From ghudson at mit.edu Tue Jun 6 01:06:32 2023
From: ghudson at mit.edu (Greg Hudson)
Date: Tue, 06 Jun 2023 01:06:32 -0400
Subject: krb5-1.21 is released
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.21. Please see below for a list of some major changes
included, or consult the README file in the source tree for a more
detailed list of significant changes.

RETRIEVING KERBEROS 5 RELEASE 1.21
==================================

You may retrieve the Kerberos 5 Release 1.21 source from the following
URL:

    https://kerberos.org/dist/

The homepage for the krb5-1.21 release is:

    https://web.mit.edu/kerberos/krb5-1.21/

Further information about Kerberos 5 may be found at the following URL:

    https://web.mit.edu/kerberos/

and at the MIT Kerberos Consortium web site:

    https://www.kerberos.org/

PAC transitions
===============

Beginning with release 1.20, the KDC will include minimal PACs in
tickets instead of AD-SIGNEDPATH authdata. S4U requests (protocol
transition and constrained delegation) must now contain valid PACs in
the incoming tickets.

Beginning with release 1.21, service ticket PACs will contain a new KDC
checksum buffer, to mitigate a hash collision attack against the old
KDC checksum.

If only some KDCs in a realm have been upgraded across versions 1.20 or
1.21, the upgraded KDCs will reject S4U requests containing tickets
from non-upgraded KDCs and vice versa.

Triple-DES and RC4 transitions
==============================

Beginning with the krb5-1.21 release, the KDC will not issue tickets
with triple-DES or RC4 session keys unless explicitly configured using
the new allow_des3 and allow_rc4 variables in [libdefaults]. To
facilitate the negotiation of session keys, the KDC will assume that
all services can handle aes256-sha1 session keys unless the service
principal has a session_enctypes string attribute.

Beginning with the krb5-1.19 release, a warning will be issued if
initial credentials are acquired using the des3-cbc-sha1 encryption
type. Beginning with the krb5-1.21 release, a warning will also be
issued for the arcfour-hmac encryption type. In future releases, these
encryption types will be disabled by default and eventually removed.

Beginning with the krb5-1.18 release, all support for single-DES
encryption types has been removed.

Major changes in 1.21 (2023-06-05)
==================================

User experience:

* Added a credential cache type providing compatibility with the macOS
  11 native credential cache.

Developer experience:

* libkadm5 will use the provided krb5_context object to read
  configuration values, instead of creating its own.

* Added an interface to retrieve the ticket session key from a GSS
  context.

Protocol evolution:

* The KDC will no longer issue tickets with RC4 or triple-DES session
  keys unless explicitly configured with the new allow_rc4 or
  allow_des3 variables respectively.

* The KDC will assume that all services can handle aes256-sha1 session
  keys unless the service principal has a session_enctypes string
  attribute.

* Support for PAC full KDC checksums has been added to mitigate an
  S4U2Proxy privilege escalation attack.

* The PKINIT client will advertise a more modern set of supported CMS
  algorithms.

Code quality:

* Removed unused code in libkrb5, libkrb5support, and the PKINIT
  module.

* Modernized the KDC code for processing TGS requests, the code for
  encrypting and decrypting key data, the PAC handling code, and the
  GSS library packet parsing and composition code.

* Improved the test framework's detection of memory errors in daemon
  processes when used with asan.

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmR+vpAACgkQDLoIV1+D
ct9UkxAAy2RjigQHq5EflPJBfRWUB6olwpOJRoNKWL17iUKoRh4ZtJe7pUt1dcdQ
8W/3p1oTgnk1yWMkUQCP2RR5YlmmTllB+/umUjwBQzvFtvjTfoWhvURVsJbTfyi1
SN4tUKvPlizd6dNM/08ad9A4IN7LD+8qlP1k6qgjzL0eXYHrMoDXYXZNUmi/Ekse
VdHnW9ols1P6rqSfD5x86r8QoflYbAit4tylOf6xAfDeBuQiJmEvl0fYkRGr6gGJ
Gaep55XZcgxKisyHuJZh5w7+iE9FiZff5xsGKBxT/BzdUWoI+6Wot9CWnMcaHjaO
Eg9ohgfk3dY9XH5SsG0Xzb7yrRSy2zeuGHoB+GfeUx8vFBGYCxApmpV89zX/5g75
FVOd5TPCuZrfR0hbBwHrKAPE3/WEslRU5zTduHEK38IGQ9++YxuphH6W9/aYBiHJ
9Dzcn5G7W9o5r3WL967/CfH6BHispTYoE07CQfjL22cb9euwD44UdLS/g1qijbED
MlEaC45afN3aXAPSV+D4fPe/7d/5iYAc5BT6U+P/hlZkJOAIOLPMM+FeaHW6gGKy
x+Ip5I45i2ZVc+b8OUI3jXonYRIg5ADxbvZt2Eu4WYFd22ipEyjwQCBqaXuXWE0P
VRgX11z1iZjKdAZcwzaDfyzXO6Una+CVfsKf6i2wKdTJrSAnVUQ=
=CUot
-----END PGP SIGNATURE-----

_______________________________________________
kerberos-announce mailing list
kerberos-announce at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos-announce
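For the triple-DES and RC4 transition described in the announcement, the following krb5.conf fragment is an added illustration, not part of the announcement or of the MIT krb5 distribution. It shows the relevant [libdefaults] variables (allow_des3 and allow_rc4, both of which the announcement says default to off) left at their secure defaults, and the per-principal alternative the announcement mentions: a session_enctypes string attribute on the one service that cannot take an aes256-sha1 session key, set with kadmin's set_string (setstr) command. The realm name EXAMPLE.COM and the principal host/legacy.example.com are placeholders chosen for this example.

```ini
# /etc/krb5.conf (illustrative fragment, not from the announcement)

[libdefaults]
    default_realm = EXAMPLE.COM

    # krb5-1.21 defaults: the KDC refuses to issue tickets with
    # triple-DES or RC4 session keys. Leave these at false; set one
    # to true only as a realm-wide last resort, since it re-enables
    # the weak session key type for every service in the realm.
    allow_des3 = false
    allow_rc4 = false

    # Clients still obtaining initial credentials with these types
    # get a warning from 1.19 (des3-cbc-sha1) and 1.21 (arcfour-hmac);
    # keep them out of the permitted list on modern hosts.
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }

# Per-service alternative to the realm-wide switch above. The KDC
# assumes every service accepts aes256-sha1 session keys unless the
# service principal carries a session_enctypes string attribute, so
# a single service that only handles AES-128 is told so on its own
# principal (run with kadmin; placeholder principal name):
#
#   kadmin -q "setstr host/legacy.example.com session_enctypes aes128-cts-hmac-sha1-96"
#
# and the attribute can be inspected with:
#
#   kadmin -q "getstrs host/legacy.example.com"
```

The point of keeping allow_des3 and allow_rc4 unset is that they are realm-wide: flipping either one reintroduces the weak session key type for every service ticket the KDC issues, whereas session_enctypes scopes the exception to the one principal that needs it and can be removed again with kadmin's delstr once that service is upgraded.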