krb5-1.15-beta2 is available

Tom Yu tlyu at mit.edu
Wed Nov 16 15:23:29 EST 2016 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MIT krb5-1.15-beta2 is now available for download from

         http://web.mit.edu/kerberos/dist/testing.html

The main MIT Kerberos web page is

         http://web.mit.edu/kerberos/

Please send comments to the krbdev list.  We plan for the final release
to occur in a couple of weeks.  The README file contains a more
extensive list of changes.

Major changes in 1.15
=====================

Administrator experience:

* Add support to kadmin for remote extraction of current keys without
  changing them (requires a special kadmin permission that is excluded
  from the wildcard permission), with the exception of highly
  protected keys.

* Add a lockdown_keys principal attribute to prevent retrieval of the
  principal's keys (old or new) via the kadmin protocol.  In newly
  created databases, this attribute is set on the krbtgt and kadmin
  principals.

* Restore recursive dump capability for DB2 back end, so sites can
  more easily recover from database corruption resulting from power
  failure events.

* Add DNS auto-discovery of KDC and kpasswd servers from URI records,
 in addition to SRV records.  URI records can convey TCP and UDP
 servers and master KDC status in a single DNS lookup, and can also
 point to HTTPS proxy servers.

* Add support for password history to the LDAP back end.

* Add support for principal renaming to the LDAP back end.

* Use the getrandom system call on supported Linux kernels to avoid
  blocking problems when getting entropy from the operating system.

* In the PKINIT client, use the correct DigestInfo encoding for PKCS
  #1 signatures, so that some especially strict smart cards will work.

Code quality:

* Clean up numerous compilation warnings.

* Remove various infrequently built modules, including some preauth
  modules that were not built by default.

Developer experience:

* Add support for building with OpenSSL 1.1.

* Use SHA-256 instead of MD5 for (non-cryptographic) hashing of
  authenticators in the replay cache.  This helps sites that must
  build with FIPS 140 conformant libraries that lack MD5.

Protocol evolution:

* Add support for the AES-SHA2 enctypes, which allows sites to conform
  to Suite B crypto requirements.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQGcBAEBAgAGBQJYLMBBAAoJEKMvF/0AVcMFcwkL/RozYHJrWXiw5iSbA6ipdzpu
feotFB2zUZJ12u6xdm4G1FhcioIe4je8hWQE54QvFBZNI5zByEeKK4ZAeEhgsoud
BDRQDIrelByNpHbAROf5WRrw/oqJVM1GLDdToZIzTXJcyvDQtL16RKMVB4CW/N1G
QmEF+DxHNf7ifcxPOy/XcpWt2N4lKE7PAbR/1gG3zS9W0UbBJhzT2NuCSlZkL8Fh
jRjEy8/cd4UKs4RkxrdFUy3OyAEEotBUpyHEK4DaTF1w6EB9qWYqZoY8SpRZORl8
sQDB8OFB4jOJNyRiutIWXt3vGDZ+9bcnh4bZ8gFQbcW0MuPUwoNokDyB6ve8fR2k
w5F7h58zKXx1zNB0cxO99/rziPwxYGwWokNXuhCmAvLJgawn49vlwWVYLlqz81M/
oL6dIwjuU80zvg85GXgRGE6TjNDrZOLn3cnKf3w29w+1jF7oCAl5Ei8EyswGzeru
TlE03oLZc9xpUbNfhIJo3a7y10QnOCTHW41Q2MPR2Q==
=LVK8
-----END PGP SIGNATURE-----

More information about the krbdev mailing list