resources</a></li>
</ul>
<br/>
<h4><a href="index.html">Full Table of Contents</a></h4>
<h4>Search</h4>
<form class="search" action="search.html" method="get">
<input type="text" name="q" size="18" />
<input type="submit" value="Go" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
<div class="clearer"></div>
</div>
</div>
<div class="footer-wrapper">
<div class="footer" >
<div class="right" ><i>Release: 1.12.1</i><br />
© <a href="copyright.html">Copyright</a> 1985-2013, MIT.
</div>
<div class="left">
<a href="index.html" title="Full Table of Contents"
>Contents</a> |
<a href="basic/date_format.html" title="Supported date and time formats"
>previous</a> |
<a href="mitK5license.html" title="MIT Kerberos License information"
>next</a> |
<a href="genindex.html" title="General Index"
>index</a> |
<a href="search.html" title="Enter search criteria"
>Search</a> |
<a href="mailto:krb5-bugs@mit.edu?subject=Documentation__MIT Kerberos features">feedback</a>
</div>
</div>
</div>
</body>
</html>
|
