doc/rst_source/mitK5features.rst

   1 .. highlight:: rst
   2
   3 .. _mitK5features:
   4
   5 MIT Kerberos Features
   6 =====================
   7
   8 http://web.mit.edu/kerberos
   9
  10
  11 Quick facts
  12 -----------
  13
  14    ====================================================== ======================================= =============================================================================
  15     Latest stable  version                                 1.10
  16     Supported versions                                     1.8.6, 1.9.3, 1.10
  17     Release cycle                                          9 - 12 months
  18     Supported platforms/OS distributions                   Solaris
  19                                                                - SPARC
  20                                                                - x86_64/x86
  21                                                            GNU/Linux
  22                                                                - Debian       x86_64/x86
  23                                                                - Ubuntu       x86_64/x86
  24                                                                - RedHat       x86_64/x86
  25                                                            BSD
  26                                                                - NetBSD x86_64/x86
  27     Crypto backends                                        - OpenSSL 1.0\+                          - http://www.openssl.org
  28                                                            - builtin                                - MIT Kerberos native crypto library
  29                                                            - NSS 3.12.9\+                           - Mozilla's Network Security Services.
  30                                                                                                       http://www.mozilla.org/projects/security/pki/nss
  31     Database backends                                      - LDAP
  32                                                            - DB2
  33     krb4 support                                           < 1.8
  34     DES support                                            configurable                             http://k5wiki.kerberos.org/wiki/Projects/Disable_DES
  35     GSS-API S4U extensions                                 1.8+                                     http://msdn.microsoft.com/en-us/library/cc246071
  36                                                                - S4U2Self
  37                                                                - S4U2Proxy
  38     GSS-API naming extensions                              1.8+                                     http://tools.ietf.org/html/draft-ietf-kitten-gssapi-naming-exts-11
  39
  40     GSS-API extensions for storing delegated credentials   1.8+                                     :rfc:`5588`
  41
  42     License                                                :ref:`mitK5license`
  43    ====================================================== ======================================= =============================================================================
  44
  45
  46 Interoperabiity
  47 ---------------
  48
  49 Microsoft
  50 ~~~~~~~~~
  51
  52 Starting from version 1.7:
  53
  54 * Follow client principal referrals in the client library when
  55   obtaining initial tickets.
  56
  57 * KDC can issue realm referrals for service principals based on domain names.
  58
  59 * Extensions supporting DCE RPC, including three-leg GSS context setup
  60   and unencapsulated GSS tokens inside SPNEGO.
  61
  62 * Microsoft GSS_WrapEX, implemented using the gss_iov API, which is
  63   similar to the equivalent SSPI functionality.  This is needed to
  64   support some instances of DCE RPC.
  65
  66 * NTLM recognition support in GSS-API, to facilitate dropping in an
  67   NTLM implementation for improved compatibility with older releases
  68   of Microsoft Windows.
  69
  70 * KDC support for principal aliases, if the back end supports them.
  71   Currently, only the LDAP back end supports aliases.
  72
  73 * Support Microsoft set/change password (RFC 3244) protocol in
  74   kadmind.
  75
  76 * Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which
  77   allows a GSS application to request credential delegation only if
  78   permitted by KDC policy.
  79
  80
  81 Starting from version 1.8:
  82
  83 * Microsoft Services for User (S4U) compatibility`
  84
  85
  86 Heimdal
  87 ~~~~~~~
  88
  89 * Support for reading Heimdal database starting from version 1.8
  90
  91
  92 Feature list
  93 ~~~~~~~~~~~~
  94
  95    =============================================== =========== ============================================
  96     \                                              Available    Additional information
  97    =============================================== =========== ============================================
  98     Credentials delegation                         1.7          :rfc:`5896`
  99     Cross-realm authentication and referrals       1.7          http://tools.ietf.org/html/draft-ietf-krb-wg-kerberos-referrals-12
 100     Master key migration                           1.7          http://k5wiki.kerberos.org/wiki/Projects/Master_Key_Migration
 101     PKINIT                                         1.7          :rfc:`4556`
 102     Anonymous PKINIT                               1.8          :rfc:`6112` http://k5wiki.kerberos.org/wiki/Projects/Anonymous_pkinit
 103     Constrained delegation                         1.8          http://k5wiki.kerberos.org/wiki/Projects/ConstrainedDelegation
 104     IAKERB                                         1.8          http://tools.ietf.org/html/draft-ietf-krb-wg-iakerb-02
 105     Heimdal bridge plugin for KDC backend          1.8
 106     Advance warning on password expiry             1.9
 107     Camellia encryption (CTS-CMAC mode)            1.9          experimental http://tools.ietf.org/html/draft-ietf-krb-wg-camellia-cts-00
 108     KDC support for SecurID preauthentication      1.9          http://k5wiki.kerberos.org/wiki/Projects/SecurID_SAM_support
 109     kadmin over IPv6                               1.9
 110     Trace logging                                  1.9          http://k5wiki.kerberos.org/wiki/Projects/Trace_logging
 111     GSSAPI/KRB5 multi-realm support
 112     Plugin to test password quality                1.9          http://k5wiki.kerberos.org/wiki/Projects/Password_quality_pluggable_interface
 113     Plugin to synchronize password changes         1.9
 114     Parallel KDC                                   1.9
 115     GS2                                            1.9          :rfc:`5801` :rfc:`5587` http://k5wiki.kerberos.org/wiki/Projects/GS2
 116     Purging old keys                               1.9
 117     Naming extensions for delegation chain         1.9
 118     Password expiration API                        1.9
 119     Windows client support   (build-only)          1.9
 120     pre-auth mechanisms:
 121      - PW-SALT                                                  :rfc:`4120#section-5.2.7.3`
 122      - ENC-TIMESTAMP                                            :rfc:`4120#section-5.2.7.2`
 123      - SAM-2
 124      - FAST negotiation framework                  1.8          :rfc:`6113`
 125      - PKINIT with FAST on client                  1.10         :rfc:`6113`
 126      - PKINIT                                                   :rfc:`4556`
 127      - FX-COOKIE                                                :rfc:`6113#section-5.2`
 128      - S4U-X509-USER                               1.8          http://msdn.microsoft.com/en-us/library/cc246091
 129
 130     PRNG
 131       - modularity:                                   1.9
 132       - Yarrow PRNG                                   < 1.10
 133       - Fortuna PRNG                                  1.9       http://www.schneier.com/book-practical.html
 134       - OS PRNG                                       1.10      OS's native PRNG
 135     Zero configuration
 136     IPv6 support in iprop
 137     Plugin interface for configuration             1.10         http://k5wiki.kerberos.org/wiki/Projects/Pluggable_configuration
 138     Credentials for multiple identities            1.10         http://k5wiki.kerberos.org/wiki/Projects/Client_principal_selection
 139    =============================================== =========== ============================================
 140
 141
 142 Feedback
 143 --------
 144
 145 Please, provide your feedback on this document at
 146 krb5-bugs@mit.edu?subject=Documentation___krb5_implementation_features