krb5 commit: Update features list for 1.20
Greg Hudson
ghudson at mit.edu
Thu Mar 24 15:27:56 EDT 2022
https://github.com/krb5/krb5/commit/87fd0dd2ffb11033ed876bb6a7d7e6b099de851a
commit 87fd0dd2ffb11033ed876bb6a7d7e6b099de851a
Author: Greg Hudson <ghudson at mit.edu>
Date: Tue Mar 22 01:39:08 2022 -0400
Update features list for 1.20
doc/mitK5features.rst | 53 +++++++++++++++++++++++++++++++++++++++++++++++-
1 files changed, 51 insertions(+), 2 deletions(-)
diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst
index afaf531..ca2d6ef 100644
--- a/doc/mitK5features.rst
+++ b/doc/mitK5features.rst
@@ -19,8 +19,8 @@ Quick facts
License - :ref:`mitK5license`
Releases:
- - Latest stable: https://web.mit.edu/kerberos/krb5-1.18/
- - Supported: https://web.mit.edu/kerberos/krb5-1.17/
+ - Latest stable: https://web.mit.edu/kerberos/krb5-1.20/
+ - Supported: https://web.mit.edu/kerberos/krb5-1.19/
- Release cycle: approximately 12 months
Supported platforms \/ OS distributions:
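Review bot: the "Latest stable" line now links to https://web.mit.edu/kerberos/krb5-1.20/, a URL that is new in this hunk; if the 1.20 release directory is not yet published when this lands, the rendered features page carries a dead link until it is, so either confirm the URL resolves before the docs are regenerated or land this hunk together with the release. The "Supported" line dropping 1.18 for 1.19 is consistent with the "approximately 12 months" release cycle stated two lines below and needs no change.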
@@ -594,6 +594,55 @@ User experience:
- Added kvno flags --out-cache, --no-store, and --cached-only
(inspired by Heimdal's kgetcred).
+Release 1.20
+
+* Administrator experience:
+
+ - Added a "disable_pac" realm relation to suppress adding PAC
+ authdata to tickets, for realms which do not need to support S4U
+ requests.
+
+ - Most credential cache types will use atomic replacement when a
+ cache is reinitialized using kinit or refreshed from the client
+ keytab.
+
+ - kprop can now propagate databases with a dump size larger than
+ 4GB, if both the client and server are upgraded.
+
+ - kprop can now work over NATs that change the destination IP
+ address, if the client is upgraded.
+
+* Developer experience:
+
+ - Updated the KDB interface. The sign_authdata() method is replaced
+ with the issue_pac() method, allowing KDB modules to add logon
+ info and other buffers to the PAC issued by the KDC.
+
+ - Host-based initiator names are better supported in the GSS krb5
+ mechanism.
+
+* Protocol evolution:
+
+ - Replaced AD-SIGNEDPATH authdata with minimal PACs.
+
+ - To avoid spurious replay errors, password change requests will not
+ be attempted over UDP until the attempt over TCP fails.
+
+ - PKINIT will sign its CMS messages with SHA-256 instead of SHA-1.
+
+* Code quality:
+
+ - Updated all code using OpenSSL to be compatible with OpenSSL 3.
+
+ - Reorganized the libk5crypto build system to allow the OpenSSL
+ back-end to pull in material from the builtin back-end depending
+ on the OpenSSL version.
+
+ - Simplified the PRNG logic to always use the platform PRNG.
+
+ - Converted the remaining Tcl tests to Python.
+
+
`Pre-authentication mechanisms`
- PW-SALT :rfc:`4120#section-5.2.7.3`
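Review bot: two entries in the new "Release 1.20" block are too vague for a release-notes reader to act on. "Most credential cache types will use atomic replacement when a cache is reinitialized" should name the types that do not, since an administrator deciding whether a kinit or keytab refresh can race with a concurrent consumer of the cache needs to know whether their cache type is covered; and "Host-based initiator names are better supported in the GSS krb5 mechanism" should say what changed in behaviour (what now works that did not). Separately, the "disable_pac" entry under "Administrator experience" and the "Replaced AD-SIGNEDPATH authdata with minimal PACs" entry under "Protocol evolution" both concern PAC issuance; if the S4U restriction on disable_pac follows from the PAC taking over the role AD-SIGNEDPATH had, say so in the disable_pac entry so the consequence of setting it is explicit rather than implied. For "PKINIT will sign its CMS messages with SHA-256 instead of SHA-1", consider adding one clause on interoperability with peers that still expect SHA-1, since that is the question an operator will have when reading the line.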