krb5-1.20-beta1 is available

Greg Hudson ghudson at mit.edu
Fri Mar 25 10:59:27 EDT 2022


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

MIT krb5-1.20-beta1 is now available for download from

         https://kerberos.org/dist/testing.html

The main MIT Kerberos web page is

         https://web.mit.edu/kerberos/

Please send comments to the krbdev list.  We plan for the final
release to occur in about two months.  The README file contains a more
extensive list of changes.

PAC transition
- --------------

Beginning with release 1.20, the KDC will include minimal PACs in
tickets instead of AD-SIGNEDPATH authdata.  S4U requests (protocol
transition and constrained delegation) must now contain valid PACs in
the incoming tickets.  If only some KDCs in a realm have been upgraded
across version 1.20, the upgraded KDCs will reject S4U requests
containing tickets from non-upgraded KDCs and vice versa.

Major changes in 1.20
- ---------------------

Administrator experience:

* Added a "disable_pac" realm relation to suppress adding PAC authdata
  to tickets, for realms which do not need to support S4U requests.

* Most credential cache types will use atomic replacement when a cache
  is reinitialized using kinit or refreshed from the client keytab.

* kprop can now propagate databases with a dump size larger than 4GB,
  if both the client and server are upgraded.

* kprop can now work over NATs that change the destination IP address,
  if the client is upgraded.

Developer experience:

* Updated the KDB interface.  The sign_authdata() method is replaced
  with the issue_pac() method, allowing KDB modules to add logon info
  and other buffers to the PAC issued by the KDC.

* Host-based initiator names are better supported in the GSS krb5
  mechanism.

Protocol evolution:

* Replaced AD-SIGNEDPATH authdata with minimal PACs.

* To avoid spurious replay errors, password change requests will not
  be attempted over UDP until the attempt over TCP fails.

* PKINIT will sign its CMS messages with SHA-256 instead of SHA-1.

Code quality:

* Updated all code using OpenSSL to be compatible with OpenSSL 3.

* Reorganized the libk5crypto build system to allow the OpenSSL
  back-end to pull in material from the builtin back-end depending on
  the OpenSSL version.

* Simplified the PRNG logic to always use the platform PRNG.

* Converted the remaining Tcl tests to Python.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmI92IIACgkQDLoIV1+D
ct91dxAAyUaxC/7fJAD3Qj3AX2UeBxxXzRvqY7C79blZvDAV/soNxQBQ+ubOT5dq
DWv4H0K87MB/4JXh+z/bICusFL+VLXkMjua5LaXJSxvEwH010paVnnO7VEbdOppv
I5/auzs4EGCZB7ZWYOLn2CY3ECKpyJI0mwMfd8oHZ8TrtmQmtv2GoTDbQOayuf1w
VWNbSoAPVdZ9mBy6hm4DXCkyPWNRzhn5ie1jEeMeKkPHgvqh+pWXHklJBhgxX0eN
8JzDMQSq1/9d/7JKrW0jpVj0h/10DPkbG3oeOWAeHVoxlb9CMoJAdaGB6kfPcnCi
UsCev0XXPvhwUefei9pa83pa35Bsps/xvgrcQT5/vz3i8/pRMyqJU4JAnDs2RBTI
H9SnanawohgxMN884ZzKIphgVQHe04xc4J9xJPIZxIhHnAlYoaseGcth/io2vyAM
nNEEIJI00QItRiOh8DmhmNUxovBGycErABRYaJ0exq4G9LWpQc6zFisZCOMnuys4
m8MPciPm/NR3m7GhepfnLI1hKH6OFytZ4tIF3HkascNnUsdWrcJ22tfINE5HaKxG
qtIdz+GRojvoxMYxGhG23NmjyM8uAVOV2l9AqwyOfK7eguU8ktb5nDm7owB+yoVH
G1U3+GUiSlKo1cKgS+TmsRbOViZzV7hKWRbskD90Dwzvfkzojj0=
=siIt
-----END PGP SIGNATURE-----
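
As an added illustration, not part of Greg Hudson's announcement or the krb5 distribution: a kdc.conf [realms] section showing a realm that keeps the new default (minimal PACs issued, S4U supported) beside one that sets the disable_pac relation introduced in 1.20. The realm names and file paths are placeholders.

```ini
[realms]
    # Default behaviour in 1.20: tickets carry a minimal PAC in place
    # of AD-SIGNEDPATH, so protocol transition and constrained
    # delegation (S4U) can be served.  Realm name and paths are
    # placeholders chosen for this example.
    CORP.EXAMPLE.COM = {
        database_name = /var/krb5kdc/principal
        acl_file = /var/krb5kdc/kadm5.acl
        key_stash_file = /var/krb5kdc/.k5.CORP.EXAMPLE.COM
        kdc_ports = 88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
    }

    # A realm that never needs S4U: suppress PAC authdata entirely.
    # Since 1.20 requires a valid PAC in the incoming ticket of every
    # S4U request, such requests cannot be served for this realm.
    LAB.EXAMPLE.COM = {
        disable_pac = true
        database_name = /var/krb5kdc/lab-principal
        acl_file = /var/krb5kdc/lab-kadm5.acl
        key_stash_file = /var/krb5kdc/.k5.LAB.EXAMPLE.COM
        kdc_ports = 88
    }
```

All KDCs serving a realm should be upgraded together and share the same setting: as the announcement notes, a mixture of upgraded and non-upgraded KDCs rejects each other's tickets in S4U requests, and disable_pac only fits a realm that will not need protocol transition or constrained delegation.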

