krb5 (1.8+dfsg~alpha1-1) unstable; urgency=low This version of MIT Kerberos disables DES and 56-bit RC4 by default. These encryption types are generally regarded as weak; defeating them is well within the expected resources of some attackers. However, some applications, such as OpenAFS or Kerberized NFS, still rely on DES. To re-enable DES support add allow_weak_crypto=true to the libdefaults section of /etc/krb5.conf -- Sam Hartman Fri, 08 Jan 2010 22:41:14 -0500 krb5 (1.6.dfsg.4~beta1-7) unstable; urgency=low * In response to MIT's 2006 announcement that Kerberos 4 is at end of life and no longer under development, this version of the krb5 package removes most support for krb4. In particular, krb4 headers are no longer included; applications with krb4 support cannot be built using libkrb5-dev. In addition, krb4 support has been removed from the KDC and user utilities. If you do not use Kerberos 4 and do not have krb4-config installed, you should notice no changes. However, if you do use Kerberos 4, you must transition away from Kerberos 4 before upgrading to this version. * Downgrading from this version to a previous version can be difficult because of library name changes. Please follow these instructions: - Get the libkrb53 and libkadm55 debs you want to downgrade to -dpkg --force-depends --remove libkrb5-3 libkrb5support0 libdes425-3 libgssapi-krb5-2 libgssrpc4 libkadm5clnt5 libkadm5srv5 libkdb5-4 libk5crypto3 - At this point your system has broken Kerberos libraries - dpkg -i libkrb53*deb libkadm55*deb (using the debs you got above) - aptitude -f install to fix any other packages that may be broken -- Sam Hartman Thu, 26 Feb 2009 21:12:41 -0500 krb5 (1.6.1-1) unstable; urgency=low * Note that in this version, the behavior for finding what realm a server lives in has changed. In particular, if there is no domain_realm entry in krb5.conf, a server will assume that its key lives in the default realm set in krb5.conf. Previous versions would strip the hostname from the domain of the server. So, if the server's key is not in the default realm, add a domain_realm mapping. Clients still use DNS as a heuristic in some cases. -- Sam Hartman Wed, 25 Apr 2007 23:40:13 -0400