krb5-1.17.1 is released
Greg Hudson
ghudson at mit.edu
Thu Dec 12 00:24:17 EST 2019
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.17.1. Please see below for a list of some major changes
included, or consult the README file in the source tree for a more
detailed list of significant changes.
RETRIEVING KERBEROS 5 RELEASE 1.17.1
====================================
You may retrieve the Kerberos 5 Release 1.17.1 source from the
following URL:
https://kerberos.org/dist/
(The distribution URL has changed from previous releases. The same
contents are available at the old URL.)
The homepage for the krb5-1.17.1 release is:
https://web.mit.edu/kerberos/krb5-1.17/
Further information about Kerberos 5 may be found at the following
URL:
https://web.mit.edu/kerberos/
and at the MIT Kerberos Consortium web site:
https://www.kerberos.org/
Feedback based on experiences with the SPAKE pre-authentication
mechanism and the LMDB-based KDB module would be greatly appreciated,
as it will help us decide when these features are ready to become
defaults in a future release. Please send feedback to
kerberos at mit.edu.
DES transition
==============
The Data Encryption Standard (DES) is widely recognized as weak. The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems. Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.
Major changes in 1.17.1 (2019-12-11)
====================================
This is a bug fix release.
* Fix a bug preventing "addprinc -randkey -kvno" from working in
kadmin.
* Fix a bug preventing time skew correction from working when a KCM
credential cache is used.
Major changes in 1.17 (2019-01-08)
==================================
Administrator experience:
* A new Kerberos database module using the Lightning Memory-Mapped
Database library (LMDB) has been added. The LMDB KDB module should
be more performant and more robust than the DB2 module, and may
become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific
principal names are requested.
Developer experience:
* The new krb5_get_etype_info() API can be used to retrieve enctype,
salt, and string-to-key parameters from the KDC for a client
principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the
log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should
perform better.
Protocol evolution:
* The SPAKE pre-authentication mechanism is now supported. This
mechanism protects against password dictionary attacks without
requiring any additional infrastructure such as certificates. SPAKE
is enabled by default on clients, but must be manually enabled on
the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can
protect against scenarios where an attacker uses temporary access to
a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid
spurious error messages about replays when a response packet is
dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a
third-party KDB module such as Samba's. The client code for
cross-realm S4U2Self requests is also now more robust.
User experience:
* The new ktutil addent -f flag can be used to fetch salt information
from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache
within a collection by client principal name.
* The Kerberos man page has been restored, and documents the
environment variables that affect programs using the Kerberos
library.
Code quality:
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it
easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work
with more recent versions of Visual Studio. A large volume of
unused Windows-specific code has been removed. Visual Studio 2013
or later is now required.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBAgAGBQJd8c6pAAoJEAy6CFdfg3LfIMgP/jHyj7olxEOqiQNi/36AqDAW
vQdKUwSMo33cZQrP8pIc2XsAY797fxX/taSMYmtw5tGLGG27gEsRXSnxZACzeTGZ
gnfQaGn68ipAnO1hTAHMzm6kcu4egwmn3tH/gl7StmX16vFdcpFMDhBvSVlSFzhA
WlmB0omo9zQS2I9nVDXva2mw5cAe0plJHVvGGtNjrH9K4kkUoYG9zM63Y59nYbdu
6kZp3SxsoOG7qF/8p+uyFjDPgS6JYV1MW+M0p+dHrfOmg6DgB2UsoYBmXTznOgUo
9Wj6exqaratbNn89xcLe9x7KJl6rEho+CxqfVeO8Q4XTUqDeZDwbQKOXVGZ5EaHM
CvBCXRAyRtgex/PDHV1AVdCykaNp1d/Xgtyz9x9G4Mfn19ZPJqGyRC5AJRewJUHB
XwDfsk++OGmN0JodC8wqTdPJRgCeetkVDHd9mBCkx06dsAOQg/rC8pCmCPaOQZdr
b3ZkItQGp4s6Rf+6/GNcrcMVlbchGUM3oxhf74N7YRehupD5VAs2E10ZTSKkZwsd
tdkVUH+k+8Py2myHheTQLpj6t6l2WQ9NjG6EL5nLzv5hULi/knSh0ClcalKtCk5p
FlRUpso2kCkX/19BRnKgEyO/iNyAm+cvVUYmRGyLJFXa8+pl7Pk5YNJ8jtXmRDnr
w+H+tLDmz4yYqUSTfUqC
=save
-----END PGP SIGNATURE-----
More information about the kerberos-announce
mailing list