krb5 commit [krb5-1.16]: Update README for krb5-1.16

Greg Hudson ghudson at mit.edu
Wed Oct 4 11:45:36 EDT 2017


https://github.com/krb5/krb5/commit/19a11016ac1638ee677fa44f15371ebad3f1c36a
commit 19a11016ac1638ee677fa44f15371ebad3f1c36a
Author: Greg Hudson <ghudson at mit.edu>
Date:   Wed Oct 4 11:41:20 2017 -0400

    Update README for krb5-1.16

 README |  155 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 files changed, 154 insertions(+), 1 deletions(-)

diff --git a/README b/README
index 9e4f69f..0d07740 100644
--- a/README
+++ b/README
@@ -76,9 +76,142 @@ beginning with krb5-1.8.
 Major changes in 1.16
 ---------------------
 
+Administrator experience:
+
+* The KDC can match PKINIT client certificates against the
+  "pkinit_cert_match" string attribute on the client principal entry,
+  using the same syntax as the existing "pkinit_cert_match" profile
+  option.
+
+* The ktutil addent command supports the "-k 0" option to ignore the
+  key version, and the "-s" option to use a non-default salt string.
+
+* kpropd supports a --pid-file option to write a pid file at startup,
+  when it is run in standalone mode.
+
+* The "encrypted_challenge_indicator" realm option can be used to
+  attach an authentication indicator to tickets obtained using FAST
+  encrypted challenge pre-authentication.
+
+* Localization support can be disabled at build time with the
+  --disable-nls configure option.
+
+Developer experience:
+
+* The kdcpolicy pluggable interface allows modules control whether
+  tickets are issued by the KDC.
+
+* The kadm5_auth pluggable interface allows modules to control whether
+  kadmind grants access to a kadmin request.
+
+* The certauth pluggable interface allows modules to control which
+  PKINIT client certificates can authenticate to which client
+  principals.
+
+* KDB modules can use the client and KDC interface IP addresses to
+  determine whether to allow an AS request.
+
+* GSS applications can query the bit strength of a krb5 GSS context
+  using the GSS_C_SEC_CONTEXT_SASL_SSF OID with
+  gss_inquire_sec_context_by_oid().
+
+* GSS applications can query the impersonator name of a krb5 GSS
+  credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with
+  gss_inquire_cred_by_oid().
+
+* kdcpreauth modules can query the KDC for the canonicalized requested
+  client principal name, or match a principal name against the
+  requested client principal name with canonicalization.
+
+Protocol evolution:
+
+* The client library will continue to try pre-authentication
+  mechanisms after most failure conditions.
+
+* The KDC will issue trivially renewable tickets (where the renewable
+  lifetime is equal to or less than the ticket lifetime) if requested
+  by the client, to be friendlier to scripts.
+
+* The client library will use a random nonce for TGS requests instead
+  of the current system time.
+
+* For the RC4 string-to-key or PAC operations, UTF-16 is supported
+  (previously only UCS-2 was supported).
+
+* When matching PKINIT client certificates, UPN SANs will be matched
+  correctly as UPNs, with canonicalization.
+
+User experience:
+
+* Dates after the year 2038 are accepted (provided that the platform
+  time facilities support them), through the year 2106.
+
+* Automatic credential cache selection based on the client realm will
+  take into account the fallback realm and the service hostname.
+
+* Referral and alternate cross-realm TGTs will not be cached, avoiding
+  some scenarios where they can be added to the credential cache
+  multiple times.
+
+* A German translation has been added.
+
+Code quality:
+
+* The build is warning-clean under clang with the configured warning
+  options.
+
+* The automated test suite runs cleanly under AddressSanitizer.
+
 krb5-1.16 changes by ticket ID
 ------------------------------
 
+3349	 Allow keytab entries to ignore the key version
+7647	 let ktutil support non-default salts
+7877	 Interleaved init_creds operations use same per-request preauth context
+8352	 Year 2038 fixes
+8515	 Add German translation
+8517	 Add KRB5_TRACE calls for DNS lookups
+8518	 Remove redeclaration of ttyname() in ksu
+8526	 Constify service and hostname in krb5_mk_req()
+8527	 Clean up memory handling in krb5_fwd_tgt_creds()
+8528	 Improve PKINIT UPN SAN matching
+8529	 Add OpenLDAP LDIF file for Kerberos schema
+8533	 Bug in src/tests/responder.c
+8534	 Add configure option to disable nls support
+8537	 Preauthentication should continue after failure
+8539	 Preauth tryagain should copy KDC cookie
+8544	 Wrong PKCS11 PIN can trigger PKINIT draft9 code
+8548	 Add OID to inquire GSS cred impersonator name
+8549	 Use fallback realm for GSSAPI ccache selection
+8558	 kvno memory leak (1.15.1)
+8561	 Add certauth pluggable interface
+8562	 Add the certauth dbmatch module
+8568	 Convert some pkiDebug messages to TRACE macros
+8569	 Add support to query the SSF of a GSS context
+8570	 Add the client_name() kdcpreauth callback
+8571	 Use the canonical client principal name for OTP
+8572	 Un-deprecate krb5_auth_con_initivector()
+8575	 Add FAST encrypted challenge auth indicator
+8577	 Replace UCS-2 conversions with UTF-16
+8578	 Add various bound checks
+8579	 duplicate caching of some cross-realm TGTs
+8582	 Use a random nonce in TGS requests
+8583	 Pass client address to DAL audit_as_req
+8592	 Parse all kadm5.acl fields at startup
+8595	 Pluggable interface for kadmin authorization
+8597	 acx_pthread.m4 needs to be updated
+8602	 Make ccache name work for klist/kdestroy -A
+8603	 Remove incomplete PKINIT OCSP support
+8606	 Add KDC policy pluggable interface
+8607	 kpropd should write a pidfile when started in standalone mode...
+8608	 Fix AIX build issues
+8609	 Renewed tickets can be marked renewable with no renewable endtime
+8610	 Don't set ctime in KDC error replies
+8612	 Bump bundled libverto for 0.3.0 release
+8613	 Add hostname-based ccselect module
+8615	 Abort client preauth on keyboard interrupt
+
+
 Acknowledgements
 ----------------
 
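Review bot: the kdcpolicy bullet under "Developer experience" is missing a verb: "allows modules control whether tickets are issued by the KDC" should read "allows modules to control whether tickets are issued by the KDC", matching the parallel kadm5_auth and certauth bullets. Also, the ticket 8607 entry ends in an ellipsis ("...standalone mode..."); since the other entries are complete one-line summaries, consider spelling this one out in full for consistency.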
@@ -168,7 +301,7 @@ Past and present members of the Kerberos Team at MIT:
     Zhanna Tsitkova
     Ted Ts'o
     Marshall Vale
-    Tom Yu
+    Taylor Yu
 
 The following external contributors have provided code, patches, bug
 reports, suggestions, and valuable resources:
@@ -191,7 +324,9 @@ reports, suggestions, and valuable resources:
     Radoslav Bodo
     Sumit Bose
     Emmanuel Bouillon
+    Isaac Boukris
     Philip Brown
+    Samuel Cabrero
     Michael Calmer
     Andrea Campi
     Julien Chaffraix
@@ -215,7 +350,9 @@ reports, suggestions, and valuable resources:
     Mark Deneen
     Günther Deschner
     John Devitofranceschi
+    Marc Dionne
     Roland Dowdeswell
+    Dorian Ducournau
     Viktor Dukhovni
     Jason Edgecombe
     Mark Eichin
@@ -230,6 +367,7 @@ reports, suggestions, and valuable resources:
     Remi Ferrand
     Paul Fertser
     William Fiveash
+    Jacques Florent
     Ákos Frohner
     Sebastian Galiano
     Marcus Granado
@@ -239,8 +377,10 @@ reports, suggestions, and valuable resources:
     Philip Guenther
     Dominic Hargreaves
     Robbie Harwood
+    John Hascall
     Jakob Haufe
     Matthieu Hautreux
+    Jochen Hein
     Paul B. Henson
     Jeff Hodges
     Christopher Hogan
@@ -256,18 +396,26 @@ reports, suggestions, and valuable resources:
     Spencer Jackson
     Diogenes S. Jesus
     Pavel Jindra
+    Brian Johannesmeyer
     Joel Johnson
+    Alexander Karaivanov
     Anders Kaseorg
+    Zentaro Kavanagh
+    Mubashir Kazia
     W. Trevor King
     Patrik Kis
+    Martin Kittel
     Mikkel Kruse
     Reinhard Kugler
     Tomas Kuthan
     Pierre Labastie
+    Chris Leick
     Volker Lendecke
     Jan iankko Lieskovsky
+    Todd Lipcon
     Oliver Loch
     Kevin Longfellow
+    Frank Lonigro
     Jon Looney
     Nuno Lopes
     Ryan Lynch
@@ -301,6 +449,7 @@ reports, suggestions, and valuable resources:
     Jonathan Reams
     Jonathan Reed
     Robert Relyea
+    Tony Reix
     Martin Rex
     Jason Rogers
     Matt Rogers
@@ -308,10 +457,13 @@ reports, suggestions, and valuable resources:
     Solly Ross
     Mike Roszkowski
     Guillaume Rousse
+    Joshua Schaeffer
     Andreas Schneider
     Tom Shaw
     Jim Shi
     Peter Shoults
+    Richard Silverman
+    Cel Skeggs
     Simo Sorce
     Michael Spang
     Michael Ströder
@@ -338,6 +490,7 @@ reports, suggestions, and valuable resources:
     Tsu-Phong Wu
     Xu Qiang
     Neng Xue
+    Zhaomo Yang
     Nickolai Zeldovich
     Hanz van Zijst
     Gertjan Zwartjes

