author: Greg Hudson <ghudson@mit.edu> 2018-10-30 13:54:33 -0400
committer: Greg Hudson <ghudson@mit.edu> 2018-10-30 13:54:33 -0400
commit: 69fd5fb1f44569d597ed425697707a193a287a2a
tree: 8a5d7206b600074a1ba0ccd5d5f77d54510adf1b /README
parent: 3c971278c4d79037e0349d103499f5d47ae0a8c2
Update README for krb5-1.17
Diffstat (limited to 'README')
-rw-r--r-- README 185
1 files changed, 185 insertions, 0 deletions
diff --git a/README b/README
index 6b68f41..b5432eb 100644
--- a/README
+++ b/README
@@ -76,9 +76,177 @@ beginning with krb5-1.8.
Major changes in 1.17
---------------------
+Administrator experience:
+
+* A new Kerberos database module using the Lightning Memory-Mapped
+ Database library (LMDB) has been added. The LMDB KDB module should
+ be more performant and more robust than the DB2 module, and may
+ become the default module for new databases in a future release.
+
+* "kdb5_util dump" will no longer dump policy entries when specific
+ principal names are requested.
+
+Developer experience:
+
+* The new krb5_get_etype_info() API can be used to retrieve enctype,
+ salt, and string-to-key parameters from the KDC for a client
+ principal.
+
+* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
+ principal names to be used with GSS-API functions.
+
+* KDC and kadmind modules which call com_err() will now write to the
+ log file in a format more consistent with other log messages.
+
+* Programs which use large numbers of memory credential caches should
+ perform better.
+
+Protocol evolution:
+
+* The SPAKE pre-authentication mechanism is now supported. This
+ mechanism protects against password dictionary attacks without
+ requiring any additional infrastructure such as certificates. SPAKE
+ is enabled by default on clients, but must be manually enabled on
+ the KDC for this release.
+
+* PKINIT freshness tokens are now supported. Freshness tokens can
+ protect against scenarios where an attacker uses temporary access to
+ a smart card to generate authentication requests for the future.
+
+* Password change operations now prefer TCP over UDP, to avoid
+ spurious error messages about replays when a response packet is
+ dropped.
+
+* The KDC now supports cross-realm S4U2Self requests when used with a
+ third-party KDB module such as Samba's. The client code for
+ cross-realm S4U2Self requests is also now more robust.
+
+User experience:
+
+* The new ktutil addent -f flag can be used to fetch salt information
+ from the KDC for password-based keys.
+
+* The new kdestroy -p option can be used to destroy a credential cache
+ within a collection by client principal name.
+
+* The Kerberos man page has been restored, and documents the
+ environment variables that affect programs using the Kerberos
+ library.
+
+Code quality:
+
+* Python test scripts now use Python 3.
+
+* Python test scripts now display markers in verbose output, making it
+ easier to find where a failure occurred within the scripts.
+
+* The Windows build system has been simplified and updated to work
+ with more recent versions of Visual Studio. A large volume of
+ unused Windows-specific code has been removed. Visual Studio 2013
+ or later is now required.
+
krb5-1.17 changes by ticket ID
------------------------------
+7905 Password changes can result in replay error
+8202 memory ccache cursors are invalidated by initialize
+8270 No logging when a non-root ksu with command fails authorization
+8587 ktutil addent should be able to fetch etype-info2 for principal
+8629 etype-info not included in hint list for REQUIRES_HW_AUTH principals
+8630 Logging from KDC/kadmind plugin modules
+8634 Trace log on k5tls load failure
+8635 Fix a few German translation prepositions
+8636 PKINIT certid option cannot handle leading zero
+8641 Make public headers work with gcc -Wundef
+8642 etype-info conflated for initial, final reply key enctype
+8647 Add SPAKE preauth support
+8648 Implement PKINIT freshness tokens
+8650 Exit with status 0 from kadmind
+8651 profile library may try to reread from special device files
+8652 Report extended errors in kinit -k -t KDB:
+8653 Include preauth name in trace output if possible
+8654 Prevent fallback from SPAKE to encrypted timestamp
+8655 Need per-realm client configuration to deny encrypted timestamp
+8657 SPAKE support for Windows build
+8659 SPAKE client asks for password before checking second-factor support
+8661 ksu segfaults when argc == 0
+8662 Windows README does not document MFC requirement
+8663 TLS is not free on library unload
+8664 Avoid simultaneous KDB/ulog locks in ulog_replay
+8665 Display more extended errors in kdb5_util
+8673 Improve error for kadmind -proponly without iprop
+8674 Add LMDB KDB module
+8677 Escape curly braces in def-check.pl regexes
+8678 Don't specify MFC library in Leash build
+8679 Fix Leash build error with recent Visual Studio
+8680 Update kfw installer for VS2017, WiX 3.11.1
+8682 Stop building CNS for Windows
+8684 Fix option parsing on Windows
+8685 Make plugin auto-registration work on Windows
+8686 Process profile includedir in sorted order
+8687 Repeated lookups of local computer name on Windows
+8689 t_path.c build failure with NDEBUG
+8690 Fix Windows strerror_r() implementation
+8691 Use pkg.m4 macros
+8692 Make docs build python3-compatible
+8693 Resource leak in domain_fallback_realm()
+8694 Add documentation on dictionary attacks
+8695 Resource leak in krb5_524_conv_principal()
+8696 Resource leak in krb5_425_conv_principal()
+8697 Resource leak in krb5_gss_inquire_cred()
+8698 Resource leak in aname_replacer()
+8699 Resource leak in k5_os_hostaddr()
+8700 Resource leak in krb5int_get_fq_local_hostname()
+8702 Resource leak in kdb5_purge_mkeys()
+8703 Resource leak in RPC UDP cache code
+8704 Resource leak in read_secret_file()
+8707 Resource leak in ulog_map()
+8708 Incorrect error handling in OTP plugin
+8709 Explicitly look for python2 in configure.in
+8710 Convert Python tests to Python 3
+8711 Use SHA-256 instead of MD5 for audit ticket IDs
+8713 Zap copy of secret in RC4 string-to-key
+8715 Make krb5kdc -p affect TCP ports
+8716 Remove outdated note in krb5kdc man page
+8718 krb5_get_credentials incorrectly matches user to user ticket
+8719 Extend gss-sample timeout from 10s to 300s
+8720 Don't include all MEMORY ccaches in collection
+8721 Don't tag S4U2Proxy result creds as user-to-user
+8722 Use a hash table for MEMORY ccache resolution
+8723 Use PTHREAD_CFLAGS when testing for getpwnam_r()
+8724 Add kdestroy -p option
+8725 Update many documentation links to https
+8726 Null deref on some invalid PKINIT identities
+8727 Check strdup return in kadm5_get_config_params()
+8728 doc: kswitch manual "see also" subsection typo
+8729 Memory leak in gss_add_cred() creation case
+8730 Add kvno option for user-to-user
+8731 Document that DESTDIR must be an absolute path
+8732 Fix name of .pdb file in ccapi/test/Makefile.in
+8733 Multiple pkinit_identities semantics are unclear and perhaps not useful
+8734 gss_add_cred() aliases memory when creating extended cred
+8736 Check mech cred in gss_inquire_cred_by_mech()
+8737 gss_add_cred() ignores desired_name if creating a new credential
+8738 Use the term "replica KDC" in source and docs
+8741 S4U2Self client code fails with no default realm
+8742 Use "replica" in iprop settings
+8743 Fix incorrect TRACE usages to use {str}
+8745 libss without readline can interfere with reading passwords
+8746 Fix 64-bit Windows socket write error handling
+8747 Allow referrals for cross-realm S4U2Self requests
+8748 Add more constraints to S4U2Self processing
+8749 Add PAC APIs which can include a client realm
+8750 Resource leak in ktutil_add()
+8751 Fix up kdb5_util documentation
+8752 Don't dump policies if principals are specified
+8753 Prevent SIGPIPE from socket writes on UNIX-likes
+8754 Correct kpasswd_server description in krb5.conf(5)
+8755 Bring back general kerberos man page
+8756 Add GSS_KRB5_NT_ENTERPRISE_NAME name type
+8757 Start S4U2Self realm lookup at server realm
+8759 Resource leak in kadm5_randkey_principal_3()
+8760 Retry KCM writes once on remote hangup
+
Acknowledgements
----------------
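Review bot: The SPAKE bullet under "Protocol evolution" ("SPAKE is enabled by default on clients, but must be manually enabled on the KDC for this release") should say where the KDC-side setting is documented, and it leaves out the client-side half of the protection that the ticket list in the same hunk records (8654 "Prevent fallback from SPAKE to encrypted timestamp" and 8655 "Need per-realm client configuration to deny encrypted timestamp"). As written, an administrator who enables SPAKE on the KDC may not realise that clients can still fall back to encrypted timestamp, which the preceding sentence says SPAKE is meant to protect against, unless they are configured per realm to refuse it. Suggest adding a sentence after "for this release." along the lines of "Clients can also be configured per realm to refuse encrypted timestamp preauthentication so that the dictionary-attack protection cannot be bypassed by fallback." Two further hardening items from the ticket list, 8711 "Use SHA-256 instead of MD5 for audit ticket IDs" and 8713 "Zap copy of secret in RC4 string-to-key", are not reflected in the "Major changes" section and would fit under "Code quality".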
@@ -178,6 +346,7 @@ reports, suggestions, and valuable resources:
Russell Allbery
Brian Almeida
Michael B Allen
+ Pooja Anil
Heinz-Ado Arnolds
Derek Atkins
Mark Bannister
@@ -197,6 +366,7 @@ reports, suggestions, and valuable resources:
Michael Calmer
Andrea Campi
Julien Chaffraix
+ Puran Chand
Ravi Channavajhala
Srinivas Cheruku
Leonardo Chiquitto
@@ -233,15 +403,18 @@ reports, suggestions, and valuable resources:
JC Ferguson
Remi Ferrand
Paul Fertser
+ Fabiano Fidêncio
William Fiveash
Jacques Florent
Ákos Frohner
Sebastian Galiano
Marcus Granado
+ Dylan Gray
Scott Grizzard
Helmut Grohne
Steve Grubb
Philip Guenther
+ Timo Gurr
Dominic Hargreaves
Robbie Harwood
John Hascall
@@ -258,6 +431,7 @@ reports, suggestions, and valuable resources:
Jakub Hrozek
Shumon Huque
Jeffrey Hutzelman
+ Sergey Ilinykh
Wyllys Ingersoll
Holger Isenberg
Spencer Jackson
@@ -267,11 +441,13 @@ reports, suggestions, and valuable resources:
Joel Johnson
Alexander Karaivanov
Anders Kaseorg
+ Bar Katz
Zentaro Kavanagh
Mubashir Kazia
W. Trevor King
Patrik Kis
Martin Kittel
+ Matthew Krupcale
Mikkel Kruse
Reinhard Kugler
Tomas Kuthan
@@ -281,12 +457,15 @@ reports, suggestions, and valuable resources:
Jan iankko Lieskovsky
Todd Lipcon
Oliver Loch
+ Chris Long
Kevin Longfellow
Frank Lonigro
Jon Looney
Nuno Lopes
+ Todd Lubin
Ryan Lynch
Roland Mainz
+ Sorin Manolache
Andrei Maslennikov
Michael Mattioli
Nathaniel McCallum
@@ -309,15 +488,18 @@ reports, suggestions, and valuable resources:
Javier Palacios
Tom Parker
Ezra Peisach
+ Alejandro Perez
Zoran Pericic
W. Michael Petullo
Mark Phalan
+ Sharwan Ram
Brett Randall
Jonathan Reams
Jonathan Reed
Robert Relyea
Tony Reix
Martin Rex
+ Pat Riehecky
Jason Rogers
Matt Rogers
Nate Rosenblum
@@ -326,6 +508,7 @@ reports, suggestions, and valuable resources:
Guillaume Rousse
Joshua Schaeffer
Andreas Schneider
+ Paul Seyfert
Tom Shaw
Jim Shi
Peter Shoults
@@ -345,6 +528,7 @@ reports, suggestions, and valuable resources:
John Washington
Stef Walter
Xi Wang
+ Nehal J Wani
Kevin Wasserman
Margaret Wasserman
Marcus Watts
@@ -359,6 +543,7 @@ reports, suggestions, and valuable resources:
Neng Xue
Zhaomo Yang
Nickolai Zeldovich
+ Bean Zhang
Hanz van Zijst
Gertjan Zwartjes