Manualshelf

Kerberos Client Version D.1.6.2.09 Release Notes (5990-1526, January 2011)

ManualsBrandsHP ManualsSoftwareHP-UX Kerberos Data Security Software
123456789
Table 3 Encryption types supported by Kerberos Client D.1.6.2.09 (continued)
DescriptionEncryption Type
AES-256 CTS mode with 96-bit SHA-1 HMACaes256-cts-hmac-sha1-96
AES-256 CTS mode with 96-bit SHA-1 HMAC
This encryption type is an alias to the aes256-cts-hmac-sha1-96 encryption
type. If you specify aes256-cts in the configuration file, then it’s behavior
is the same as aes256-cts-hmac-sha1-96.
aes256-cts
What is new in this version
Kerberos Client D.1.6.2.09 is a defect-fix release and does not contain any new features. For
more information on the defects fixed in this release, see “Defect Fixes in this Version (page 9).
Kerberos Client D.1.6.2.09 includes the following new features introduced in D.1.6.2:
Provides thread safety for Kerberos libraries
Provides the following new client commands:
Command for copying service ticket between credential caches - kcpytkt
Command for deleting service ticket from the credential cache - kdeltkt
Provides the following new functions, which are needed for NFSv4:
The gss_krb5_set_allowable_enctypes() function
The gss_krb5_export_lucid_sec_context() function
Provides a plug-in architecture that allows for extension modules to be loaded at run-time
Partial client implementation to handle server name referrals
Security fixes up to version 1.6.2 made by MIT in the open source version of Kerberos Client.
Kerberos Client version D.1.6.2.09 also supports the following features from Kerberos Client
version 1.3.5:
SASL/GSS-API bind to Netscape Directory Server used to fail when SSL was enabled
Support for powerful cryptographic algorithms
This version of Kerberos Client software supports 3DES, AES, and RC4
Support for IPv6
IPv6 support is enabled on this version of Kerberos Client software
Support for TCP
Kerberos Client libraries can now use TCP to connect to the Key Distribution Center (KDC).
Libraries can use TCP to communicate with Microsoft KDCs (domain controllers) if they issue
tickets with excess PAC data.
Security fixes up to version 1.6.2 made by MIT in the open source version of Kerberos Client.
Administrators can now control the behavior of Kerberized login applications that call the
krb5_kuserok API provided by the libkrb5.sl library. In earlier versions of Kerberos
Client, krb5_kuserokchecked the .k5login file in the user's home directory for access
permissions. This enabled users to modify the .k5login file and allow access to other users.
Administrators can now create files with the name .k5login.<username> in the /etc/
krb5/ directory. Administrators can also create symbolic links pointing to the .k5login file
in the user’s home directory. If the/etc/krb5 directory does not exist
krb5_kuserokcontinues to check the .k5login file in the user's home directory. If the/etc/
krb5/ directory exists, the krb5_kuserokAPI ignores any corresponding .k5login files
What is new in this version 7