krb5-1.15-beta1 is available

Wang Weijun weijun.wang at oracle.com
Sat Oct 22 21:41:41 EDT 2016


Typo? http://web.mit.edu/kerberos/dist/testing.html shows "MIT Kerberos 5 Release 1.15 beta 2".

--Max

> On Oct 21, 2016, at 4:15 AM, Tom Yu <tlyu at mit.edu> wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> MIT krb5-1.15-beta1 is now available for download from
> 
>         http://web.mit.edu/kerberos/dist/testing.html
> 
> The main MIT Kerberos web page is
> 
>         http://web.mit.edu/kerberos/
> 
> Please send comments to the krbdev list.  We plan for the final release
> to occur in about a month.  The README file contains a more extensive
> list of changes.
> 
> Major changes in 1.15
> =====================
> 
> Administrator experience:
> 
> * Add support to kadmin for remote extraction of current keys without
>  changing them (requires a special kadmin permission that is excluded
>  from the wildcard permission), with the exception of highly
>  protected keys.
> 
> * Add a lockdown_keys principal attribute to prevent retrieval of the
>  principal's keys (old or new) via the kadmin protocol.  In newly
>  created databases, this attribute is set on the krbtgt and kadmin
>  principals.
> 
> * Restore recursive dump capability for DB2 back end, so sites can
>  more easily recover from database corruption resulting from power
>  failure events.
> 
> * Add DNS auto-discovery of KDC and kpasswd servers from URI records,
>  in addition to SRV records.  URI records can convey TCP and UDP
>  servers and master KDC status in a single DNS lookup, and can also
>  point to HTTPS proxy servers.
> 
> * Add support for password history to the LDAP back end.
> 
> * Add support for principal renaming to the LDAP back end.
> 
> * Use the getrandom system call on supported Linux kernels to avoid
>  blocking problems when getting entropy from the operating system.
> 
> Code quality:
> 
> * Clean up numerous compilation warnings.
> 
> * Remove various infrequently built modules, including some preauth
>  modules that were not built by default.
> 
> Developer experience:
> 
> * Add support for building with OpenSSL 1.1.
> 
> * Use SHA-256 instead of MD5 for (non-cryptographic) hashing of
>  authenticators in the replay cache.  This helps sites that must
>  build with FIPS 140 conformant libraries that lack MD5.
> 
> Protocol evolution:
> 
> * Add support for the AES-SHA2 enctypes, which allows sites to conform
>  to Suite B crypto requirements.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> 
> -----END PGP SIGNATURE-----