krb5-1.18-beta2 is available

Greg Hudson ghudson at mit.edu
Mon Jan 27 16:32:15 EST 2020


MIT krb5-1.18-beta2 is now available for download from

         https://web.mit.edu/kerberos/dist/testing.html

The main MIT Kerberos web page is

         https://web.mit.edu/kerberos/

Please send comments to the krbdev list.  We plan for the final
release to occur in early February.  The README file contains a more
extensive list of changes.

Major changes in 1.18
---------------------

Administrator experience:

* Remove support for single-DES encryption types.

* Change the replay cache format to be more efficient and robust.
  Replay cache filenames using the new format end with ".rcache2" by
  default.

* setuid programs will automatically ignore environment variables that
  normally affect krb5 API functions, even if the caller does not use
  krb5_init_secure_context().

* Add an "enforce_ok_as_delegate" krb5.conf relation to disable
  credential forwarding during GSSAPI authentication unless the KDC
  sets the ok-as-delegate bit in the service ticket.

* Use the permitted_enctypes krb5.conf setting as the default value
  for default_tkt_enctypes and default_tgs_enctypes.
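As an added illustration (not part of the original announcement), the two administrator-facing krb5.conf changes above look like this in a [libdefaults] section. The enctype list and the realm layout are constructed for the example; the relation names permitted_enctypes and enforce_ok_as_delegate are the ones the notes describe.

```ini
[libdefaults]
    # Before 1.18 an old installation might still have listed single-DES
    # enctypes; 1.18 removes single-DES support, so drop them:
    # permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des-cbc-crc des-cbc-md5

    # After: modern enctypes only.  In 1.18 this list is also the default
    # for default_tkt_enctypes and default_tgs_enctypes, so those two
    # relations no longer need to be repeated.
    permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

    # Only forward credentials during GSSAPI authentication when the KDC
    # set the ok-as-delegate flag in the service ticket.
    enforce_ok_as_delegate = true
```

With enforce_ok_as_delegate set, a client that requests delegation to a service whose ticket lacks ok-as-delegate simply does not send a forwarded TGT, so delegation policy is decided centrally at the KDC rather than by each client.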

Developer experience:

* Implement krb5_cc_remove_cred() for all credential cache types.

* Add the krb5_pac_get_client_info() API to get the client account
  name from a PAC.

Protocol evolution:

* Add KDC support for S4U2Self requests where the user is identified
  by X.509 certificate.  (Requires support for certificate lookup from
  a third-party KDB module.)

* Remove support for an old ("draft 9") variant of PKINIT.

* Add support for Microsoft NegoEx.  (Requires one or more third-party
  GSS modules implementing NegoEx mechanisms.)

* Honor the transited-policy-checked ticket flag on application
  servers, eliminating the requirement to configure capaths on
  servers in some scenarios.

User experience:

* Add support for "dns_canonicalize_hostname=fallback", causing
  host-based principal names to be tried first without DNS
  canonicalization, and again with DNS canonicalization if the
  un-canonicalized server is not found.

* Expand single-component hostnames in host-based principal names
  when DNS canonicalization is not used, adding the system's first DNS
  search path as a suffix.  Add a "qualify_shortname" krb5.conf
  relation to override this suffix or disable expansion.
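The following Python model, added here and not taken from libkrb5, shows how the two user-experience settings above interact when a client builds a host-based service principal: which host names are tried, in what order, and how qualify_shortname changes the expansion. The mapping of setting values to behaviour (qualify_shortname unset uses the first DNS search path, an empty value disables expansion, any other value is used as the suffix) is an assumption drawn from the description in the notes; the DNS table is constructed for the example.

```python
# Added example: a model of host-name selection for host-based principals
# under dns_canonicalize_hostname and qualify_shortname (krb5 1.18 semantics
# as described in the release notes; not libkrb5 code).
from typing import Callable, List, Optional

# Constructed stand-in for DNS canonicalization.  Names missing from the
# table are treated as hosts that DNS cannot resolve.
_FAKE_DNS = {
    "db1": "db1.corp.example.com",
    "db1.corp.example.com": "db1.corp.example.com",
    "www": "web-farm.corp.example.com",
}


def fake_canonicalize(host: str) -> Optional[str]:
    """Pretend forward lookup: return the canonical name or None."""
    return _FAKE_DNS.get(host.lower())


def qualify_shortname(host: str, first_search_domain: str,
                      qualify_setting: Optional[str]) -> str:
    """Expand a single-component hostname without consulting DNS.

    qualify_setting None -> append the system's first DNS search path (default)
    qualify_setting ""   -> expansion disabled
    anything else        -> append that suffix
    Names that already contain a dot are returned unchanged.
    """
    if "." in host:
        return host
    suffix = first_search_domain if qualify_setting is None else qualify_setting
    return f"{host}.{suffix}" if suffix else host


def candidate_hosts(host: str, dns_canonicalize_hostname: str,
                    first_search_domain: str = "corp.example.com",
                    qualify_setting: Optional[str] = None,
                    canonicalize: Callable[[str], Optional[str]] = fake_canonicalize,
                    ) -> List[str]:
    """Return the host names tried, in order, for a host-based principal.

    "true"     -> DNS canonical name only (pre-1.18 default behaviour)
    "false"    -> no DNS; shortname expansion only
    "fallback" -> un-canonicalized (expanded) name first, then the DNS
                  canonical name if it differs
    """
    mode = dns_canonicalize_hostname.lower()
    if mode not in ("true", "false", "fallback"):
        raise ValueError(f"bad dns_canonicalize_hostname: {dns_canonicalize_hostname!r}")
    local = qualify_shortname(host, first_search_domain, qualify_setting)
    canon = canonicalize(host)
    if mode == "true":
        # Assumption: if lookup fails, the name is used as given.
        return [canon or host]
    if mode == "false":
        return [local]
    tried = [local]
    if canon and canon.lower() != local.lower():
        tried.append(canon)
    return tried


def service_principals(service: str, host: str, realm: str, **kw) -> List[str]:
    """Render the candidate principals a client would look for, in order."""
    return [f"{service}/{h}@{realm}" for h in candidate_hosts(host, **kw)]


if __name__ == "__main__":
    for mode in ("true", "false", "fallback"):
        print(mode, service_principals("host", "www", "EXAMPLE.COM",
                                       dns_canonicalize_hostname=mode))
```

The interesting case is "fallback" with a CNAME-style host such as "www": the client first looks for host/www.corp.example.com (the name the administrator typed, qualified without DNS), and only if that server is unknown does it try the DNS-canonicalized host/web-farm.corp.example.com. Setting qualify_shortname to an empty string keeps the bare shortname, which is what an environment that registers unqualified principals would want.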

Code quality:

* The libkrb5 serialization code (used to export and import krb5 GSS
  security contexts) has been simplified and made type-safe.

* The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
  messages has been revised to conform to current coding practices.

* The test suite has been modified to work with macOS System Integrity
  Protection enabled.

* The test suite incorporates soft-pkcs11 so that PKINIT PKCS11
  support can always be tested.