krb5-pkinit - PKINIT plugin for MIT Kerberos

Property Value
Distribution Debian 8 (Jessie)
Repository Debian Main amd64
Package name krb5-pkinit
Package version 1.12.1+dfsg
Package release 19+deb8u4
Package architecture amd64
Package type deb
Installed size 198 B
Download size 82.19 KB
Official Mirror
Kerberos is a system for authenticating users and services on a network.
Kerberos is a trusted third-party service.  That means that there is a
third party (the Kerberos server) that is trusted by all the entities on
the network (users and services, usually called "principals").
This is the MIT reference implementation of Kerberos V5.
This package contains a plugin for the PKINIT protocol, which allows
Kerberos tickets to be obtained using public-key credentials such as
X.509 certificates or a smart card.  This plugin can be used by the
client libraries and the KDC.


Package Version Architecture Repository
krb5-pkinit_1.12.1+dfsg-19+deb8u4_i386.deb 1.12.1+dfsg i386 Debian Main
krb5-pkinit - - -


Name Value
libc6 >= 2.14
libcomerr2 >= 1.01
libk5crypto3 >= 1.8+dfsg
libkeyutils1 >= 1.4
libkrb5-3 = 1.12.1+dfsg-19+deb8u4
libkrb5support0 >= 1.12~alpha1+dfsg
libssl1.0.0 >= 1.0.0


Type URL
Binary Package krb5-pkinit_1.12.1+dfsg-19+deb8u4_amd64.deb
Source Package krb5

Install Howto

  1. Update the package index:
    # sudo apt-get update
  2. Install krb5-pkinit deb package:
    # sudo apt-get install krb5-pkinit




2017-08-28 - Sam Hartman <>
krb5 (1.12.1+dfsg-19+deb8u4) jessie; urgency=medium
* New version number; same code as deb8u3 but rebuilt to build arch all
packages and because dgit doesn't deal well with reusing a version
number when a package is rejected
2017-08-13 - Sam Hartman <>
krb5 (1.12.1+dfsg-19+deb8u3) jessie; urgency=high
* CVE-2017-11368: Remote authenticated attackers can crash the KDC,
Closes: #869260
*  fix for CVE-2016-3120 (kdc crash on restrict_anon_to_tgt), Closes:
* fix for CVE-2016-3119: remote DOS with ldap for authenticated
attackers, Closes: #819468
* Prevent requires_preauth bypass (CVE-2015-2694), Closes: #783557
2016-01-31 - Salvatore Bonaccorso <>
krb5 (1.12.1+dfsg-19+deb8u2) jessie-security; urgency=high
* Non-maintainer upload by the Security Team.
* Verify decoded kadmin C strings [CVE-2015-8629]
CVE-2015-8629: An authenticated attacker can cause kadmind to read
beyond the end of allocated memory by sending a string without a
terminating zero byte. Information leakage may be possible for an
attacker with permission to modify the database. (Closes: #813296)
* Check for null kadm5 policy name [CVE-2015-8630]
CVE-2015-8630: An authenticated attacker with permission to modify a
principal entry can cause kadmind to dereference a null pointer by
supplying a null policy value but including KADM5_POLICY in the mask.
(Closes: #813127)
* Fix leaks in kadmin server stubs [CVE-2015-8631]
CVE-2015-8631: An authenticated attacker can cause kadmind to leak
memory by supplying a null principal name in a request which uses one.
Repeating these requests will eventually cause kadmind to exhaust all
available memory. (Closes: #813126)
2015-11-04 - Benjamin Kaduk <>
krb5 (1.12.1+dfsg-19+deb8u1) jessie-security; urgency=high
* Import upstream patches for four CVEs:
- CVE-2015-2695: SPNEGO context aliasing during establishment,
Closes: #803083
- CVE-2015-2696: IAKERB context aliasing during establishment,
Closes: #803084
- CVE-2015-2697: unsafe string handling in TGS processing,
Closes: #803088
- CVE-2015-2698: regression (memory corruption) in patch for CVE-2015-2696
* In addition to CVE-2015-2698, the upstream patches for CVE-2015-2695
and CVE-2015-2696 introduced regressions preventing the use of
gss_import_sec_context() with contexts established using IAKERB
or SPNEGO; the fixes for those regressions are included here.
2015-03-20 - Sam Hartman <>
krb5 (1.12.1+dfsg-19) unstable; urgency=medium
* mark systemd unit directories as optional, Closes: #780831
2015-02-18 - Benjamin Kaduk <>
krb5 (1.12.1+dfsg-18) unstable; urgency=high
* Import upstream patch for CVE-2014-5355, Closes: #778647
2015-02-03 - Sam Hartman <>
krb5 (1.12.1+dfsg-17) unstable; urgency=high
* MITKRB5-SA-2015-001
- CVE-2014-5352: gss_process_context_token() incorrectly frees context
- CVE-2014-9421: kadmind doubly frees partial deserialization results
- CVE-2014-9422: kadmind incorrectly validates server principal name  
- CVE-2014-9423: libgssrpc server applications leak uninitialized bytes
2014-12-15 - Benjamin Kaduk <>
krb5 (1.12.1+dfsg-16) unstable; urgency=medium
* Import upstream patches for CVE-2014-5353 and CVE-2014-5354,
Closes: #773226, Closes: #773228
2014-11-21 - Benjamin Kaduk <>
krb5 (1.12.1+dfsg-15) unstable; urgency=medium
* Also apply slapd-before-kdc.conf to krb5-admin-server.service.d,
Closes: #769710
2014-11-07 - Benjamin Kaduk <>
krb5 (1.12.1+dfsg-14) unstable; urgency=medium
* The upstream patch in 1.12.1+dfsg-13 was incomplete; pull in
another upstream patch upon which it depended, to fix the
kfreebsd build, Closes: #768379

See Also

Package Description
krb5-strength_3.0-1_amd64.deb Password strength checking for Kerberos KDCs
krb5-sync-plugin_3.0-4_amd64.deb MIT Kerberos Active Directory synchronization plugin
krb5-sync-tools_3.0-4_amd64.deb Kerberos Active Directory synchronization tools
krb5-user_1.12.1+dfsg-19+deb8u4_amd64.deb Basic programs to authenticate using MIT Kerberos
krdc_4.14.1-1_amd64.deb Remote Desktop Connection client
krecipes-data_2.0~beta2-3_all.deb recipes manager for KDE - data files
krecipes-doc_2.0~beta2-3_all.deb recipes manager for KDE - documentation
krecipes_2.0~beta2-3_amd64.deb recipes manager for KDE
kredentials_2.0~pre3-1.1_amd64.deb KDE taskbar applet to update kerberos/AFS credentials
kremotecontrol_4.14.2-1_amd64.deb frontend for using remote controls
krename_4.0.9-3+b1_amd64.deb powerful batch renamer for KDE
kreversi_4.13.1-1_amd64.deb reversi board game
krfb_4.14.2-1_amd64.deb Desktop Sharing utility
krita-data_2.8.5+dfsg-1_all.deb data files for Krita painting program
krita-gemini_2.8.5+dfsg-1+b2_amd64.deb fusion between Krita Sketch and Krita Desktop