author | Tom Yu <tlyu@mit.edu> | 2016-10-24 14:05:41 -0400 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 2016-10-24 16:43:23 -0400 |
commit | cc1909ae1cfbb93d15fcfd1bfb878a92309475a3 | |
tree | 84d63b7aeec3e7f8dd5a1ae952bcab85de20c4b8 | |
parent | 3bb6e66c07a9864cc7ece0604105bd987e1d2977 | |
Update features list for 1.15
(cherry picked from commit 6872044bb52fdbbcbb965fe5dcb3e1da2755ae82)
ticket: 8510
version_fixed: 1.15
-rw-r--r-- | doc/mitK5features.rst | 56 |
1 files changed, 52 insertions, 4 deletions
diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst index cdcb04f..b4e4b8b 100644 --- a/doc/mitK5features.rst +++ b/doc/mitK5features.rst @@ -19,8 +19,8 @@ Quick facts License - :ref:`mitK5license` Releases: - - Latest stable: http://web.mit.edu/kerberos/krb5-1.14/ - - Supported: http://web.mit.edu/kerberos/krb5-1.13/ + - Latest stable: http://web.mit.edu/kerberos/krb5-1.15/ + - Supported: http://web.mit.edu/kerberos/krb5-1.14/ - Release cycle: 9 -- 12 months Supported platforms \/ OS distributions: @@ -80,8 +80,6 @@ Starting from release 1.8: `Heimdal` -* Support for reading Heimdal database starting from release 1.8 - * Support for KCM credential cache starting from release 1.13 Feature list 
@@ -261,6 +259,56 @@ Release 1.14 full resync, and do not require two full resyncs after the master KDC's log file is reset. +Release 1.15 + +* Administrator experience: + + - Add support to kadmin for remote extraction of current keys + without changing them (requires a special kadmin permission that + is excluded from the wildcard permission), with the exception of + highly protected keys. + + - Add a lockdown_keys principal attribute to prevent retrieval of + the principal's keys (old or new) via the kadmin protocol. In + newly created databases, this attribute is set on the krbtgt and + kadmin principals. + + - Restore recursive dump capability for DB2 back end, so sites can + more easily recover from database corruption resulting from power + failure events. + + - Add DNS auto-discovery of KDC and kpasswd servers from URI + records, in addition to SRV records. URI records can convey TCP + and UDP servers and master KDC status in a single DNS lookup, and + can also point to HTTPS proxy servers. + + - Add support for password history to the LDAP back end. + + - Add support for principal renaming to the LDAP back end. + + - Use the getrandom system call on supported Linux kernels to avoid + blocking problems when getting entropy from the operating system. + +* Code quality: + + - Clean up numerous compilation warnings. + + - Remove various infrequently built modules, including some preauth + modules that were not built by default. + +* Developer experience: + + - Add support for building with OpenSSL 1.1. + + - Use SHA-256 instead of MD5 for (non-cryptographic) hashing of + authenticators in the replay cache. This helps sites that must + build with FIPS 140 conformant libraries that lack MD5. + +* Protocol evolution: + + - Add support for the AES-SHA2 enctypes, which allows sites to + conform to Suite B crypto requirements. + `Pre-authentication mechanisms` - PW-SALT :rfc:`4120#section-5.2.7.3` |
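Review bot: In the first hunk (Quick facts, "Releases:"), both updated links still use plain http:// ("Latest stable: http://web.mit.edu/kerberos/krb5-1.15/" and "Supported: http://web.mit.edu/kerberos/krb5-1.14/"). Since these are the pages readers follow to obtain releases, consider switching them to https:// in the same edit, provided the site serves those paths over TLS. The version bump itself is consistent: 1.15 becomes latest stable and 1.14 moves to supported.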
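Review bot: In the second hunk (the `Heimdal` list), the bullet "Support for reading Heimdal database starting from release 1.8" is deleted without explanation; the commit message only says "Update features list for 1.15". If the capability was dropped in 1.15, say so explicitly, either in the commit message or under the new "Code quality" item, because "Remove various infrequently built modules" does not name it and a site relying on Heimdal database import would not find the change from the features page alone.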
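Review bot: In the third hunk (new "Release 1.15" section), the lockdown_keys bullet says the attribute is set on the krbtgt and kadmin principals "In newly created databases", which leaves the reader to infer that databases carried over from an earlier release do not get it. Add a sentence stating that existing databases need the attribute set by the administrator, since that is the case where remote key extraction is newly possible and the protection is absent. In the bullet before it, "with the exception of highly protected keys" is undefined; if it means principals carrying lockdown_keys, say that and reference the next bullet, and name the special kadmin permission rather than describing it only as "excluded from the wildcard permission". As a style point, lockdown_keys and getrandom are identifiers and would read better in reST literal markup.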