Kerberos Client

Administrators can now control the behavior of Kerberized login applications that call the krb5_kuserok() API provided by the libkrb5.sl library. In earlier versions of Kerberos Client, krb5_kuserok() checked the .k5login file in the user’s home directory for access permissions. This enabled users to modify the .k5login file and allow access to others.

Administrators can now create files with the name .k5login.username in the /etc/krb5 directory. Administrators can also create symbolic links pointing to the .k5login file in the user’s home directory. If the /etc/krb5 directory does not exist, krb5_kuserok() continues to check the .k5login file in the user’s home directory. If the /etc/krb5 directory exists, the krb5_kuserok() API ignores any corresponding .k5login files in the user’s home directory while making authorization decisions. The format of the entries in the new files in /etc/krb5 continues to be the same as that of the .k5login file in the user’s home directory.

SASL/GSS-API bind to Netscape Directory Server used to fail when SSL was enabled. This problem has been fixed in this release.

Support for powerful cryptographic algorithms like 3DES, RC4, and AES

Support for IPv6

Support for TCP. Kerberos Client libraries can now use TCP to connect to KDC. Libraries can use TCP to communicate with Microsoft KDCs (domain controllers) if they issue tickets with excessive PAC data.

All relevant security fixes up to version 1.5.1 made by MIT in the open source version of Kerberos Client