krb5-1.18-beta1 is available
Greg Hudson
ghudson at mit.edu
Thu Jan 9 11:49:36 EST 2020
MIT krb5-1.18-beta1 is now available for download from
https://web.mit.edu/kerberos/dist/testing.html
The main MIT Kerberos web page is
https://web.mit.edu/kerberos/
Please send comments to the krbdev list. We plan for the final
release to occur in about one month. The README file contains a more
extensive list of changes.
Major changes in 1.18
---------------------
Administrator experience:
* Remove support for single-DES encryption types.
* Change the replay cache format to be more efficient and robust.
Replay cache filenames using the new format end with ".rcache2" by
default.
* setuid programs will automatically ignore environment variables that
normally affect krb5 API functions, even if the caller does not use
krb5_init_secure_context().
* Add an "enforce_ok_as_delegate" krb5.conf relation to disable
credential forwarding during GSSAPI authentication unless the KDC
sets the ok-as-delegate bit in the service ticket.
Developer experience:
* Implement krb5_cc_remove_cred() for all credential cache types.
* Add the krb5_pac_get_client_info() API to get the client account
name from a PAC.
Protocol evolution:
* Add KDC support for S4U2Self requests where the user is identified
by X.509 certificate. (Requires support for certificate lookup from
a third-party KDB module.)
* Remove support for an old ("draft 9") variant of PKINIT.
* Add support for Microsoft NegoEx. (Requires one or more third-party
GSS modules implementing NegoEx mechanisms.)
User experience:
* Add support for "dns_canonicalize_hostname=fallback", causing
host-based principal names to be tried first without DNS
canonicalization, and again with DNS canonicalization if the
un-canonicalized server is not found.
* Expand single-component hostnames in host-based principal names
when DNS canonicalization is not used, adding the system's first DNS
search path as a suffix. Add a "qualify_shortname" krb5.conf
relation to override this suffix or disable expansion.
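As an added illustration (not part of the announcement, and not a file shipped by the MIT krb5 project), the three krb5.conf relations named in this announcement can be set together in the [libdefaults] section. The realm and suffix values below are placeholders; the relation names and value forms are the ones the release notes describe.

```ini
# Added example, not from the announcement: illustrative [libdefaults]
# settings for the krb5.conf relations introduced or changed in 1.18.
[libdefaults]
    # Placeholder realm for illustration only.
    default_realm = EXAMPLE.COM

    # Refuse to forward credentials during GSSAPI authentication unless
    # the KDC set the ok-as-delegate bit in the service ticket, so a
    # client application asking for delegation on its own is not enough.
    enforce_ok_as_delegate = true

    # Try host-based principal names without DNS canonicalization first,
    # and retry with canonicalization only if the un-canonicalized
    # service principal is not found.
    dns_canonicalize_hostname = fallback

    # Suffix appended to single-component hostnames when DNS
    # canonicalization is not used; this overrides the default of the
    # system's first DNS search path. An empty value disables expansion.
    qualify_shortname = example.com
```

Comments in krb5.conf must sit on their own lines, as above; the profile parser does not treat a `#` after a value as the start of a comment.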
Code quality:
* The libkrb5 serialization code (used to export and import krb5 GSS
security contexts) has been simplified and made type-safe.
* The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
messages has been revised to conform to current coding practices.
* The test suite has been modified to work with macOS System Integrity
Protection enabled.
* The test suite incorporates soft-pkcs11 so that PKINIT PKCS11
support can always be tested.