krb5-1.18.1 is released
Greg Hudson
ghudson at mit.edu
Mon Apr 13 21:33:10 EDT 2020
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.18.1. Please see below for a list of some major changes
included, or consult the README file in the source tree for a more
detailed list of significant changes.
RETRIEVING KERBEROS 5 RELEASE 1.18.1
====================================
You may retrieve the Kerberos 5 Release 1.18.1 source from the
following URL:
https://kerberos.org/dist/
The homepage for the krb5-1.18.1 release is:
https://web.mit.edu/kerberos/krb5-1.18/
Further information about Kerberos 5 may be found at the following
URL:
https://web.mit.edu/kerberos/
DES no longer supported
=======================
Beginning with the krb5-1.18 release, single-DES encryption types are
no longer supported.
Major changes in 1.18.1 (2020-04-13)
====================================
This is a bug fix release.
* Fix a crash when qualifying short hostnames when the system has no
primary DNS domain.
* Fix a regression when an application imports "service@" as a GSS
host-based name for its acceptor credential handle.
* Fix KDC enforcement of auth indicators when they are modified by the
KDB module.
* Fix removal of require_auth string attributes when the LDAP KDB
module is used.
* Fix a compile error when building with musl libc on Linux.
* Fix a compile error when building with gcc 4.x.
* Change the KDC constrained delegation precedence order for
consistency with Windows KDCs.
Major changes in 1.18 (2020-02-12)
==================================
Administrator experience:
* Remove support for single-DES encryption types.
* Change the replay cache format to be more efficient and robust.
Replay cache filenames using the new format end with ".rcache2" by
default.
* setuid programs will automatically ignore environment variables that
normally affect krb5 API functions, even if the caller does not use
krb5_init_secure_context().
* Add an "enforce_ok_as_delegate" krb5.conf relation to disable
credential forwarding during GSSAPI authentication unless the KDC
sets the ok-as-delegate bit in the service ticket.
* Use the permitted_enctypes krb5.conf setting as the default value
for default_tkt_enctypes and default_tgs_enctypes.
Developer experience:
* Implement krb5_cc_remove_cred() for all credential cache types.
* Add the krb5_pac_get_client_info() API to get the client account
name from a PAC.
Protocol evolution:
* Add KDC support for S4U2Self requests where the user is identified
by X.509 certificate. (Requires support for certificate lookup from
a third-party KDB module.)
* Remove support for an old ("draft 9") variant of PKINIT.
* Add support for Microsoft NegoEx. (Requires one or more third-party
GSS modules implementing NegoEx mechanisms.)
* Honor the transited-policy-checked ticket flag on application
servers, eliminating the requirement to configure capaths on
servers in some scenarios.
User experience:
* Add support for "dns_canonicalize_hostname=fallback""`, causing
host-based principal names to be tried first without DNS
canonicalization, and again with DNS canonicalization if the
un-canonicalized server is not found.
* Expand single-component hostnames in host-based principal names when
DNS canonicalization is not used, adding the system's first DNS
search path as a suffix. Add a "qualify_shortname" krb5.conf
relation to override this suffix or disable expansion.
Code quality:
* The libkrb5 serialization code (used to export and import krb5 GSS
security contexts) has been simplified and made type-safe.
* The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
messages has been revised to conform to current coding practices.
* The test suite has been modified to work with macOS System Integrity
Protection enabled.
* The test suite incorporates soft-pkcs11 so that PKINIT PKCS11
support can always be tested.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBAgAGBQJelQbvAAoJEAy6CFdfg3LfzjMP/jVVKN+yytysLvgaxgl4owYA
bg8aJkyNrxec2w9d/ySUA0KvCwhI8g9Hg7I/fhlYKn4x5EXaPJ8CNTYFSO7FiOXS
fCrE23gv25x43jcnxdIwGwZ1YJh7vUrLb6GGSDW96exdfbZAGdE8M6UTeUOYQLxc
h6e1j79BqT+j2Bc5y0+UbA6X0HoKtLd4gWcrtVQ3CH1vP4Ln8kUVt+O+LuW6l/5k
3+8MHLaHcqtez5oW82K3uj2PXlEv+43MS17mkXww9dl7HMWWn83e55jfpYIhy5bW
+Xh+OPDvPfOZA3DEt7Q3XCG3j6V7bf3oJ5FyoBGDAOz1yxq+pVFnpJH8crebHyor
v5uRZyXFvDKvsCsMYV6BUauF3lTVarBo09UroGjpW78mLAd6IDnEJYlr5tUtIJj/
2jyulKH6GCMHizBLeopK/25C9Nv/Fv9jOmUhREdZuO+2hD5JRv84PT4pPKqFBEiW
KR5WuaLhzCPQRdM+5ICAOkdWq6iJIKcZ1OflFxu93kmv5Zvk9m8naU0a7PnreR2X
8Xy8rHVu6/xROffBJyig+nFh3sya3av9KDzXemU5GhQAkN+k2R5tMgFYHi9h2abQ
/6ZHYtL+aKJMUioY/gj1NNqzIwgGrygTJ9bDZyweO63vUMgtgGwbMEJuDXJFGwMv
NIb3nnoZH7hGdr7he5Wj
=HJif
-----END PGP SIGNATURE-----
_______________________________________________
kerberos-announce mailing list
kerberos-announce at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos-announce
More information about the Kerberos
mailing list