krb5 commit [krb5-1.15]: Update README for krb5-1.15

Tom Yu tlyu at mit.edu
Wed Oct 19 15:44:39 EDT 2016


https://github.com/krb5/krb5/commit/5b2df4b3694b09d21d3b94e5420363e37f6df748
commit 5b2df4b3694b09d21d3b94e5420363e37f6df748
Author: Tom Yu <tlyu at mit.edu>
Date:   Mon Oct 17 17:01:01 2016 -0400

    Update README for krb5-1.15
    
    [ci skip]

 README |  128 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 files changed, 126 insertions(+), 2 deletions(-)

diff --git a/README b/README
index 685d291..cb9914c 100644
--- a/README
+++ b/README
@@ -73,12 +73,132 @@ from using single-DES cryptosystems.  Among these is a configuration
 variable that enables "weak" enctypes, which defaults to "false"
 beginning with krb5-1.8.
 
-Major changes in 1.14
+Major changes in 1.15
 ---------------------
 
-krb5-1.14 changes by ticket ID
+Administrator experience:
+
+* Add support to kadmin for remote extraction of current keys without
+  changing them (requires a special kadmin permission that is excluded
+  from the wildcard permission), with the exception of highly
+  protected keys.
+
+* Add a lockdown_keys principal attribute to prevent retrieval of the
+  principal's keys (old or new) via the kadmin protocol.  In newly
+  created databases, this attribute is set on the krbtgt and kadmin
+  principals.
+
+* Restore recursive dump capability for DB2 back end, so sites can
+  more easily recover from database corruption resulting from power
+  failure events.
+
+* Add DNS auto-discovery of KDC and kpasswd servers from URI records,
+ in addition to SRV records.  URI records can convey TCP and UDP
+ servers and master KDC status in a single DNS lookup, and can also
+ point to HTTPS proxy servers.
+
+* Add support for password history to the LDAP back end.
+
+* Add support for principal renaming to the LDAP back end.
+
+* Use the getrandom system call on supported Linux kernels to avoid
+  blocking problems when getting entropy from the operating system.
+
+Code quality:
+
+* Clean up numerous compilation warnings.
+
+* Remove various infrequently built modules, including some preauth
+  modules that were not built by default.
+
+Developer experience:
+
+* Add support for building with OpenSSL 1.1.
+
+* Use SHA-256 instead of MD5 for (non-cryptographic) hashing of
+  authenticators in the replay cache.  This helps sites that must
+  build with FIPS 140 conformant libraries that lack MD5.
+
+Protocol evolution:
+
+* Add support for the AES-SHA2 enctypes, which allows sites to conform
+  to Suite B crypto requirements.
+
+krb5-1.15 changes by ticket ID
 ------------------------------
 
+5889    password history doesn't work with LDAP KDB
+6666    some non-default plugin directories don't build in 1.8 branch
+7852    kadmin.local's ktadd -norandkey does not handle multiple kvnos
+        in the KDB
+7985    Add krb5_get_init_creds_opt_set_pac_request
+8065    Renaming principals with LDAP KDB deletes the principal
+8277    iprop can choose wrong realm
+8278    Add krb5_expand_hostname() API
+8280    Fix impersonate_name to work with interposers
+8295    kdb5_ldap_stash_service_password() stash file logic needs tweaking
+8297    jsonwalker.py test fails
+8298    Audit Test fails when system has IPV6 address
+8299    Remove util/reconf
+8329    Only run export-check.pl in maintainer mode
+8344    Create KDC and kadmind log files with mode 0640
+8345    Remove nss libk5crypto implementation
+8348    Remove workaround when binding to udp addresses and pktinfo
+        isn't supported by the system
+8353    Replace MD5 use in rcache with SHA-256
+8354    Only store latest keys in key history entry
+8355    Add kadm5_setkey_principal_4 RPC to kadmin
+8364    Add get_principal_keys RPC to kadmin
+8365    Add the ability to lock down principal keys
+8366    Increase initial DNS buffer size
+8368    Remove hdb KDB module
+8371    Improve libkadm5 client RPC thread safety
+8372    Use cached S4U2Proxy tickets in GSSAPI
+8374    Interoperate with incomplete SPNEGO responses
+8375    Allow zero cksumtype in krb5_k_verify_checksum()
+8379    Add auth indicator handling to libkdb_ldap
+8381    Don't fall back to master on password read error
+8386    Add KDC pre-send and post-receive KDC hooks
+8388    Remove port 750 from the KDC default ports
+8389    Make profile includedir accept all *.conf files
+8391    Add kinit long option support for all platforms
+8393    Password Expiration "Never" Inconsistently Applied
+8394    Add debug message filtering to krb5_klog_syslog
+8396    Skip password prompt when running ksu as root
+8398    Add libk5crypto support for OpenSSL 1.1.0
+8399    Unconstify some krb5 GSS OIDs
+8404    Remove non-DFSG documentation
+8405    Work around python-ldap bug in kerberos.ldif
+8412    Link correct VS2015 C libraries for debug builds
+8414    Use library malloc for principal, policy entries
+8418    Add libkdb function to specialize principal's salt
+8419    Do not indicate deprecated GSS mechanisms
+8423    Add SPNEGO special case for NTLMSSP+MechListMIC
+8425    Add auth-indicator authdata module
+8426    test_check_allowed_to_delegate() should free unparsed princ output
+8428    Minimize timing leaks in PKINIT decryption
+8429    Fix Makefile for paths containing '+' character
+8434    Fix memory leak in old gssrpc authentication
+8436    Update libev sources to 4.22
+8446    Fix leak in key change operations
+8451    Add hints for -A flag to kdestroy
+8456    Add the kprop-port option to kadmind
+8462    Better handle failures to resolve client keytab
+8464    Set prompt type for OTP preauth prompt
+8465    Improve bad password inference in kinit
+8466    Rename k5-queue.h macros
+8471    Change KDC error for encrypted timestamp preauth
+8476    Restore recursive dump functionality
+8478    usability improvements for bttest
+8488    Stop generating doc/CHANGES
+8490    Add aes-sha2 enctype support
+8494    Add krb5_db_register_keytab()
+8496    Add KDC discovery from URI records
+8499    Use getrandom system call on recent Linux kernels
+8502    ret_boolean in profile_get_boolean() should be krb5_boolean *
+        instead of int *
+
+
 Acknowledgements
 ----------------
 
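Review bot: the continuation lines of the URI-records bullet ("in addition to SRV records.", "servers and master KDC status in a single DNS lookup, and can also", "point to HTTPS proxy servers.") are indented one space, while every other continuation line in the new "Major changes in 1.15" list uses two; bring them in line. Two documentation gaps in the same section: the key-extraction bullet says the operation "requires a special kadmin permission that is excluded from the wildcard permission" without naming it, so an administrator reading this README cannot tell what to grant, or what to look for when auditing kadm5.acl; and the lockdown_keys bullet says the attribute is set on the krbtgt and kadmin principals "in newly created databases" only, which deserves a following sentence telling sites upgrading an existing database that they must set it themselves to get the same protection. Finally, ticket 8388 ("Remove port 750 from the KDC default ports") is a visible behaviour change for any site still serving legacy clients on that port, and is worth a line in the "Administrator experience" prose rather than appearing only in the ticket list.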
@@ -198,6 +318,7 @@ reports, suggestions, and valuable resources:
     Ravi Channavajhala
     Srinivas Cheruku
     Leonardo Chiquitto
+    Seemant Choudhary
     Howard Chu
     Andrea Cirulli
     Christopher D. Clausen
@@ -252,6 +373,8 @@ reports, suggestions, and valuable resources:
     Jeffrey Hutzelman
     Wyllys Ingersoll
     Holger Isenberg
+    Spencer Jackson
+    Diogenes S. Jesus
     Pavel Jindra
     Joel Johnson
     Anders Kaseorg
@@ -300,6 +423,7 @@ reports, suggestions, and valuable resources:
     Robert Relyea
     Martin Rex
     Jason Rogers
+    Matt Rogers
     Nate Rosenblum
     Solly Ross
     Mike Roszkowski

