krb5 commit: Update features list for 1.19

Greg Hudson ghudson at mit.edu
Mon Nov 23 17:46:06 EST 2020


https://github.com/krb5/krb5/commit/f2203972ae4311a530282fccec4effe1dc3768f5
commit f2203972ae4311a530282fccec4effe1dc3768f5
Author: Greg Hudson <ghudson at mit.edu>
Date:   Sun Nov 22 12:41:22 2020 -0500

    Update features list for 1.19

 doc/mitK5features.rst |   61 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 61 insertions(+), 0 deletions(-)

diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst
index 8d6041d..4954bb3 100644
--- a/doc/mitK5features.rst
+++ b/doc/mitK5features.rst
@@ -533,6 +533,67 @@ Release 1.18
   - The test suite incorporates soft-pkcs11 so that PKINIT PKCS11
     support can always be tested.
 
+Release 1.19
+
+* Administrator experience:
+
+  - When a client keytab is present, the GSSAPI krb5 mech will refresh
+    credentials even if the current credentials were acquired
+    manually.
+
+  - It is now harder to accidentally delete the K/M entry from a KDB.
+
+* Developer experience:
+
+  - gss_acquire_cred_from() now supports the "password" and "verify"
+    options, allowing credentials to be acquired via password and
+    verified using a keytab key.
+
+  - When an application accepts a GSS security context, the new
+    GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor
+    both provided matching channel bindings.
+
+  - Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self
+    requests to identify the desired client principal by certificate.
+
+  - PKINIT certauth modules can now cause the hw-authent flag to be
+    set in issued tickets.
+
+  - The krb5_init_creds_step() API will now issue the same password
+    expiration warnings as krb5_get_init_creds_password().
+
+* Protocol evolution:
+
+  - Added client and KDC support for Microsoft's Resource-Based
+    Constrained Delegation, which allows cross-realm S4U2Proxy
+    requests.  A third-party database module is required for KDC
+    support.
+
+  - kadmin/admin is now the preferred server principal name for kadmin
+    connections, and the host-based form is no longer created by
+    default.  The client will still try the host-based form as a
+    fallback.
+
+  - Added client and server support for Microsoft's
+    KERB_AP_OPTIONS_CBT extension, which causes channel bindings to be
+    required for the initiator if the acceptor provided them.  The
+    client will send this option if the client_aware_gss_bindings
+    profile option is set.
+
+User experience:
+
+  - The default setting of dns_canonicalize_realm is now "fallback".
+    Hostnames provided from applications will be tried in principal
+    names as given (possibly with shortname qualification), falling
+    back to the canonicalized name.
+
+  - kinit will now issue a warning if the des3-cbc-sha1 encryption
+    type is used in the reply.  This encryption type will be
+    deprecated and removed in future releases.
+
+  - Added kvno flags --out-cache, --no-store, and --cached-only
+    (inspired by Heimdal's kgetcred).
+
 `Pre-authentication mechanisms`
 
 - PW-SALT                                         :rfc:`4120#section-5.2.7.3`


More information about the cvs-krb5 mailing list