krb5 commit [krb5-1.20]: Update README for krb5-1.20

Greg Hudson ghudson at mit.edu
Thu Mar 24 15:28:04 EDT 2022


https://github.com/krb5/krb5/commit/bc560fb1d3bc9e29a30a26176bae3a795b133687
commit bc560fb1d3bc9e29a30a26176bae3a795b133687
Author: Greg Hudson <ghudson at mit.edu>
Date:   Wed Mar 23 18:08:01 2022 -0400

    Update README for krb5-1.20

 README |  134 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 files changed, 130 insertions(+), 4 deletions(-)

diff --git a/README b/README
index 9a3c359..f343250 100644
--- a/README
+++ b/README
@@ -64,18 +64,128 @@ and using the "Guest Login" button.  Please note that the web
 interface to our bug database is read-only for guests, and the primary
 way to interact with our bug database is via email.
 
-DES no longer supported
------------------------
+PAC transition
+--------------
+
+Beginning with release 1.20, the KDC will include minimal PACs in
+tickets instead of AD-SIGNEDPATH authdata.  S4U requests (protocol
+transition and constrained delegation) must now contain valid PACs in
+the incoming tickets.  If only some KDCs in a realm have been upgraded
+across version 1.20, the upgraded KDCs will reject S4U requests
+containing tickets from non-upgraded KDCs and vice versa.
+
+Triple-DES transition
+---------------------
+
+Beginning with the krb5-1.19 release, a warning will be issued if
+initial credentials are acquired using the des3-cbc-sha1 encryption
+type.  In future releases, this encryption type will be disabled by
+default and eventually removed.
 
-Beginning with the krb5-1.18 release, single-DES encryption types are
-no longer supported.
+Beginning with the krb5-1.18 release, single-DES encryption types have
+been removed.
 
 Major changes in 1.20
 ---------------------
 
+Administrator experience:
+
+* Added a "disable_pac" realm relation to suppress adding PAC authdata
+  to tickets, for realms which do not need to support S4U requests.
+
+* Most credential cache types will use atomic replacement when a cache
+  is reinitialized using kinit or refreshed from the client keytab.
+
+* kprop can now propagate databases with a dump size larger than 4GB,
+  if both the client and server are upgraded.
+
+* kprop can now work over NATs that change the destination IP address,
+  if the client is upgraded.
+
+Developer experience:
+
+* Updated the KDB interface.  The sign_authdata() method is replaced
+  with the issue_pac() method, allowing KDB modules to add logon info
+  and other buffers to the PAC issued by the KDC.
+
+* Host-based initiator names are better supported in the GSS krb5
+  mechanism.
+
+Protocol evolution:
+
+* Replaced AD-SIGNEDPATH authdata with minimal PACs.
+
+* To avoid spurious replay errors, password change requests will not
+  be attempted over UDP until the attempt over TCP fails.
+
+* PKINIT will sign its CMS messages with SHA-256 instead of SHA-1.
+
+Code quality:
+
+* Updated all code using OpenSSL to be compatible with OpenSSL 3.
+
+* Reorganized the libk5crypto build system to allow the OpenSSL
+  back-end to pull in material from the builtin back-end depending on
+  the OpenSSL version.
+
+* Simplified the PRNG logic to always use the platform PRNG.
+
+* Converted the remaining Tcl tests to Python.
+
 krb5-1.20 changes by ticket ID
 ------------------------------
 
+7707    Credential cache API does not support atomic reinitialization
+8010    gss_store_cred should initialize ccache and work with collections
+8970    Wrong Encryption types shown in MIT Kerberos Ticket Manager on Windows
+8976    all-liblinks build target fails when symlinks not supported
+8977    Allow kprop over more types of NATs
+8978    Support host-based GSS initiator names
+8980    Add APIs for marshalling credentials
+8981    Documentation__krb5.conf
+8983    Infer name type when creating principals
+8988    Only require one valid pkinit anchor/pool value
+8990    Add KCM_OP_GET_CRED_LIST for faster iteration
+8991    Fix PKINIT memory leaks
+8994    Fix gss-krb5 handling of high sequence numbers
+8995    KCM interop issue with KRB5_TC_ flags
+8997    Use KCM_OP_RETRIEVE in KCM client
+8998    Simplify krb5_cccol_have_content()
+8999    Add additional KRB5_TRACE points
+9000    Fix multiple UPN handling in PKINIT client certs
+9002    Check for undefined kadm5 policy mask bits
+9003    Add duplicate check to kadm5_create_policy()
+9009    Update IRC pointer in resources.rst
+9010    Add MAXHOSTNAME guard in Windows public header
+9011    Fix some principal realm canonicalization cases
+9012    Allow kinit with keytab to defer canonicalization
+9013    Fix kadmin -k with fallback or referral realm
+9017    Clarify and correct interposer plugin docs
+9019    make check fails: OSError: AF_UNIX path too long
+9022    Potential integer overflows
+9024    Find gss_get_mic_iov extensions in GSS modules
+9025    Use version-independent OpenLDAP links in docs
+9027    Add OpenLDAP advice to princ_dns.rst
+9028    Constify name field in four plugin vtables
+9031    Fix verification of RODC-issued PAC KDC signature
+9032    Always use platform PRNG
+9034    Use builtin MD4, RC4 for OpenSSL 3.0
+9035    Avoid use after free during libkrad cleanup
+9036    Support larger RADIUS attributes in libkrad
+9037    Race condition in krb5_set_password()
+9038    Issue an error from KDC on S4U2Self failures
+9039    Fix PAC handling of authtimes after y2038
+9040    Use 14 instead of 9 for unkeyed SHA-1 checksum
+9041    Add PA-REDHAT-IDP-OAUTH2 padata type
+9042    Don't fail krb5_cc_select() for no default realm
+9043    Add PAC ticket signature APIs
+9044    Replace AD-SIGNEDPATH with minimal PACs
+9047    Avoid passing null for asprintf strings
+9048    Pass client flag to KDB for client preauth match
+9049    Add replace_reply_key kdcpreauth callback
+9050    Implement replaced_reply_key input to issue_pac()
+9051    Clarify certauth interface documentation
+
 Acknowledgements
 ----------------
 
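Review bot: the PAC transition paragraph should state the operational requirement directly: upgrade every KDC in a realm to 1.20 together before relying on S4U, since by the paragraph's own account a mixed-version realm fails S4U in both directions ("the upgraded KDCs will reject S4U requests containing tickets from non-upgraded KDCs and vice versa"); "upgraded across version 1.20" also reads awkwardly and "upgraded to 1.20" is clearer. Minor: the Triple-DES paragraph describes 1.19 behaviour in future tense ("a warning will be issued"), which should be present tense in a 1.20 README now that 1.19 has shipped, and the ticket 8981 title "Documentation__krb5.conf" looks like a mangled subject line and should be checked against the tracker.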
@@ -195,6 +305,8 @@ reports, suggestions, and valuable resources:
     Sumit Bose
     Emmanuel Bouillon
     Isaac Boukris
+    Ulf Bremer
+    Pavel Březina
     Philip Brown
     Samuel Cabrero
     Michael Calmer
@@ -226,6 +338,7 @@ reports, suggestions, and valuable resources:
     John Devitofranceschi
     Marc Dionne
     Roland Dowdeswell
+    Ken Dreyer
     Dorian Ducournau
     Viktor Dukhovni
     Jason Edgecombe
@@ -244,6 +357,7 @@ reports, suggestions, and valuable resources:
     Frank Filz
     William Fiveash
     Jacques Florent
+    Oliver Freyermuth
     Ákos Frohner
     Sebastian Galiano
     Marcus Granado
@@ -261,6 +375,7 @@ reports, suggestions, and valuable resources:
     Matthieu Hautreux
     Jochen Hein
     Paul B. Henson
+    Kihong Heo
     Jeff Hodges
     Christopher Hogan
     Love Hörnquist Åstrand
@@ -275,6 +390,7 @@ reports, suggestions, and valuable resources:
     Holger Isenberg
     Spencer Jackson
     Diogenes S. Jesus
+    Mike Jetzer
     Pavel Jindra
     Brian Johannesmeyer
     Joel Johnson
@@ -288,6 +404,7 @@ reports, suggestions, and valuable resources:
     Patrik Kis
     Martin Kittel
     Thomas Klausner
+    Tomasz KÅ‚oczko
     Matthew Krupcale
     Mikkel Kruse
     Reinhard Kugler
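Review bot: the added line "+    Tomasz KÅ‚oczko" appears to be double-encoded UTF-8 (the same pattern as the existing "Mantas MikulÄ—nas" context line in the next hunk), whereas other non-ASCII names in this file such as "Ondřej Surý" and "Love Hörnquist Åstrand" render correctly; the intended spelling is most likely "Tomasz Kłoczko", so confirm it with the contributor and commit the line as plain UTF-8 so the acknowledgements file has a single consistent encoding.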
@@ -316,7 +433,9 @@ reports, suggestions, and valuable resources:
     Nathaniel McCallum
     Greg McClement
     Cameron Meadors
+    Vipul Mehta
     Alexey Melnikov
+    Ivan A. Melnikov
     Franklyn Mendez
     Mantas MikulÄ—nas
     Markus Moeller
@@ -324,6 +443,7 @@ reports, suggestions, and valuable resources:
     Paul Moore
     Keiichi Mori
     Michael Morony
+    Sam Morris
     Zbysek Mraz
     Edward Murrell
     Joshua Neuheisel
@@ -351,6 +471,7 @@ reports, suggestions, and valuable resources:
     Tony Reix
     Martin Rex
     Pat Riehecky
+    Julien Rische
     Jason Rogers
     Matt Rogers
     Nate Rosenblum
@@ -360,6 +481,7 @@ reports, suggestions, and valuable resources:
     Joshua Schaeffer
     Alexander Scheel
     Jens Schleusener
+    Ryan Schmidt
     Andreas Schneider
     Paul Seyfert
     Tom Shaw
@@ -373,12 +495,15 @@ reports, suggestions, and valuable resources:
     Michael Ströder
     Bjørn Tore Sund
     Ondřej Surý
+    Joseph Sutton
     Joe Travaglini
     Sergei Trofimovich
     Greg Troxel
+    Fraser Tweedale
     Tim Uglow
     Rathor Vipin
     Denis Vlasenko
+    Thomas Wagner
     Jorgen Wahlsten
     Stef Walter
     Max (Weijun) Wang
@@ -400,6 +525,7 @@ reports, suggestions, and valuable resources:
     Xu Qiang
     Neng Xue
     Zhaomo Yang
+    Tianjiao Yin
     Nickolai Zeldovich
     Bean Zhang
     Hanz van Zijst