From 49d6ae210d3b376f3263b171709e75fd74b9dd8b Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Thu, 13 Apr 2023 12:27:03 -0400 Subject: Update features list for 1.21 --- doc/mitK5features.rst | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst index ca2d6ef..10effcf 100644 --- a/doc/mitK5features.rst +++ b/doc/mitK5features.rst @@ -642,6 +642,48 @@ Release 1.20 - Converted the remaining Tcl tests to Python. +Release 1.21 + +* User experience: + + - Added a credential cache type providing compatibility with the + macOS 11 native credential cache. + +* Developer experience: + + - libkadm5 will use the provided krb5_context object to read + configuration values, instead of creating its own. + + - Added an interface to retrieve the ticket session key from a GSS + context. + +* Protocol evolution: + + - The KDC will no longer issue tickets with RC4 or triple-DES + session keys unless explicitly configured with the new allow_rc4 + or allow_des3 variables respectively. + + - The KDC will assume that all services can handle aes256-sha1 + session keys unless the service principal has a session_enctypes + string attribute. + + - Support for PAC full KDC checksums has been added to mitigate an + S4U2Proxy privilege escalation attack. + + - The PKINIT client will advertise a more modern set of supported + CMS algorithms. + +* Code quality: + + - Removed unused code in libkrb5, libkrb5support, and the PKINIT + module. + + - Modernized the KDC code for processing TGS requests, the code for + encrypting and decrypting key data, the PAC handling code, and the + GSS library packet parsing and composition code. + + - Improved the test framework's detection of memory errors in daemon + processes when used with asan. `Pre-authentication mechanisms` -- cgit v1.1
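Review bot: in the "Protocol evolution" list, the allow_rc4/allow_des3 entry and the session_enctypes entry both change what the KDC does by default, but neither tells an administrator where the setting lives or what to check before upgrading. Suggest naming the configuration file or section that holds allow_rc4 and allow_des3, or linking to their reference page. The aes256-sha1 entry should also say that a service which cannot handle aes256-sha1 session keys needs a session_enctypes string attribute on its principal. The PAC full KDC checksum entry mentions "an S4U2Proxy privilege escalation attack" with no pointer. If an advisory or identifier exists for it, cite it there so readers can judge whether they are affected.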