krb5 commit [krb5-1.22]: Update README for krb5-1.22

ghudson at mit.edu
Mon May 5 22:32:03 EDT 2025


https://github.com/krb5/krb5/commit/20792b7d752678e5d8c71abb0b92cabaec0a695b
commit 20792b7d752678e5d8c71abb0b92cabaec0a695b
Author: Greg Hudson <ghudson at mit.edu>
Date:   Mon May 5 22:28:11 2025 -0400

    Update README for krb5-1.22

 README | 136 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 136 insertions(+)

diff --git a/README b/README
index 2c1478e2d..58c343ec2 100644
--- a/README
+++ b/README
@@ -100,9 +100,130 @@ encryption types has been removed.
 Major changes in 1.22
 ---------------------
 
+User experience:
+
+* The libdefaults configuration variable "request_timeout" can be set
+  to limit the total timeout for KDC requests.  When making a KDC
+  request, the client will now wait indefinitely (or until the request
+  timeout has elapsed) on a KDC which accepts a TCP connection,
+  without contacting any additional KDCs.  Clients will make fewer DNS
+  queries in some configurations.
+
+* The realm configuration variable "sitename" can be set to cause the
+  client to query site-specific DNS records when making KDC requests.
+
+Administrator experience:
+
+* Principal aliases are supported in the DB2 and LMDB KDB modules and
+  in the kadmin protocol.  (The LDAP KDB module has supported aliases
+  since release 1.7.)
+
+* UNIX domain sockets are supported for the Kerberos and kpasswd
+  protocols.
+
+* systemd socket activation is supported for krb5kdc and kadmind.
+
+Developer experience:
+
+* KDB modules can be be implemented in terms of other modules using
+  the new krb5_db_load_module() function.
+
+* The profile library supports the modification of empty profiles and
+  the copying of modified profiles, making it possible to construct an
+  in-memory profile and pass it to krb5_init_context_profile().
+
+* GSS-API applications can pass the GSS_C_CHANNEL_BOUND flag to
+  gss_init_sec_context() to request strict enforcement of channel
+  bindings by the acceptor.
+
+Protocol evolution:
+
+* The PKINIT preauth module supports elliptic curve client
+  certificates, ECDH key exchange, and the Microsoft paChecksum2
+  field.
+
+* The IAKERB implementation has been changed to comply with the most
+  recent draft standard and to support realm discovery.
+
+* Message-Authenticator is supported in the RADIUS implementation used
+  by the OTP kdcpreauth module.
+
+Code quality:
+
+* Removed old-style function declarations, to accomodate compilers
+  which have removed support for them.
+
+* Added OSS-Fuzz to the project's continuous integration
+  infrastructure.
+
+* Rewrote the GSS per-message token parsing code for improved safety.
+
 krb5-1.22 changes by ticket ID
 ------------------------------
 
+7721    Primary KDC lookups happen sooner than necessary
+7899    Client waits before moving on after KDC_ERR_SVC_UNAVAILABLE
+8618    ksu doesn't exit nonzero
+9094    Get arm64-windows builds working
+9095    PKINIT ECDH support
+9096    Enable PKINIT if at least one group is available
+9100    Add ecdsa-with-sha512/256 to supportedCMSTypes
+9105    Wait indefinitely on KDC TCP connections
+9106    Add request_timeout configuration parameter
+9108    Remove PKINIT RSA support
+9110    profile library null dereference when modifying empty profile
+9111    Correct PKINIT EC cert signature metadata
+9112    Support PKCS11 EC client certs in PKINIT
+9113    Improve PKCS11 error reporting in PKINIT
+9114    Build fails with link-time optimization
+9116    Improve error message for DES kadmin/history key
+9118    profile write operation interactions with reloading
+9119    Make profile_copy() work on dirty profiles
+9120    profile final flag limitations
+9121    Don't flush libkrb5 context profiles
+9122    Add GSS flag to include KERB_AP_OPTIONS_CBT
+9123    Correct IAKERB protocol implementation
+9124    Support site-local KDC discovery via DNS
+9126    Handle empty initial buffer in IAKERB initiator
+9130    make krb5_get_default_config_files public
+9131    Adjust removed cred detection in FILE ccache
+9132    Change krb5_get_credentials() endtime behavior
+9133    Add acceptor-side IAKERB realm discovery
+9135    Replace Windows installer FilesInUse dialog text
+9139    Block library unloading to avoid finalizer races
+9141    Fix krb5_crypto_us_timeofday() microseconds check
+9142    Generate and verify message MACs in libkrad
+9143    Fix memory leak in PAC checksum verification
+9144    Fix potential PAC processing crash
+9145    Prevent late initialization of GSS error map
+9146    Allow null keyblocks in IOV checksum functions
+9147    Add numeric constants to krad.h and use them
+9148    Fix krb5_ldap_list_policy() filtering loop
+9149    Use getentropy() when available
+9151    Add kadmind support for disabling listening
+9152    Default kdc_tcp_listen to kdc_listen value
+9153    Fix LDAP module leak on authentication error
+9154    Components of the X509_user_identity string cannot contain ':'
+9155    UNIX domain socket support
+9156    Allow KDB module stacking
+9157    Add support for systemd socket activation
+9158    Set missing mask flags for kdb5_util operations
+9159    Prevent overflow when calculating ulog block size
+9160    Allow only one salt type per enctype in key data
+9161    Improve ulog block resize efficiency
+9162    Build PKINIT on Windows
+9163    Add alias support
+9164    Add database format documentation
+9165    Display NetBIOS ticket addresses in klist
+9166    Add PKINIT paChecksum2 from MS-PKCA v20230920
+9167    Add initiator-side IAKERB realm discovery
+9168    Fix IAKERB accept_sec_context null pointer crash
+9169    Fix IAKERB error handling
+9170    Avoid gss_inquire_attrs_for_mech() null outputs
+9171    Fix getsockname() call in Windows localaddr
+9172    Check lengths in xdr_krb5_key_data()
+9173    Limit -keepold for self-service key changes
+
 Acknowledgements
 ----------------
 
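Review bot: The "Protocol evolution" bullets list only what PKINIT gained (EC client certificates, ECDH, paChecksum2), while the ticket list in the same hunk includes 9108 "Remove PKINIT RSA support", a removal that appears nowhere in the summary; consider adding a bullet that says what was removed, so administrators who read only "Major changes" see it before upgrading. The "request_timeout" bullet does not say what the default is; since the client now waits indefinitely on a KDC that accepts a TCP connection without contacting additional KDCs, stating the default would tell administrators whether they need to set it. Two typos in added lines: "can be be implemented" under "Developer experience" and "accomodate" under "Code quality".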
@@ -219,6 +340,7 @@ reports, suggestions, and valuable resources:
     Toby Blake
     Radoslav Bodo
     Alexander Bokovoy
+    Zoltan Borbely
     Sumit Bose
     Emmanuel Bouillon
     Isaac Boukris
@@ -229,6 +351,7 @@ reports, suggestions, and valuable resources:
     Michael Calmer
     Andrea Campi
     Julien Chaffraix
+    Jacob Champion
     Puran Chand
     Ravi Channavajhala
     Srinivas Cheruku
@@ -239,6 +362,7 @@ reports, suggestions, and valuable resources:
     Andrea Cirulli
     Christopher D. Clausen
     Kevin Coffman
+    Gerald Combs
     Simon Cooper
     Sylvain Cortes
     Ian Crowther
@@ -248,6 +372,7 @@ reports, suggestions, and valuable resources:
     Nalin Dahyabhai
     Mark Davies
     Dennis Davis
+    Rull Deef
     Alex Dehnert
     Misty De Meo
     Mark Deneen
@@ -265,6 +390,7 @@ reports, suggestions, and valuable resources:
     Peter Eriksson
     Juha Erkkilä
     Gilles Espinasse
+    Valery Fedorenko
     Sergey Fedorov
     Ronni Feldt
     Bill Fellows
@@ -278,6 +404,7 @@ reports, suggestions, and valuable resources:
     Oliver Freyermuth
     Ákos Frohner
     Sebastian Galiano
+    Ilya Gladyshev
     Marcus Granado
     Dylan Gray
     Norm Green
@@ -285,6 +412,7 @@ reports, suggestions, and valuable resources:
     Helmut Grohne
     Steve Grubb
     Philip Guenther
+    Feng Guo
     Timo Gurr
     Dominic Hargreaves
     Robbie Harwood
@@ -324,6 +452,7 @@ reports, suggestions, and valuable resources:
     Martin Kittel
     Thomas Klausner
     Tomasz Kłoczko
+    Ivan Korytov
     Matthew Krupcale
     Mikkel Kruse
     Reinhard Kugler
@@ -356,15 +485,19 @@ reports, suggestions, and valuable resources:
     Alexey Melnikov
     Ivan A. Melnikov
     Franklyn Mendez
+    Stefan Metzmacher
     Mantas MikulÄ—nas
     Markus Moeller
     Kyle Moffett
+    Jon Moore
     Paul Moore
     Keiichi Mori
     Michael Morony
+    Robert Morris
     Sam Morris
     Zbysek Mraz
     Edward Murrell
+    Bahaa Naamneh
     Joshua Neuheisel
     Nikos Nikoleris
     Demi Obenour
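Review bot: The context line "Mantas MikulÄ—nas" in this hunk looks mis-encoded, while other non-ASCII names in the list (for example "Juha Erkkilä" and "Tomasz Kłoczko") come through intact; it is worth checking whether the README itself stores this entry with a double-encoded character and correcting it in a follow-up, since this patch leaves the line untouched.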
@@ -402,6 +535,7 @@ reports, suggestions, and valuable resources:
     Jens Schleusener
     Ryan Schmidt
     Andreas Schneider
+    Eli Schwartz
     Paul Seyfert
     Tom Shaw
     Jim Shi
@@ -410,11 +544,13 @@ reports, suggestions, and valuable resources:
     Richard Silverman
     Cel Skeggs
     Simo Sorce
+    Anthony Sottile
     Michael Spang
     Michael Ströder
     Bjørn Tore Sund
     Ondřej Surý
     Joseph Sutton
+    Alexey Tikhonov
     Joe Travaglini
     Sergei Trofimovich
     Greg Troxel

