author | Greg Hudson <ghudson@mit.edu> | 2020-01-08 14:40:08 -0500 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2020-01-08 14:40:08 -0500 |
commit | 835fe85173ee8fb5b0c27bb44c9a171f8d151dc9 (patch) | |
tree | a20f641badf89781108e857ec262ea142b3032e3 | |
parent | 92eceaf26ed68c0526d0cddb4338fae6cd143ba4 (diff) | |
Update README for krb5-1.18
-rw-r--r-- | README | 127 |
1 files changed, 127 insertions, 0 deletions
@@ -76,9 +76,126 @@ beginning with krb5-1.8. Major changes in 1.18 --------------------- +Administrator experience: + +* Remove support for single-DES encryption types. + +* Change the replay cache format to be more efficient and robust. + Replay cache filenames using the new format end with ".rcache2" by + default. + +* setuid programs will automatically ignore environment variables that + normally affect krb5 API functions, even if the caller does not use + krb5_init_secure_context(). + +* Add an "enforce_ok_as_delegate" krb5.conf relation to disable + credential forwarding during GSSAPI authentication unless the KDC + sets the ok-as-delegate bit in the service ticket. + +Developer experience: + +* Implement krb5_cc_remove_cred() for all credential cache types. + +* Add the krb5_pac_get_client_info() API to get the client account + name from a PAC. + +Protocol evolution: + +* Add KDC support for S4U2Self requests where the user is identified + by X.509 certificate. (Requires support for certificate lookup from + a third-party KDB module.) + +* Remove support for an old ("draft 9") variant of PKINIT. + +* Add support for Microsoft NegoEx. (Requires one or more third-party + GSS modules implementing NegoEx mechanisms.) + +User experience: + +* Add support for "dns_canonicalize_hostname=fallback""`, causing + host-based principal names to be tried first without DNS + canonicalization, and again with DNS canonicalization if the + un-canonicalized server is not found. + +* Expand single-component hostnames in hhost-based principal names + when DNS canonicalization is not used, adding the system's first DNS + search path as a suffix. Add a "qualify_shortname" krb5.conf + relation to override this suffix or disable expansion. + +Code quality: + +* The libkrb5 serialization code (used to export and import krb5 GSS + security contexts) has been simplified and made type-safe. 
+ +* The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED d + messages has been revised to conform to current coding practices. + +* The test suite has been modified to work with macOS System Integrity + Protection enabled. + +* The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 + support can always be tested. + krb5-1.18 changes by ticket ID ------------------------------ +5891 kdb_ldap should treat entries with "nsAccountLock: true" as locked +7135 gssapi mechanism glue dlcloses objects potentially after they are already unloaded +7765 Some ccache functions not exported +7871 KDC should not fail requests due to forwardable/proxiable option +8349 use __APPLE_USE_RFC_3542 to get IPV6_PKTINFO on Mac OS X +8761 ksu doesn't allow acquisition of non-forwardable tickets +8764 get_creds can add redundant cache entry for referral ticket +8765 Add dns_canonicalize_hostname=fallback support +8773 Mark deprecated enctypes when used +8775 Process SPNEGO error tokens through mech +8777 S4U2Self with X.509 certificate bugs +8778 Add new kvno protocol transition options +8780 Expand S4U2Self exception in KDC lineage check +8781 Add KDC support for X.509 S4U2Self requests +8784 Use better name type for PKINIT KDC certs +8785 Use memory replay cache for DO_TIME auth contexts +8786 Hash-based replay cache implementation +8788 Rename configure.in to configure.ac +8791 Add option to build without libkeyutils +8792 Implement krb5_cc_remove_cred for remaining types +8793 Remove srvtab support +8794 Remove kadmin RPC support for setting v4 key +8795 configure: chech for libncursesw, if libncurses is not found +8798 Remove ovsec_adm_export dump format support +8799 Check more errors in OpenSSL crypto backend +8800 Add secure_getenv() support +8804 Remove checksum type profile variables +8805 Modernize example enctypes in documentation +8806 kdb5_util errors on command arguments matching command names +8807 Set a more modern default ksu CMD_PATH +8808 Remove 
single-DES support +8811 In klist, display ticket server if different +8812 Remove support for no-flags SAM-2 preauth +8815 Verify PAC client name independently of name-type +8816 kproplog cannot display LOCKDOWN_KEYS attribute +8817 Remove PKINIT draft 9 support +8819 gss_set_allowable_enctypes() fails if any enctypes aren't recognized +8823 Allow the KDB to see and modify auth indicators +8827 Change definition of KRB5_KDB_FLAG_CROSS_REALM +8828 Add API to get client account name from PAC +8829 Fix authdata signatures for non-TGT AS-REQs +8833 Add environment variable for GSS mech config +8842 Record start time of AS requests earlier in KDC +8843 Allow client canonicalization in non-krbtgt AS-REP +8844 SPNEGO should filter mechs on acceptor with gss_acquire_cred() +8845 SPNEGO init/accept output parameter bugs +8847 Add enforce_ok_as_delegate setting +8849 Install gssapi/gssapi_alloc.h properly +8851 NegoEx +8855 Qualify short hostnames when not using DNS +8856 segfault in krb5-1.17.1/src/lib/krb5/krb/authdata.c +8857 Don't warn in kadmin when no policy is specified +8858 Do not always canonicalize enterprise principals +8859 Remove KRB5_KDB_FLAG_ALIAS_OK +8860 Allow kprop over NATs +8861 Fix LDAP policy enforcement of pw_expiration + Acknowledgements ---------------- @@ -179,6 +296,7 @@ reports, suggestions, and valuable resources: Brian Almeida Michael B Allen Pooja Anil + Jeffrey Arbuckle Heinz-Ado Arnolds Derek Atkins Mark Bannister @@ -189,6 +307,7 @@ reports, suggestions, and valuable resources: Adam Bernstein Arlene Berry Jeff Blaine + Toby Blake Radoslav Bodo Sumit Bose Emmanuel Bouillon @@ -236,6 +355,7 @@ reports, suggestions, and valuable resources: Remi Ferrand Paul Fertser Fabiano Fidêncio + Frank Filz William Fiveash Jacques Florent Ákos Frohner @@ -271,6 +391,7 @@ reports, suggestions, and valuable resources: Pavel Jindra Brian Johannesmeyer Joel Johnson + Lutz Justen Alexander Karaivanov Anders Kaseorg Bar Katz 
@@ -279,11 +400,13 @@ reports, suggestions, and valuable resources: W. Trevor King Patrik Kis Martin Kittel + Thomas Klausner Matthew Krupcale Mikkel Kruse Reinhard Kugler Tomas Kuthan Pierre Labastie + Andreas Ladanyi Chris Leick Volker Lendecke Jan iankko Lieskovsky @@ -298,6 +421,7 @@ reports, suggestions, and valuable resources: Ryan Lynch Roland Mainz Sorin Manolache + Robert Marshall Andrei Maslennikov Michael Mattioli Nathaniel McCallum @@ -318,7 +442,9 @@ reports, suggestions, and valuable resources: Andrej Ota Dmitri Pal Javier Palacios + Dilyan Palauzov Tom Parker + Eric Pauly Ezra Peisach Alejandro Perez Zoran Pericic @@ -343,6 +469,7 @@ reports, suggestions, and valuable resources: Paul Seyfert Tom Shaw Jim Shi + Jerry Shipman Peter Shoults Richard Silverman Cel Skeggs |
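Review bot: The first hunk's new README text has several typos that should be fixed before this lands, since the README is user-facing: the "User experience" bullet reads `"dns_canonicalize_hostname=fallback""`,` with a stray `""`` after `fallback` (should be `"dns_canonicalize_hostname=fallback",`); the following bullet says "hhost-based principal names" (should be "host-based"); and the "Code quality" bullet "KRB-PRIV, KRB-SAFE, and KRB-CRED d messages" carries a stray "d". In the ticket list, 8795 reads "configure: chech for libncursesw"; if ticket titles are reproduced verbatim from the tracker that is acceptable, otherwise "check".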