| author | Tom Yu <tlyu@mit.edu> | 2016-10-17 17:01:01 -0400 |
|---|---|---|
| committer | Tom Yu <tlyu@mit.edu> | 2016-10-18 08:31:19 -0400 |
| commit | 5b2df4b3694b09d21d3b94e5420363e37f6df748 (patch) | |
| tree | 14bd83f19913a767883d6512f67ca91672c6e0cb | |
| parent | 29dc209a135bae4e15d328348c2dab73e1f2afce (diff) | |
Update README for krb5-1.15
[ci skip]
-rw-r--r-- | README | 128 |
1 files changed, 126 insertions, 2 deletions
@@ -73,12 +73,132 @@ from using single-DES cryptosystems. Among these is a configuration variable that enables "weak" enctypes, which defaults to "false" beginning with krb5-1.8. -Major changes in 1.14 +Major changes in 1.15 --------------------- -krb5-1.14 changes by ticket ID +Administrator experience: + +* Add support to kadmin for remote extraction of current keys without + changing them (requires a special kadmin permission that is excluded + from the wildcard permission), with the exception of highly + protected keys. + +* Add a lockdown_keys principal attribute to prevent retrieval of the + principal's keys (old or new) via the kadmin protocol. In newly + created databases, this attribute is set on the krbtgt and kadmin + principals. + +* Restore recursive dump capability for DB2 back end, so sites can + more easily recover from database corruption resulting from power + failure events. + +* Add DNS auto-discovery of KDC and kpasswd servers from URI records, + in addition to SRV records. URI records can convey TCP and UDP + servers and master KDC status in a single DNS lookup, and can also + point to HTTPS proxy servers. + +* Add support for password history to the LDAP back end. + +* Add support for principal renaming to the LDAP back end. + +* Use the getrandom system call on supported Linux kernels to avoid + blocking problems when getting entropy from the operating system. + +Code quality: + +* Clean up numerous compilation warnings. + +* Remove various infrequently built modules, including some preauth + modules that were not built by default. + +Developer experience: + +* Add support for building with OpenSSL 1.1. + +* Use SHA-256 instead of MD5 for (non-cryptographic) hashing of + authenticators in the replay cache. This helps sites that must + build with FIPS 140 conformant libraries that lack MD5. + +Protocol evolution: + +* Add support for the AES-SHA2 enctypes, which allows sites to conform + to Suite B crypto requirements. 
+ +krb5-1.15 changes by ticket ID ------------------------------ +5889 password history doesn't work with LDAP KDB +6666 some non-default plugin directories don't build in 1.8 branch +7852 kadmin.local's ktadd -norandkey does not handle multiple kvnos + in the KDB +7985 Add krb5_get_init_creds_opt_set_pac_request +8065 Renaming principals with LDAP KDB deletes the principal +8277 iprop can choose wrong realm +8278 Add krb5_expand_hostname() API +8280 Fix impersonate_name to work with interposers +8295 kdb5_ldap_stash_service_password() stash file logic needs tweaking +8297 jsonwalker.py test fails +8298 Audit Test fails when system has IPV6 address +8299 Remove util/reconf +8329 Only run export-check.pl in maintainer mode +8344 Create KDC and kadmind log files with mode 0640 +8345 Remove nss libk5crypto implementation +8348 Remove workaround when binding to udp addresses and pktinfo + isn't supported by the system +8353 Replace MD5 use in rcache with SHA-256 +8354 Only store latest keys in key history entry +8355 Add kadm5_setkey_principal_4 RPC to kadmin +8364 Add get_principal_keys RPC to kadmin +8365 Add the ability to lock down principal keys +8366 Increase initial DNS buffer size +8368 Remove hdb KDB module +8371 Improve libkadm5 client RPC thread safety +8372 Use cached S4U2Proxy tickets in GSSAPI +8374 Interoperate with incomplete SPNEGO responses +8375 Allow zero cksumtype in krb5_k_verify_checksum() +8379 Add auth indicator handling to libkdb_ldap +8381 Don't fall back to master on password read error +8386 Add KDC pre-send and post-receive KDC hooks +8388 Remove port 750 from the KDC default ports +8389 Make profile includedir accept all *.conf files +8391 Add kinit long option support for all platforms +8393 Password Expiration "Never" Inconsistently Applied +8394 Add debug message filtering to krb5_klog_syslog +8396 Skip password prompt when running ksu as root +8398 Add libk5crypto support for OpenSSL 1.1.0 +8399 Unconstify some krb5 GSS OIDs +8404 
Remove non-DFSG documentation +8405 Work around python-ldap bug in kerberos.ldif +8412 Link correct VS2015 C libraries for debug builds +8414 Use library malloc for principal, policy entries +8418 Add libkdb function to specialize principal's salt +8419 Do not indicate deprecated GSS mechanisms +8423 Add SPNEGO special case for NTLMSSP+MechListMIC +8425 Add auth-indicator authdata module +8426 test_check_allowed_to_delegate() should free unparsed princ output +8428 Minimize timing leaks in PKINIT decryption +8429 Fix Makefile for paths containing '+' character +8434 Fix memory leak in old gssrpc authentication +8436 Update libev sources to 4.22 +8446 Fix leak in key change operations +8451 Add hints for -A flag to kdestroy +8456 Add the kprop-port option to kadmind +8462 Better handle failures to resolve client keytab +8464 Set prompt type for OTP preauth prompt +8465 Improve bad password inference in kinit +8466 Rename k5-queue.h macros +8471 Change KDC error for encrypted timestamp preauth +8476 Restore recursive dump functionality +8478 usability improvements for bttest +8488 Stop generating doc/CHANGES +8490 Add aes-sha2 enctype support +8494 Add krb5_db_register_keytab() +8496 Add KDC discovery from URI records +8499 Use getrandom system call on recent Linux kernels +8502 ret_boolean in profile_get_boolean() should be krb5_boolean * + instead of int * + + Acknowledgements ---------------- @@ -198,6 +318,7 @@ reports, suggestions, and valuable resources: Ravi Channavajhala Srinivas Cheruku Leonardo Chiquitto + Seemant Choudhary Howard Chu Andrea Cirulli Christopher D. Clausen @@ -252,6 +373,8 @@ reports, suggestions, and valuable resources: Jeffrey Hutzelman Wyllys Ingersoll Holger Isenberg + Spencer Jackson + Diogenes S. Jesus Pavel Jindra Joel Johnson Anders Kaseorg @@ -300,6 +423,7 @@ reports, suggestions, and valuable resources: Robert Relyea Martin Rex Jason Rogers + Matt Rogers Nate Rosenblum Solly Ross Mike Roszkowski |
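Review bot: the "Major changes in 1.15" summary in the first hunk leaves out several entries from the ticket list directly below it that an administrator needs to see before upgrading: 8388 (Remove port 750 from the KDC default ports) changes which ports the KDC listens on by default, 8344 (Create KDC and kadmind log files with mode 0640) tightens permissions on log files, and 8428 (Minimize timing leaks in PKINIT decryption) is a security fix. Consider surfacing these under the "Administrator experience" and "Code quality" headings, for example "* Remove port 750 from the KDC default ports." Two smaller documentation points in the same hunk: the remote key-extraction bullet refers to "a special kadmin permission" without naming it, so administrators cannot audit their kadmin ACLs for it from this text alone; and the lockdown_keys bullet says the attribute is set on the krbtgt and kadmin principals only "In newly created databases", so a sentence telling sites with existing databases to set lockdown_keys on those principals themselves would keep the new key-extraction RPC from exposing the most sensitive keys on upgraded installations.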