Apache Kerby

Apache Kerby, an Apache Directory sub-project, is a Java Kerberos binding. It provides a rich, intuitive and interoperable implementation, library, KDC and various facilities that integrate PKI, OTP and tokens (OAuth2), as needed in modern environments such as cloud, Hadoop and mobile.

The Initiatives/Goals

  • Aims to be a Java Kerberos binding, with rich and integrated facilities that integrate Kerberos, PKI and tokens (OAuth2) on both the client and server sides.
  • Provides client APIs at the Kerberos protocol level to interact with a KDC server through AS and TGS exchanges.
  • Provides a standalone KDC server that supports various identity backends including memory based, Json file based, LDAP based and even Zookeeper based.
  • Provides an embedded KDC server that applications can easily integrate into products, unit tests or integration tests.
  • Supports FAST/Preauthentication framework to allow popular and useful authentication mechanisms.
  • Supports the PKINIT mechanism to allow clients to request tickets using X.509 certificate credentials.
  • Supports the Token Preauth mechanism to allow clients to request tickets using JWT tokens.
  • Supports the OTP mechanism to allow clients to request tickets using a one-time password.
  • Provides support for JAAS, GSSAPI and SASL frameworks that applications can leverage.
  • Minimal dependencies: the core part depends only on the JRE and SLF4J, for easy use and maintenance.

KrbClient APIs

A Kerberos client API for applications to interact with the KDC.
Please look at kerb-client for details.

Kadmin

Server side admin facilities.
Please look at kerb-admin for details.

KdcServer API

Kerberos Server API.
Please look at kerb-server for details.

SimpleKdcServer

A simplified KDC server. It can be imported by other projects to work as a KDC server.
Please look at kerb-simplekdc for details.

ASN-1 support

A model-driven ASN-1 encoding and decoding framework implemented in Java.
Please look at kerby-asn1 for details.
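To make the "encoding and decoding" concrete, here is an added example (not kerby-asn1 code, and not the project's model-driven API) of the raw DER tag-length-value layer that any ASN.1 framework sits on: a parser that checks every declared length against the buffer, rejects BER-only indefinite lengths and non-minimal length forms, and renders the parsed tree as an indented dump of the kind used for troubleshooting. The sample message is a constructed Kerberos PrincipalName (RFC 4120) for krbtgt/EXAMPLE.COM, built inline; the tag names, error messages and function names are this example's own.

```python
"""Minimal DER TLV parser and dumper (added example, not Kerby's own code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Universal tags that occur in Kerberos messages (RFC 4120 strings are GeneralString).
UNIVERSAL_NAMES = {
    0x01: "BOOLEAN", 0x02: "INTEGER", 0x03: "BIT STRING", 0x04: "OCTET STRING",
    0x05: "NULL", 0x06: "OBJECT IDENTIFIER", 0x0A: "ENUMERATED", 0x0C: "UTF8String",
    0x10: "SEQUENCE", 0x11: "SET", 0x18: "GeneralizedTime", 0x1B: "GeneralString",
}
CLASS_NAMES = ["UNIVERSAL", "APPLICATION", "CONTEXT", "PRIVATE"]

class DerError(ValueError):
    """Raised for any malformed or non-DER encoding."""

@dataclass
class Tlv:
    tag_class: int
    constructed: bool
    tag_number: int
    value: bytes                                   # raw content octets
    children: List["Tlv"] = field(default_factory=list)

def _read_tag(data: bytes, pos: int) -> Tuple[int, bool, int, int]:
    if pos >= len(data):
        raise DerError("truncated tag")
    first = data[pos]
    tag_class, constructed, number = first >> 6, bool(first & 0x20), first & 0x1F
    if number == 0x1F:                             # high-tag-number form: not needed for Kerberos
        raise DerError("high tag numbers (>= 31) not supported")
    return tag_class, constructed, number, pos + 1

def _read_length(data: bytes, pos: int) -> Tuple[int, int]:
    if pos >= len(data):
        raise DerError("truncated length")
    b = data[pos]
    pos += 1
    if b < 0x80:                                   # short form
        return b, pos
    if b == 0x80:                                  # BER indefinite form is not valid DER
        raise DerError("indefinite length is BER-only, rejected in DER mode")
    n = b & 0x7F
    if n > 4 or pos + n > len(data):
        raise DerError("length field too long or truncated")
    length = int.from_bytes(data[pos:pos + n], "big")
    min_len = 0x80 if n == 1 else 1 << (8 * (n - 1))
    if length < min_len:                           # DER requires the shortest length form
        raise DerError("non-minimal length encoding (DER requires shortest form)")
    return length, pos + n

def parse_tlv(data: bytes, pos: int = 0) -> Tuple[Tlv, int]:
    """Parse one TLV at pos; the declared length is checked against the buffer."""
    tag_class, constructed, number, pos = _read_tag(data, pos)
    length, pos = _read_length(data, pos)
    end = pos + length
    if end > len(data):
        raise DerError(f"declared length {length} exceeds available {len(data) - pos} bytes")
    node = Tlv(tag_class, constructed, number, data[pos:end])
    if constructed:                                # recurse into the content octets
        node.children = parse_all(node.value)
    return node, end

def parse_all(data: bytes) -> List[Tlv]:
    nodes, pos = [], 0
    while pos < len(data):
        node, pos = parse_tlv(data, pos)
        nodes.append(node)
    return nodes

def dump(node: Tlv, indent: int = 0) -> List[str]:
    """Render a parsed tree as indented text, one line per TLV (a troubleshooting dump)."""
    if node.tag_class == 0:
        name = UNIVERSAL_NAMES.get(node.tag_number, f"[UNIVERSAL {node.tag_number}]")
    else:
        name = f"[{CLASS_NAMES[node.tag_class]} {node.tag_number}]"
    pad = "  " * indent
    if not node.constructed:
        return [f"{pad}{name} {node.value.hex()}"]
    lines = [f"{pad}{name} ({len(node.value)} bytes)"]
    for child in node.children:
        lines.extend(dump(child, indent + 1))
    return lines

def dump_text(data: bytes) -> str:
    return "\n".join(line for node in parse_all(data) for line in dump(node))

def check(data: bytes) -> Optional[str]:
    """Return None if data parses as well-formed DER, else the error message."""
    try:
        parse_all(data)
        return None
    except DerError as exc:
        return str(exc)

# Constructed sample: a Kerberos PrincipalName (RFC 4120) for krbtgt/EXAMPLE.COM:
# SEQUENCE { [0] INTEGER 2 (NT-SRV-INST), [1] SEQUENCE OF GeneralString }
SAMPLE_PRINCIPAL = bytes.fromhex(
    "301e"                          # SEQUENCE, 30 content bytes
    "a003020102"                    # [0] INTEGER 2
    "a1173015"                      # [1] SEQUENCE OF, 21 content bytes
    "1b066b7262746774"              # GeneralString "krbtgt"
    "1b0b4558414d504c452e434f4d")   # GeneralString "EXAMPLE.COM"
```

Run `dump_text(SAMPLE_PRINCIPAL)` to see the nested structure; `check(SAMPLE_PRINCIPAL[:-3])` shows how a truncated message is reported instead of being read past the end of the buffer, which is the class of bug a bounds-checked decoder exists to prevent.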

How to play with the standalone KDC

Please look at Kerby KDC for details.

Kerberos Crypto and Encryption Types

  • Implements DES, DES3, RC4, AES and Camellia encryption and the corresponding checksum types
  • Interoperates with MIT Kerberos and Microsoft AD
  • Independent of the Kerberos code in the JRE, but relies on the JCE

Similar to MIT krb5 encryption types:

Encryption Type                                       Description
----------------------------------------------------  ------------------------------------------------------------------
des-cbc-crc                                           DES cbc mode with CRC-32 (weak)
des-cbc-md4                                           DES cbc mode with RSA-MD4 (weak)
des-cbc-md5                                           DES cbc mode with RSA-MD5 (weak)
des3-cbc-sha1, des3-hmac-sha1, des3-cbc-sha1-kd       Triple DES cbc mode with HMAC/sha1
des-hmac-sha1                                         DES with HMAC/sha1 (weak)
aes256-cts-hmac-sha1-96, aes256-cts                   AES-256 CTS mode with 96-bit SHA-1 HMAC
aes128-cts-hmac-sha1-96, aes128-cts                   AES-128 CTS mode with 96-bit SHA-1 HMAC
arcfour-hmac, rc4-hmac, arcfour-hmac-md5              RC4 with HMAC/MD5
arcfour-hmac-exp, rc4-hmac-exp, arcfour-hmac-md5-exp  Exportable RC4 with HMAC/MD5 (weak)
camellia256-cts-cmac, camellia256-cts                 Camellia-256 CTS mode with CMAC
camellia128-cts-cmac, camellia128-cts                 Camellia-128 CTS mode with CMAC
des                                                   The DES family: des-cbc-crc, des-cbc-md5, and des-cbc-md4 (weak)
des3                                                  The triple DES family: des3-cbc-sha1
aes                                                   The AES family: aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96
rc4                                                   The RC4 family: arcfour-hmac
camellia                                              The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac
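Because the same type can be named several ways and family keywords expand to several types, an auditor checking a configuration has to canonicalize before deciding whether a weak type is enabled. The following added example (not Kerby code) encodes the table above, expands MIT-style enctype lists (aliases and family keywords, order preserved, duplicates removed), and scans the `[libdefaults]` section of a krb5.conf-style text for the keys `permitted_enctypes`, `default_tkt_enctypes` and `default_tgs_enctypes`, reporting any type the table marks as weak. The configuration text is constructed for the example; the function names are its own.

```python
"""Canonicalize MIT-style enctype specs and flag weak types (added example, not Kerby code)."""
from typing import Dict, List, Tuple

# canonical name -> (aliases, weak?) exactly as the encryption type table lists them
ENCTYPES: Dict[str, Tuple[Tuple[str, ...], bool]] = {
    "des-cbc-crc": ((), True),
    "des-cbc-md4": ((), True),
    "des-cbc-md5": ((), True),
    "des3-cbc-sha1": (("des3-hmac-sha1", "des3-cbc-sha1-kd"), False),
    "des-hmac-sha1": ((), True),
    "aes256-cts-hmac-sha1-96": (("aes256-cts",), False),
    "aes128-cts-hmac-sha1-96": (("aes128-cts",), False),
    "arcfour-hmac": (("rc4-hmac", "arcfour-hmac-md5"), False),
    "arcfour-hmac-exp": (("rc4-hmac-exp", "arcfour-hmac-md5-exp"), True),
    "camellia256-cts-cmac": (("camellia256-cts",), False),
    "camellia128-cts-cmac": (("camellia128-cts",), False),
}
# family keyword -> members, in the order the table gives them
FAMILIES: Dict[str, List[str]] = {
    "des": ["des-cbc-crc", "des-cbc-md5", "des-cbc-md4"],
    "des3": ["des3-cbc-sha1"],
    "aes": ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"],
    "rc4": ["arcfour-hmac"],
    "camellia": ["camellia256-cts-cmac", "camellia128-cts-cmac"],
}
ALIASES = {alias: canon for canon, (aliases, _) in ENCTYPES.items() for alias in aliases}

def expand(spec: str) -> List[str]:
    """Expand a whitespace-separated enctype spec into canonical names (order kept, no duplicates)."""
    out: List[str] = []
    for token in spec.split():
        name = token.lower()
        if name in FAMILIES:
            members = FAMILIES[name]
        else:
            canon = ALIASES.get(name, name)
            if canon not in ENCTYPES:
                raise ValueError(f"unknown enctype: {token}")
            members = [canon]
        for member in members:
            if member not in out:
                out.append(member)
    return out

def weak_types(spec: str) -> List[str]:
    """Canonical types in spec that the table marks as weak."""
    return [t for t in expand(spec) if ENCTYPES[t][1]]

# [libdefaults] keys whose values are enctype lists
ENCTYPE_KEYS = ("permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes")

def audit_libdefaults(conf_text: str) -> Dict[str, List[str]]:
    """Scan the [libdefaults] section of krb5.conf-style text; return key -> weak types found."""
    report: Dict[str, List[str]] = {}
    in_libdefaults = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":            # blank or comment line
            continue
        if line.startswith("["):                   # section header
            in_libdefaults = line == "[libdefaults]"
            continue
        if in_libdefaults and "=" in line:
            key, _, value = line.partition("=")
            key = key.strip().lower()
            if key in ENCTYPE_KEYS:
                report[key] = weak_types(value)
    return report

# Constructed sample configuration (not taken from any real deployment)
SAMPLE_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.COM
  permitted_enctypes = aes rc4-hmac des3
  default_tkt_enctypes = aes256-cts des-cbc-md5
[realms]
  EXAMPLE.COM = {
    kdc = kdc.example.com
  }
"""
```

`audit_libdefaults(SAMPLE_CONF)` reports `des-cbc-md5` under `default_tkt_enctypes` while `permitted_enctypes` is clean; an unknown token raises rather than being silently dropped, so a typo in a hardening change cannot pass as a clean list.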

Identity Backend

A standalone KDC server that can integrate various identity backends including:

  • MemoryIdentityBackend.
    • The default identity backend; no configuration is needed. It is for use where no permanent storage is required.
  • JsonIdentityBackend.
    • Implemented with Gson, which converts Java objects to their JSON representation and converts a JSON string back to an equivalent Java object. A JSON file is created in "backend.json.dir". This backend is for small, simple development and test environments.
  • ZookeeperIdentityBackend.
    • Currently uses an embedded Zookeeper. It will later be enhanced to support a standalone Zookeeper cluster for replication and reliability. The Zookeeper backend is a good choice where high reliability, high performance and high scalability are required.
  • LdapIdentityBackend.
    • The LDAP server can be standalone or embedded, using the ApacheDS server as the backend. It is used when an LDAP server already exists.
  • MavibotBackend.
    • A backend based on Apache Mavibot (an MVCC B-tree library).

Network Support

  • Includes UDP and TCP transports.
  • Default KDC server implementation.
    • Uses the networking classes in the JDK.
  • Netty-based KDC server implementation.
    • Netty is an asynchronous event-driven network application framework for rapid development of maintainable, high-performance protocol servers and clients.
    • Offers better throughput and lower latency.

Tools

  • kinit:
    • Obtains and caches an initial ticket-granting ticket for a principal.
  • klist:
    • Lists the Kerby principal and tickets held in a credentials cache, or the keys held in a keytab file.
  • kdcinit:
    • Initializes and prepares the KDC-side materials: the concrete backend, the master keys, and the necessary principals (tgs, kadmin).
  • kadmin:
    • Command-line interface to the Kerby administration system.

Kerby Common Projects

  • kerby-asn1. A model driven ASN-1 encoding and decoding framework
  • kerby-config. A unified configuration API that aims to support various configuration file formats, like XML, INI, even Java Map and Properties.
  • kerby-util. Common utilities used by the project.

Dependency

  • The core part depends only on the JRE and SLF4J. Every external dependency is chosen carefully and maintained separately.
  • Nimbus JOSE + JWT, needed by the token-provider and the TokenPreauth mechanism.
  • Netty, needed by the Netty-based KDC server.
  • Zookeeper, needed by the Zookeeper identity backend.

How to use library

Apache Kerby is also available as a Maven dependency.

  • Kerby Client API:
  • Kerby Server API:
  • Kerby ASN1:
  • Kerby Simple KDC:
  • Replace ${kerby-version} with the release version.
  • Apache Kerby 1.0.0-RC1 is the latest release and recommended version for all users.

License

Apache License V2.0

How to contribute

News

  • March 14th 2016, Apache Kerby 1.0.0-RC2 is released.
  • Sep 23 2015, the first release 1.0.0-RC1 of Kerby was released.

Apache Kerby 1.0.0 Release Notes

New Feature

[DIRKRB-247] - Kerby's KDC supports MIT's kinit
[DIRKRB-421] - Define transaction API for identity backend
[DIRKRB-422] - Enhance json backend to support transaction for reasonable efficiency
[DIRKRB-478] - Refine and enhance the client side library
[DIRKRB-524] - XDR (RFC 4506) support

Bug

[DIRKRB-583] - Validate payload length declared in keytab
[DIRKRB-584] - NPE if the token issuers value is not specified
[DIRKRB-585] - Allow for optional expiry + NotBefore claims when processing a JWT token
[DIRKRB-586] - NPE in KdcHandler on an Exception
[DIRKRB-613] - Tests fail on systems with includedir in /etc/krb5.conf
[DIRKRB-621] - 0x502 version keytab with multiple entries are not read properly
[DIRKRB-624] - KdcServerTest failed with exception
[DIRKRB-626] - Some improvement work for exception handling
[DIRKRB-627] - Kerby hangs when the service principal is not known

Improvement

[DIRKRB-416] - Allow to support transaction for backend
[DIRKRB-459] - Enhance the support for MIT krb5.conf configuration format
[DIRKRB-482] - Break down KrbOption
[DIRKRB-587] - Load JWT verification key from classpath as well
[DIRKRB-588] - Support validation keys in different formats
[DIRKRB-607] - Improve Simple KDC Server to be thread safe
[DIRKRB-623] - Move the backend related tests to backend modules


[DIRKRB-155] - Add the missing Javadoc for kerby-asn1 module
[DIRKRB-532] - Encode and decode XDR: Union and Struct

Apache Kerby 1.0.0-RC2 Release Notes

105 JIRA issues were resolved, with the following features and important changes since 1.0.0-RC1:

    1. Anonymous PKINIT support (BETA): allows a client to obtain anonymous credentials without authenticating as any particular principal.
    2. Finished token support:
       • Add the ability to encrypt and sign using non-RSA keys;
       • Get the verification key for signed JWT tokens from the KDC config;
       • The token issuer must be trusted as one of the preconfigured issuers;
       • Add support for decrypting JWT tokens in the KDC.
    3. PKIX CMS/X509 support.
    4. BER encoding support.
    5. Improved the ASN1 framework:
       • Separate Asn1 parser;
       • Support decoding of primitive but constructed encoded types;
       • Allow explicit and implicit fields to be defined more easily for collection types;
       • Provide an API for useful ASN1 functions by consolidating existing utilities.
    6. Dump support for Asn1:
       • Provide an ASN1 dumping tool for troubleshooting.
    7. Separate KrbClient, KrbTokenClient, and KrbPkinitClient APIs.