From ghudson at mit.edu Thu May 8 13:07:32 2025
From: ghudson at mit.edu (Greg Hudson)
Date: Thu, 08 May 2025 13:07:32 -0400
Subject: krb5-1.22-beta1 is available
Message-ID:

MIT krb5-1.22-beta1 is now available for download from

https://kerberos.org/dist/testing.html

The main MIT Kerberos web page is https://web.mit.edu/kerberos/

Please send comments to the krbdev list. We plan for the final release to occur in about two months.

The README file contains a more extensive list of changes.

PAC transitions
---------------

Beginning with release 1.20, the KDC will include minimal PACs in tickets instead of AD-SIGNEDPATH authdata. S4U requests (protocol transition and constrained delegation) must now contain valid PACs in the incoming tickets.

Beginning with release 1.21, service ticket PACs will contain a new KDC checksum buffer, to mitigate a hash collision attack against the old KDC checksum.

If only some KDCs in a realm have been upgraded across versions 1.20 or 1.21, the upgraded KDCs will reject S4U requests containing tickets from non-upgraded KDCs and vice versa.

Triple-DES and RC4 transitions
------------------------------

Beginning with the krb5-1.21 release, the KDC will not issue tickets with triple-DES or RC4 session keys unless explicitly configured using the new allow_des3 and allow_rc4 variables in [libdefaults]. To facilitate the negotiation of session keys, the KDC will assume that all services can handle aes256-sha1 session keys unless the service principal has a session_enctypes string attribute.

Beginning with the krb5-1.19 release, a warning will be issued if initial credentials are acquired using the des3-cbc-sha1 encryption type. Beginning with the krb5-1.21 release, a warning will also be issued for the arcfour-hmac encryption type. In future releases, these encryption types will be disabled by default and eventually removed.
Beginning with the krb5-1.18 release, all support for single-DES encryption types has been removed.

Major changes in 1.22
---------------------

User experience:

* The libdefaults configuration variable "request_timeout" can be set to limit the total timeout for KDC requests. When making a KDC request, the client will now wait indefinitely (or until the request timeout has elapsed) on a KDC which accepts a TCP connection, without contacting any additional KDCs. Clients will make fewer DNS queries in some configurations.

* The realm configuration variable "sitename" can be set to cause the client to query site-specific DNS records when making KDC requests.

Administrator experience:

* Principal aliases are supported in the DB2 and LMDB KDB modules and in the kadmin protocol. (The LDAP KDB module has supported aliases since release 1.7.)

* UNIX domain sockets are supported for the Kerberos and kpasswd protocols.

* systemd socket activation is supported for krb5kdc and kadmind.

Developer experience:

* KDB modules can be implemented in terms of other modules using the new krb5_db_load_module() function.

* The profile library supports the modification of empty profiles and the copying of modified profiles, making it possible to construct an in-memory profile and pass it to krb5_init_context_profile().

* GSS-API applications can pass the GSS_C_CHANNEL_BOUND flag to gss_init_sec_context() to request strict enforcement of channel bindings by the acceptor.

Protocol evolution:

* The PKINIT preauth module supports elliptic curve client certificates, ECDH key exchange, and the Microsoft paChecksum2 field.

* The IAKERB implementation has been changed to comply with the most recent draft standard and to support realm discovery.

* Message-Authenticator is supported in the RADIUS implementation used by the OTP kdcpreauth module.

Code quality:

* Removed old-style function declarations, to accommodate compilers which have removed support for them.
* Added OSS-Fuzz to the project's continuous integration infrastructure.

* Rewrote the GSS per-message token parsing code for improved safety.
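The following krb5.conf fragment is an added example, not part of the announcement, showing how the variables named above (allow_des3 and allow_rc4 from the Triple-DES and RC4 transition, and the new request_timeout and sitename settings) fit together on a client or KDC. The realm name, KDC host names, the site name "bos" and the timeout value are placeholders, and the timeout is assumed to be given in seconds.

```ini
# krb5.conf fragment (constructed example; names and values are placeholders)
[libdefaults]
    default_realm = EXAMPLE.COM

    # New in 1.22: bound the total time spent on a single KDC request.
    # Without this, a KDC that accepts the TCP connection but never answers
    # holds the client indefinitely. Value assumed to be in seconds.
    request_timeout = 10

    # Since 1.21 the KDC will not issue triple-DES or RC4 session keys unless
    # these are explicitly enabled. Leaving them unset has the same effect;
    # they are written out here so a reviewer can see the weak enctypes are
    # deliberately kept off. Set allow_rc4 = true only while a legacy service
    # still depends on it, and remove it once that service is upgraded.
    allow_des3 = false
    allow_rc4 = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        # New in 1.22: query the site-specific DNS records for this site first.
        sitename = bos
    }
```

For a service that cannot accept the aes256-sha1 session keys the KDC now assumes by default, the supported list is recorded on its principal rather than in krb5.conf, with kadmin's setstr command, e.g. `setstr host/legacy.example.com session_enctypes aes128-cts-hmac-sha1-96` (principal name constructed for illustration).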