krb5-1.21-beta1 is available

Greg Hudson ghudson at mit.edu
Mon Apr 17 11:48:21 EDT 2023


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

MIT krb5-1.21-beta1 is now available for download from

         https://kerberos.org/dist/testing.html

The main MIT Kerberos web page is

         https://web.mit.edu/kerberos/

Please send comments to the krbdev list.  We plan for the final
release to occur in about two months.  The README file contains a more
extensive list of changes.

PAC transitions
---------------

Beginning with release 1.20, the KDC will include minimal PACs in
tickets instead of AD-SIGNEDPATH authdata.  S4U requests (protocol
transition and constrained delegation) must now contain valid PACs in
the incoming tickets.  Beginning with release 1.21, service ticket
PACs will contain a new KDC checksum buffer, to mitigate a hash
collision attack against the old KDC checksum.  If only some KDCs in a
realm have been upgraded across versions 1.20 or 1.21, the upgraded
KDCs will reject S4U requests containing tickets from non-upgraded
KDCs and vice versa.

Triple-DES and RC4 transitions
------------------------------

Beginning with the krb5-1.21 release, the KDC will not issue tickets
with triple-DES or RC4 session keys unless explicitly configured using
the new allow_des3 and allow_rc4 variables in [libdefaults].  To
facilitate the negotiation of session keys, the KDC will assume that
all services can handle aes256-sha1 session keys unless the service
principal has a session_enctypes string attribute.
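As an added illustration (not part of this announcement or of the krb5
distribution), the following krb5.conf fragment shows the 1.21 default
beside the explicit opt-in for a realm that still has one RC4-only
service.  The realm name, the principal name and the kadmin invocation
in the note below it are assumptions made for the example.

```ini
# Added example krb5.conf fragment (assumed realm EXAMPLE.COM); not taken
# from the announcement or the krb5 source tree.

[libdefaults]
    default_realm = EXAMPLE.COM

    # 1.21 default: both variables are false when absent, so the KDC
    # issues no RC4 or triple-DES session keys.  Leaving them out is the
    # hardened configuration; they are shown commented out for contrast.
    #allow_rc4 = false
    #allow_des3 = false

    # Weak opt-in: only set while a legacy RC4-only service remains.  With
    # it present, the KDC may again issue rc4-hmac session keys wherever a
    # client and a service both offer that enctype.  Remove it once the
    # legacy service is retired.
    allow_rc4 = true
```

Pair the global opt-in with a per-service restriction rather than relying
on the KDC's assumption that every service handles aes256-sha1 session
keys: for the one legacy service, set the string attribute with
`kadmin -q "set_string legacy/host.example.com session_enctypes rc4-hmac"`
(assumed principal name), leave the attribute unset on all other
principals, and audit with `get_strings`.  Note that the two settings
must be changed together: a service whose session_enctypes lists only
rc4-hmac on a KDC where allow_rc4 is false leaves the KDC with no
permitted session key enctype, so ticket issuance for that service fails
rather than silently falling back.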

Beginning with the krb5-1.19 release, a warning will be issued if
initial credentials are acquired using the des3-cbc-sha1 encryption
type.  Beginning with the krb5-1.21 release, a warning will also be
issued for the arcfour-hmac encryption type.  In future releases,
these encryption types will be disabled by default and eventually
removed.

Beginning with the krb5-1.18 release, all support for single-DES
encryption types has been removed.

Major changes in 1.21
---------------------

User experience:

* Added a credential cache type providing compatibility with the macOS
  11 native credential cache.

Developer experience:

* libkadm5 will use the provided krb5_context object to read
  configuration values, instead of creating its own.

* Added an interface to retrieve the ticket session key from a GSS
  context.

Protocol evolution:

* The KDC will no longer issue tickets with RC4 or triple-DES session
  keys unless explicitly configured with the new allow_rc4 or
  allow_des3 variables respectively.

* The KDC will assume that all services can handle aes256-sha1 session
  keys unless the service principal has a session_enctypes string
  attribute.

* Support for PAC full KDC checksums has been added to mitigate an
  S4U2Proxy privilege escalation attack.

* The PKINIT client will advertise a more modern set of supported CMS
  algorithms.

Code quality:

* Removed unused code in libkrb5, libkrb5support, and the PKINIT
  module.

* Modernized the KDC code for processing TGS requests, the code for
  encrypting and decrypting key data, the PAC handling code, and the
  GSS library packet parsing and composition code.

* Improved the test framework's detection of memory errors in daemon
  processes when used with asan.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmQ9ahAACgkQDLoIV1+D
ct9KDRAAk+fuIxbTB5gstoORUf8qF1JL7jeW9NgC7rJLkQNuEPBFdKgiHOQjrdOJ
kvhuCuAN8kb3hTOh1vklT1Ed86RZyS02rbkoXq/DHZcrA4rfeIPl4jHOFHrhm2zD
uLyzvvUCWO2IRADuGmk6V2NqROZhuCdusVvTMDM0funegovfUTSiBwPgiIV7Xpe0
YfclCQA88pEu8O/nrClFdAovh7AH3xbmfCVs59FjI8luHeN59moFORBzO8otLWx8
Q3HBlnuUvSdgA4SrCvzfzJcnLKlIAHlS12sd20ELuub9YEuRmyllYRQampsRgU5+
yOJCMXU1qRmq/gG3iFE5EQq3DxjuwyyY91gAikkNWLRURXmVjdhPvrpfp7hBTe5V
pkEz8RZg4IYw6pJ/XA8NkMZpKH1V+YXF9TgOZpsrGArwfEltl14k/6wmzgvo1V/Q
UPlAR4h9Dmii1sct+JeOYeLfK8v1d9NkaQFQWpm5qO3ah6l27vSy7eMx/1qy9Fc6
9HTC3c/RZ02Xec+ZcjxgbdMSfXq/hRaJ7zdLhWKeYZoZcJx0nL8i6GjBIMxBRidp
EboXYTYsSplrWnJf86c/ao6Xs6U2OASXke+aqYkrevRKvF+ELWJMAHMUxZq6sY0l
e1hnY0J8MUiK2lIzpGY9/Ilqa2eWyn8F4tk/GGwf5gt+gefGaFo=
=31ed
-----END PGP SIGNATURE-----