New version of MIT Kerberos
The Massachusetts Institute of Technology (MIT) has released version 1.7 of its Kerberos network suite. The previous release, version 1.6.3, contained several known security vulnerabilities (CVE-2009-0844, CVE-2009-0845, CVE-2009-0846 and CVE-2009-0847), which had previously only been fixed in patch form (1, 2).
In addition to fixing the vulnerabilities, Kerberos 1.7 also includes some new security features. The developers have improved security within the Kerberos v5 protocol by marking encryption types such as DES (Data Encryption Standard) as weak and adding a configuration variable that by default is set to disable these weak encryption types. Users can re-activate them by using the new allow_weak_crypto setting. Currently MIT Kerberos 1.7 still allows DES by default, likely because of its former use as a US Federal Information Processing Standard, but this may change in a future release. MIT's Kerberos experts have also removed support for the Kerberos v4 protocol (krb4), which is now considered to be insecure.
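As an added illustration (not from this article or from MIT's release notes), the following krb5.conf fragments show the allow_weak_crypto switch in both positions. The realm name and the AES enctype lists are assumed values; the two [libdefaults] blocks are alternatives, not meant to appear in the same file.

```ini
; Added example, not from the article or from MIT's release notes.
; krb5.conf [libdefaults] fragment; EXAMPLE.COM and the enctype lists are assumed.

; Alternative 1 (weak): leaves DES negotiable. Any KDC or service principal
; that still holds a DES key can end up with a 56-bit session key.
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = true

; Alternative 2 (hardened): the switch is off and the enctype lists are pinned
; to AES, so ticket requests and session keys cannot fall back to DES.
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = false
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
```

After switching to the hardened form, `klist -e` shows which encryption type each ticket and session key actually uses; any principal whose only keys are DES will stop authenticating until it is rekeyed, so inventory those keys before flipping the switch.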
Other changes ensure better compatibility with Microsoft's implementation of the Kerberos protocol. These changes include support for referrals in the client library and the key distribution centre (KDC), NTLM recognition in GSSAPI and the ability to furnish Kerberos tickets with authorisation data via plug-ins. In addition, the KDC now supports principal aliases – although it does require an LDAP back end. The principal aliases themselves must be managed directly from LDAP – currently, MIT is not planning an alternative administrative interface.
Kerberos is also converging with the Microsoft world on the issue of delegation of Kerberos credentials. The KDC can now set an OK_AS_DELEGATE ticket flag in order to mark trusted services within the scope of a delegation. As with Microsoft's SSPI implementation, the GSSAPI library can also now evaluate such parameters. A further change affects the replication protocol – replication between master and slave KDCs can now be carried out incrementally.
A full list of changes can be found in the README file for version 1.7 of Kerberos.