krb5 commit: Update features list for 1.16

Greg Hudson ghudson at mit.edu
Mon Dec 4 11:03:10 EST 2017


https://github.com/krb5/krb5/commit/de219d2bea7a099d038126d652422fc4068e48b1
commit de219d2bea7a099d038126d652422fc4068e48b1
Author: Greg Hudson <ghudson at mit.edu>
Date:   Wed Nov 29 16:46:21 2017 -0500

    Update features list for 1.16
    
    ticket: 8623 (new)
    target_version: 1.16
    tags: pullup

 doc/mitK5features.rst |   93 +++++++++++++++++++++++++++++++++++++++++++++++-
 1 files changed, 91 insertions(+), 2 deletions(-)

diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst
index 122d16c..9df7e34 100644
--- a/doc/mitK5features.rst
+++ b/doc/mitK5features.rst
@@ -19,8 +19,8 @@ Quick facts
 License - :ref:`mitK5license`
 
 Releases:
-    - Latest stable: http://web.mit.edu/kerberos/krb5-1.15/
-    - Supported: http://web.mit.edu/kerberos/krb5-1.14/
+    - Latest stable: http://web.mit.edu/kerberos/krb5-1.16/
+    - Supported: http://web.mit.edu/kerberos/krb5-1.15/
     - Release cycle: 9 -- 12 months
 
 Supported platforms \/ OS distributions:
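Review bot: the two rewritten release links (Latest stable 1.16, Supported 1.15) keep the plain `http://web.mit.edu/kerberos/...` scheme; since these are the canonical download pointers for a security project, consider switching them to `https://` if the host serves the same paths over TLS, so that readers following the "Latest stable" link are not directed to a downgradable URL. The rest of the hunk (dropping 1.14 from "Supported") is consistent with the two-release support window implied by the "Release cycle" line.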
@@ -309,6 +309,95 @@ Release 1.15
   - Add support for the AES-SHA2 enctypes, which allows sites to
     conform to Suite B crypto requirements.
 
+Release 1.16
+
+* Administrator experience:
+
+  - The KDC can match PKINIT client certificates against the
+    "pkinit_cert_match" string attribute on the client principal
+    entry, using the same syntax as the existing "pkinit_cert_match"
+    profile option.
+
+  - The ktutil addent command supports the "-k 0" option to ignore the
+    key version, and the "-s" option to use a non-default salt string.
+
+  - kpropd supports a --pid-file option to write a pid file at
+    startup, when it is run in standalone mode.
+
+  - The "encrypted_challenge_indicator" realm option can be used to
+    attach an authentication indicator to tickets obtained using FAST
+    encrypted challenge pre-authentication.
+
+  - Localization support can be disabled at build time with the
+    --disable-nls configure option.
+
+* Developer experience:
+
+  - The kdcpolicy pluggable interface allows modules control whether
+    tickets are issued by the KDC.
+
+  - The kadm5_auth pluggable interface allows modules to control
+    whether kadmind grants access to a kadmin request.
+
+  - The certauth pluggable interface allows modules to control which
+    PKINIT client certificates can authenticate to which client
+    principals.
+
+  - KDB modules can use the client and KDC interface IP addresses to
+    determine whether to allow an AS request.
+
+  - GSS applications can query the bit strength of a krb5 GSS context
+    using the GSS_C_SEC_CONTEXT_SASL_SSF OID with
+    gss_inquire_sec_context_by_oid().
+
+  - GSS applications can query the impersonator name of a krb5 GSS
+    credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with
+    gss_inquire_cred_by_oid().
+
+  - kdcpreauth modules can query the KDC for the canonicalized
+    requested client principal name, or match a principal name against
+    the requested client principal name with canonicalization.
+
+* Protocol evolution:
+
+  - The client library will continue to try pre-authentication
+    mechanisms after most failure conditions.
+
+  - The KDC will issue trivially renewable tickets (where the
+    renewable lifetime is equal to or less than the ticket lifetime)
+    if requested by the client, to be friendlier to scripts.
+
+  - The client library will use a random nonce for TGS requests
+    instead of the current system time.
+
+  - For the RC4 string-to-key or PAC operations, UTF-16 is supported
+    (previously only UCS-2 was supported).
+
+  - When matching PKINIT client certificates, UPN SANs will be matched
+    correctly as UPNs, with canonicalization.
+
+* User experience:
+
+  - Dates after the year 2038 are accepted (provided that the platform
+    time facilities support them), through the year 2106.
+
+  - Automatic credential cache selection based on the client realm
+    will take into account the fallback realm and the service
+    hostname.
+
+  - Referral and alternate cross-realm TGTs will not be cached,
+    avoiding some scenarios where they can be added to the credential
+    cache multiple times.
+
+  - A German translation has been added.
+
+* Code quality:
+
+  - The build is warning-clean under clang with the configured warning
+    options.
+
+  - The automated test suite runs cleanly under AddressSanitizer.
+
 `Pre-authentication mechanisms`
 
 - PW-SALT                                         :rfc:`4120#section-5.2.7.3`
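Review bot: the kdcpolicy bullet under "Developer experience" is missing a word: "allows modules control whether tickets are issued by the KDC" should read "allows modules to control whether tickets are issued by the KDC", matching the parallel kadm5_auth and certauth bullets that follow it. While touching that block, the three new pluggable interfaces (kdcpolicy, kadm5_auth, certauth) are natural places for `:ref:` cross-references to their plugin documentation, in the same way this file already uses `:ref:` for the license; a reader of the features list has no way to find the interface docs from the bullet text alone. The remaining additions (random TGS nonce, trivially renewable tickets, post-2038 dates through 2106, UPN SAN canonicalization) read correctly and need no change.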


More information about the cvs-krb5 mailing list