krb5 commit [krb5-1.18]: Update README for krb5-1.18

Greg Hudson ghudson at mit.edu
Wed Jan 8 14:43:10 EST 2020


https://github.com/krb5/krb5/commit/835fe85173ee8fb5b0c27bb44c9a171f8d151dc9
commit 835fe85173ee8fb5b0c27bb44c9a171f8d151dc9
Author: Greg Hudson <ghudson at mit.edu>
Date:   Wed Jan 8 14:40:08 2020 -0500

    Update README for krb5-1.18

 README |  127 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 127 insertions(+), 0 deletions(-)

diff --git a/README b/README
index 1284065..64ad0b6 100644
--- a/README
+++ b/README
@@ -76,9 +76,126 @@ beginning with krb5-1.8.
 Major changes in 1.18
 ---------------------
 
+Administrator experience:
+
+* Remove support for single-DES encryption types.
+
+* Change the replay cache format to be more efficient and robust.
+  Replay cache filenames using the new format end with ".rcache2" by
+  default.
+
+* setuid programs will automatically ignore environment variables that
+  normally affect krb5 API functions, even if the caller does not use
+  krb5_init_secure_context().
+
+* Add an "enforce_ok_as_delegate" krb5.conf relation to disable
+  credential forwarding during GSSAPI authentication unless the KDC
+  sets the ok-as-delegate bit in the service ticket.
+
+Developer experience:
+
+* Implement krb5_cc_remove_cred() for all credential cache types.
+
+* Add the krb5_pac_get_client_info() API to get the client account
+  name from a PAC.
+
+Protocol evolution:
+
+* Add KDC support for S4U2Self requests where the user is identified
+  by X.509 certificate.  (Requires support for certificate lookup from
+  a third-party KDB module.)
+
+* Remove support for an old ("draft 9") variant of PKINIT.
+
+* Add support for Microsoft NegoEx.  (Requires one or more third-party
+  GSS modules implementing NegoEx mechanisms.)
+
+User experience:
+
+* Add support for "dns_canonicalize_hostname=fallback""`, causing
+  host-based principal names to be tried first without DNS
+  canonicalization, and again with DNS canonicalization if the
+  un-canonicalized server is not found.
+
+* Expand single-component hostnames in hhost-based principal names
+  when DNS canonicalization is not used, adding the system's first DNS
+  search path as a suffix.  Add a "qualify_shortname" krb5.conf
+  relation to override this suffix or disable expansion.
+
+Code quality:
+
+* The libkrb5 serialization code (used to export and import krb5 GSS
+  security contexts) has been simplified and made type-safe.
+
+* The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED d
+  messages has been revised to conform to current coding practices.
+
+* The test suite has been modified to work with macOS System Integrity
+  Protection enabled.
+
+* The test suite incorporates soft-pkcs11 so that PKINIT PKCS11
+  support can always be tested.
+
 krb5-1.18 changes by ticket ID
 ------------------------------
 
+5891    kdb_ldap should treat entries with "nsAccountLock: true" as locked
+7135    gssapi mechanism glue dlcloses objects potentially after they are already unloaded
+7765    Some ccache functions not exported
+7871    KDC should not fail requests due to forwardable/proxiable option
+8349    use __APPLE_USE_RFC_3542 to get IPV6_PKTINFO on Mac OS X
+8761    ksu doesn't allow acquisition of non-forwardable tickets
+8764    get_creds can add redundant cache entry for referral ticket
+8765    Add dns_canonicalize_hostname=fallback support
+8773    Mark deprecated enctypes when used
+8775    Process SPNEGO error tokens through mech
+8777    S4U2Self with X.509 certificate bugs
+8778    Add new kvno protocol transition options
+8780    Expand S4U2Self exception in KDC lineage check
+8781    Add KDC support for X.509 S4U2Self requests
+8784    Use better name type for PKINIT KDC certs
+8785    Use memory replay cache for DO_TIME auth contexts
+8786    Hash-based replay cache implementation
+8788    Rename configure.in to configure.ac
+8791    Add option to build without libkeyutils
+8792    Implement krb5_cc_remove_cred for remaining types
+8793    Remove srvtab support
+8794    Remove kadmin RPC support for setting v4 key
+8795    configure: chech for libncursesw, if libncurses is not found
+8798    Remove ovsec_adm_export dump format support
+8799    Check more errors in OpenSSL crypto backend
+8800    Add secure_getenv() support
+8804    Remove checksum type profile variables
+8805    Modernize example enctypes in documentation
+8806    kdb5_util errors on command arguments matching command names
+8807    Set a more modern default ksu CMD_PATH
+8808    Remove single-DES support
+8811    In klist, display ticket server if different
+8812    Remove support for no-flags SAM-2 preauth
+8815    Verify PAC client name independently of name-type
+8816    kproplog cannot display LOCKDOWN_KEYS attribute
+8817    Remove PKINIT draft 9 support
+8819    gss_set_allowable_enctypes() fails if any enctypes aren't recognized
+8823    Allow the KDB to see and modify auth indicators
+8827    Change definition of KRB5_KDB_FLAG_CROSS_REALM
+8828    Add API to get client account name from PAC
+8829    Fix authdata signatures for non-TGT AS-REQs
+8833    Add environment variable for GSS mech config
+8842    Record start time of AS requests earlier in KDC
+8843    Allow client canonicalization in non-krbtgt AS-REP
+8844    SPNEGO should filter mechs on acceptor with gss_acquire_cred()
+8845    SPNEGO init/accept output parameter bugs
+8847    Add enforce_ok_as_delegate setting
+8849    Install gssapi/gssapi_alloc.h properly
+8851    NegoEx
+8855    Qualify short hostnames when not using DNS
+8856    segfault in krb5-1.17.1/src/lib/krb5/krb/authdata.c
+8857    Don't warn in kadmin when no policy is specified
+8858    Do not always canonicalize enterprise principals
+8859    Remove KRB5_KDB_FLAG_ALIAS_OK
+8860    Allow kprop over NATs
+8861    Fix LDAP policy enforcement of pw_expiration
+
 Acknowledgements
 ----------------
 
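Review bot: Four typos in the new README text should be corrected before this ships. The "User experience" bullet has stray characters after the closing quote of the setting name ('"dns_canonicalize_hostname=fallback""`,' should read '"dns_canonicalize_hostname=fallback",'); "hhost-based principal names" should be "host-based principal names"; "KRB-PRIV, KRB-SAFE, and KRB-CRED d messages" has a stray "d"; and the ticket 8795 summary reads "chech" where "check" is meant (if that line mirrors the ticket title verbatim, consider fixing it in the tracker as well so future release notes pick up the corrected text).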
@@ -179,6 +296,7 @@ reports, suggestions, and valuable resources:
     Brian Almeida
     Michael B Allen
     Pooja Anil
+    Jeffrey Arbuckle
     Heinz-Ado Arnolds
     Derek Atkins
     Mark Bannister
@@ -189,6 +307,7 @@ reports, suggestions, and valuable resources:
     Adam Bernstein
     Arlene Berry
     Jeff Blaine
+    Toby Blake
     Radoslav Bodo
     Sumit Bose
     Emmanuel Bouillon
@@ -236,6 +355,7 @@ reports, suggestions, and valuable resources:
     Remi Ferrand
     Paul Fertser
     Fabiano Fidêncio
+    Frank Filz
     William Fiveash
     Jacques Florent
     Ákos Frohner
@@ -271,6 +391,7 @@ reports, suggestions, and valuable resources:
     Pavel Jindra
     Brian Johannesmeyer
     Joel Johnson
+    Lutz Justen
     Alexander Karaivanov
     Anders Kaseorg
     Bar Katz
@@ -279,11 +400,13 @@ reports, suggestions, and valuable resources:
     W. Trevor King
     Patrik Kis
     Martin Kittel
+    Thomas Klausner
     Matthew Krupcale
     Mikkel Kruse
     Reinhard Kugler
     Tomas Kuthan
     Pierre Labastie
+    Andreas Ladanyi
     Chris Leick
     Volker Lendecke
     Jan iankko Lieskovsky
@@ -298,6 +421,7 @@ reports, suggestions, and valuable resources:
     Ryan Lynch
     Roland Mainz
     Sorin Manolache
+    Robert Marshall
     Andrei Maslennikov
     Michael Mattioli
     Nathaniel McCallum
@@ -318,7 +442,9 @@ reports, suggestions, and valuable resources:
     Andrej Ota
     Dmitri Pal
     Javier Palacios
+    Dilyan Palauzov
     Tom Parker
+    Eric Pauly
     Ezra Peisach
     Alejandro Perez
     Zoran Pericic
@@ -343,6 +469,7 @@ reports, suggestions, and valuable resources:
     Paul Seyfert
     Tom Shaw
     Jim Shi
+    Jerry Shipman
     Peter Shoults
     Richard Silverman
     Cel Skeggs

