krb5-1.17-beta1 is available

Greg Hudson ghudson at mit.edu
Wed Oct 31 18:35:13 EDT 2018 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MIT krb5-1.17-beta1 is now available for download from

         http://web.mit.edu/kerberos/dist/testing.html

The main MIT Kerberos web page is

         http://web.mit.edu/kerberos/

Please send comments to the krbdev list.  We plan for the final
release to occur in about two months.  The README file contains a more
extensive list of changes.

Feedback based on experiences with the SPAKE pre-authentication
mechanism and the LMDB-based KDB module would be greatly appreciated,
as it will help us decide when these features are ready to become
defaults in a future release.  Please send feedback to krbdev at mit.edu
during the 1.17 testing period.

Major changes in 1.17
- ---------------------

Administrator experience:

* A new Kerberos database module using the Lightning Memory-Mapped
  Database library (LMDB) has been added.  The LMDB KDB module should
  be more performant and more robust than the DB2 module, and may
  become the default module for new databases in a future release.

* "kdb5_util dump" will no longer dump policy entries when specific
  principal names are requested.

Developer experience:

* The new krb5_get_etype_info() API can be used to retrieve enctype,
  salt, and string-to-key parameters from the KDC for a client
  principal.

* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
  principal names to be used with GSS-API functions.

* KDC and kadmind modules which call com_err() will now write to the
  log file in a format more consistent with other log messages.

* Programs which use large numbers of memory credential caches should
  perform better.

Protocol evolution:

* The SPAKE pre-authentication mechanism is now supported.  This
  mechanism protects against password dictionary attacks without
  requiring any additional infrastructure such as certificates.  SPAKE
  is enabled by default on clients, but must be manually enabled on
  the KDC for this release.

* PKINIT freshness tokens are now supported.  Freshness tokens can
  protect against scenarios where an attacker uses temporary access to
  a smart card to generate authentication requests for the future.

* Password change operations now prefer TCP over UDP, to avoid
  spurious error messages about replays when a response packet is
  dropped.

* The KDC now supports cross-realm S4U2Self requests when used with a
  third-party KDB module such as Samba's.  The client code for
  cross-realm S4U2Self requests is also now more robust.

User experience:

* The new ktutil addent -f flag can be used to fetch salt information
  from the KDC for password-based keys.

* The new kdestroy -p option can be used to destroy a credential cache
  within a collection by client principal name.

* The Kerberos man page has been restored, and documents the
  environment variables that affect programs using the Kerberos
  library.

Code quality:

* Python test scripts now use Python 3.

* Python test scripts now display markers in verbose output, making it
  easier to find where a failure occurred within the scripts.

* The Windows build system has been simplified and updated to work
  with more recent versions of Visual Studio.  A large volume of
  unused Windows-specific code has been removed.  Visual Studio 2013
  or later is now required.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJb2iyrAAoJEAy6CFdfg3LfdFcQAMttpCi6JOaAsrfSIM1OLBbk
g3WAS5JlTT3ViI1lKwZ9O8mUKLqvpAj+FLSndQVIrStIlvtnpnvKb5cqXz0g2sPn
4fLUWuKBiF4qhtomx9WFdcBgYUhasCtj5gNqMsRbgOONEUjvVkcWr5qhx2on9FLZ
fc0c7slhvhsVCoD+4ZYGd8uyE9bF1J0tD+pnBaNsTt6lfRcx1IlKkxOzNXPkvpzk
+YF9f6R33gn4TLgmcfmnGcURB9SFzUlTsTYNV/q80WE64fAtz1Tzj39Chv50NKWw
O5qhC/GOeD/uzNrjgVU5PJHIxxpSY9mbbbRtiUr8EVwv1pJe8H1q5C6baPDGvnvd
+Gke2TfV48UzBB0EJ70BXn+uUHRR0Ch2kNMzNbRZWWAYeNGvb078qUwlIYE4wLno
BxkB0wjDHCKPwB09//MsWKtFDczGNtmfTnMgNTnKmE9QFkhxEamB9cR4hjyPp1pc
rUkKBX+jLy1iRp6ZvyQ0QoJbJIKxhoVpW3Y4PSwdbxt3MmDGNHL2V3qmtsnWQK6Y
p9Lex9eIAMi6+Yx/dOH9VjG2Ehk/CSyneVmrZvQad+LgJa9x1e4uUQKnvlC4302y
Fbuqk28g8/ZEpEyHWwrHUgkjVqJn50obCzmUYUkPms8VoQJEFKfzEk+49sdKcMpj
Fd+rI+Xa3f/8gJbI8MBT
=A4mJ
-----END PGP SIGNATURE-----

More information about the krbdev mailing list