krb5-1.16-beta2 is available

Greg Hudson ghudson at mit.edu
Mon Nov 27 11:47:42 EST 2017


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MIT krb5-1.16-beta2 is now available for download from

         http://web.mit.edu/kerberos/dist/testing.html

The main MIT Kerberos web page is

         http://web.mit.edu/kerberos/

Please send comments to the krbdev list.  We plan for the final
release to occur in about two months.  The README file contains a more
extensive list of changes.

Major changes in 1.16
---------------------

Administrator experience:

* The KDC can match PKINIT client certificates against the
  "pkinit_cert_match" string attribute on the client principal entry,
  using the same syntax as the existing "pkinit_cert_match" profile
  option.

* The ktutil addent command supports the "-k 0" option to ignore the
  key version, and the "-s" option to use a non-default salt string.

* kpropd supports a --pid-file option to write a pid file at startup,
  when it is run in standalone mode.

* The "encrypted_challenge_indicator" realm option can be used to
  attach an authentication indicator to tickets obtained using FAST
  encrypted challenge pre-authentication.

* Localization support can be disabled at build time with the
  --disable-nls configure option.

Developer experience:

* The kdcpolicy pluggable interface allows modules to control whether
  tickets are issued by the KDC.

* The kadm5_auth pluggable interface allows modules to control whether
  kadmind grants access to a kadmin request.

* The certauth pluggable interface allows modules to control which
  PKINIT client certificates can authenticate to which client
  principals.

* KDB modules can use the client and KDC interface IP addresses to
  determine whether to allow an AS request.

* GSS applications can query the bit strength of a krb5 GSS context
  using the GSS_C_SEC_CONTEXT_SASL_SSF OID with
  gss_inquire_sec_context_by_oid().

* GSS applications can query the impersonator name of a krb5 GSS
  credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with
  gss_inquire_cred_by_oid().

* kdcpreauth modules can query the KDC for the canonicalized requested
  client principal name, or match a principal name against the
  requested client principal name with canonicalization.

Protocol evolution:

* The client library will continue to try pre-authentication
  mechanisms after most failure conditions.

* The KDC will issue trivially renewable tickets (where the renewable
  lifetime is equal to or less than the ticket lifetime) if requested
  by the client, to be friendlier to scripts.

* The client library will use a random nonce for TGS requests instead
  of the current system time.

* For the RC4 string-to-key or PAC operations, UTF-16 is supported
  (previously only UCS-2 was supported).

* When matching PKINIT client certificates, UPN SANs will be matched
  correctly as UPNs, with canonicalization.

User experience:

* Dates after the year 2038 are accepted (provided that the platform
  time facilities support them), through the year 2106.

* Automatic credential cache selection based on the client realm will
  take into account the fallback realm and the service hostname.

* Referral and alternate cross-realm TGTs will not be cached, avoiding
  some scenarios where they can be added to the credential cache
  multiple times.

* A German translation has been added.
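
The year-2038/2106 point above comes from Kerberos timestamps being 32 bits on the wire: once a 32-bit field is read as unsigned rather than signed, it can carry instants up to 2^32 seconds after 1970 (early 2106) instead of stopping in January 2038. The block below is an added illustration of that approach and is not krb5's own code; `krb5_ts`, `ts_to_time`, `ts_later` and the other names are constructed stand-ins, and it assumes a 64-bit `time_t`.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical stand-in for a 32-bit wire timestamp (constructed example). */
typedef int32_t krb5_ts;

/* Convert a 32-bit timestamp to time_t, reading the 32 bits as unsigned so
 * values that would be negative as int32 map to 2038..2106 instead. */
time_t ts_to_time(krb5_ts ts)
{
    return (time_t)(uint32_t)ts;
}

/* Convert time_t to a 32-bit timestamp; anything past 2^32-1 truncates. */
krb5_ts time_to_ts(time_t t)
{
    return (krb5_ts)(uint32_t)t;
}

/* 1 if a is later than b, comparing as unsigned (correct through 2106). */
int ts_later(krb5_ts a, krb5_ts b)
{
    return (uint32_t)a > (uint32_t)b;
}

/* The naive signed comparison, shown for contrast: a timestamp after
 * 2038-01-19 compares as *earlier* than one before it. */
int ts_later_signed(krb5_ts a, krb5_ts b)
{
    return a > b;
}

/* Difference a - b in seconds. Subtracting as unsigned and reinterpreting
 * the result as signed keeps small negative gaps meaningful. */
int32_t ts_delta(krb5_ts a, krb5_ts b)
{
    return (int32_t)((uint32_t)a - (uint32_t)b);
}

/* Calendar year (UTC) of a 32-bit timestamp, or -1 if gmtime_r fails. */
int ts_year(krb5_ts ts)
{
    time_t t = ts_to_time(ts);
    struct tm tm;
    if (gmtime_r(&t, &tm) == NULL)
        return -1;
    return tm.tm_year + 1900;
}

/* Last representable instant: 2^32 - 1 seconds after the epoch (2106). */
time_t ts_max_time(void)
{
    return (time_t)UINT32_MAX;
}

int main(void)
{
    /* Constructed sample instants: one before 2038, one after. */
    krb5_ts before = time_to_ts((time_t)2100000000LL);  /* 2036 */
    krb5_ts after = time_to_ts((time_t)2200000000LL);   /* 2039 */

    printf("after as int32 = %d, as time_t = %lld, year %d\n", (int)after,
           (long long)ts_to_time(after), ts_year(after));
    printf("unsigned compare: after > before = %d\n", ts_later(after, before));
    printf("signed compare:   after > before = %d (wrong)\n",
           ts_later_signed(after, before));
    printf("last representable year: %d\n", ts_year(time_to_ts(ts_max_time())));
    return 0;
}
```

The signed/unsigned contrast is the whole point: the wire field does not change, only the interpretation, which is why the note in the list is conditional on the platform's own time facilities handling dates past 2038.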

Code quality:

* The build is warning-clean under clang with the configured warning
  options.

* The automated test suite runs cleanly under AddressSanitizer.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBWhxBjgy6CFdfg3LfAQKjUg/8DdwV/Z/Xy9USnkRwLiVod82n077o2wTW
bX3eNDBbxKiCKJwuCj84jPZToGN5ekcwrbd7LcSw8+7HX4gS8ZCVQ4WxkkQMJOtq
/BnQL6EqkHkVPVlpu+zJ4X3fwagr0zXeJgFPz2MQSN1WsDrAPrtE7US+gQe1izqu
FWXMepTOoZIb7UUIOh7jZkwnyFjrEg9wl/hMzV7CexevgKgU7VrRjIC8fDy8+av2
C+MLGuTITfL/Y0bsjq7tvK0MyxYqvIb9x+nMkEPwxK3WwcvVW5m8Ad5AiUNAzNhu
5XV3USuCrGjHfCI+ueoi1UN5dS6XxGLLzfr7lPXpQxaNnLwo/TUD5HZdwIJ8qRac
7vwC6EwjxGGuwBqc8d2OONcH01KUeWQ+HNYA3P+T8KziqDcltZGnpnSAgIy0eHYi
m4vJg2THf402P+LeGLx3VZ1zwxVAnm7hoAaHQn+m/ifodyEHY0bqriDl9tZzFqt3
ONJ5QGGKi264m8w0gpJFxlmL73c24+0zTXUa5HRQvsZ8LLIAo9WvNS1ofWPo6qNF
xgtXdQChiWEIrIbW+dfbwt//+KUCZALDn8J/r65Gk5xDH4aOlv6wBMCZr+3KXnj/
w28G4fxrutTjrS+COtgxkhqWc3yh+FcQ52Luysm28Q+C4n14C/N3pxMfGtquzPWl
BRcqn3oo/8Q=
=BK4f
-----END PGP SIGNATURE-----

