krb5-1.15 is released
Tom Yu
tlyu at mit.edu
Fri Dec 2 19:04:24 EST 2016
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.15. Please see below for a list of some major changes
included, or consult the README file in the source tree for a more
detailed list of significant changes.
RETRIEVING KERBEROS 5 RELEASE 1.15
====================================
You may retrieve the Kerberos 5 Release 1.15 source from the
following URL:
http://web.mit.edu/kerberos/dist/
The homepage for the krb5-1.15 release is:
http://web.mit.edu/kerberos/krb5-1.15/
Further information about Kerberos 5 may be found at the following
URL:
http://web.mit.edu/kerberos/
and at the MIT Kerberos Consortium web site:
http://www.kerberos.org/
DES transition
==============
The Data Encryption Standard (DES) is widely recognized as weak. The
krb5-1.7 release contains measures to encourage sites to migrate away
- From using single-DES cryptosystems. Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.
Major changes in 1.15 (2016-12-01)
==================================
Administrator experience:
* Add support to kadmin for remote extraction of current keys without
changing them (requires a special kadmin permission that is excluded
from the wildcard permission), with the exception of highly
protected keys.
* Add a lockdown_keys principal attribute to prevent retrieval of the
principal's keys (old or new) via the kadmin protocol. In newly
created databases, this attribute is set on the krbtgt and kadmin
principals.
* Restore recursive dump capability for DB2 back end, so sites can
more easily recover from database corruption resulting from power
failure events.
* Add DNS auto-discovery of KDC and kpasswd servers from URI records,
in addition to SRV records. URI records can convey TCP and UDP
servers and master KDC status in a single DNS lookup, and can also
point to HTTPS proxy servers.
* Add support for password history to the LDAP back end.
* Add support for principal renaming to the LDAP back end.
* Use the getrandom system call on supported Linux kernels to avoid
blocking problems when getting entropy from the operating system.
* In the PKINIT client, use the correct DigestInfo encoding for PKCS
#1 signatures, so that some especially strict smart cards will work.
Code quality:
* Clean up numerous compilation warnings.
* Remove various infrequently built modules, including some preauth
modules that were not built by default.
Developer experience:
* Add support for building with OpenSSL 1.1.
* Use SHA-256 instead of MD5 for (non-cryptographic) hashing of
authenticators in the replay cache. This helps sites that must
build with FIPS 140 conformant libraries that lack MD5.
Protocol evolution:
* Add support for the AES-SHA2 enctypes, which allows sites to conform
to Suite B crypto requirements.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQGcBAEBAgAGBQJYQgwIAAoJEKMvF/0AVcMF1jEL/A+SlQfSbilIj13n2GHp2fHK
2mdk7GfwLQdjvR7OIb2aBZCGdZAG9QqNtclVWv/JOdPZYRT6mn0Odvnu4ZdAD2RX
B2hhqAXIt1GX+bofGa+Hny9yZUBmUT7px2dnsH4mD1ew25BJMZcUN0xWgdRgl+4X
zQDB5TxH6gbq3MPL/A7ox2tKUJnWhxu3uRw0gVCXVhJxf5bxjfILURRmIFX3zsUS
B6onbas2J9vFzL/L1S1RtRJsu1BuOHktRj1ZJ0CxBHW+X4Ynm7GmWyPTFRl26hbc
q95crniciccguaE39KladaswuOpM6I7ZhV25cGoHfhg2/in1komxk4yqrx5bESCi
rxv/A089xuu+vzf/O8bHvKZscaMhqY/uqAqXHjrDWb4KSxdckW+oCGz6NjoxY7pk
+FE5972dkvkByZewcTQKGJxuZItJPO3+1oaQ4M+MYvxIOxmFSdFrkvpaciRzhxRB
6RabmGBMWBVglvVw3/OqWQU18KOMdiZPqTMJGzt8zQ==
=uxbK
-----END PGP SIGNATURE-----
More information about the kerberos-announce
mailing list