From 69fd5fb1f44569d597ed425697707a193a287a2a Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Tue, 30 Oct 2018 13:54:33 -0400 Subject: Update README for krb5-1.17 --- README | 185 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 185 insertions(+) (limited to 'README') diff --git a/README b/README index 6b68f41..b5432eb 100644 --- a/README +++ b/README 
@@ -76,9 +76,177 @@ beginning with krb5-1.8. Major changes in 1.17 --------------------- +Administrator experience: + +* A new Kerberos database module using the Lightning Memory-Mapped + Database library (LMDB) has been added. The LMDB KDB module should + be more performant and more robust than the DB2 module, and may + become the default module for new databases in a future release. + +* "kdb5_util dump" will no longer dump policy entries when specific + principal names are requested. + +Developer experience: + +* The new krb5_get_etype_info() API can be used to retrieve enctype, + salt, and string-to-key parameters from the KDC for a client + principal. + +* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise + principal names to be used with GSS-API functions. + +* KDC and kadmind modules which call com_err() will now write to the + log file in a format more consistent with other log messages. + +* Programs which use large numbers of memory credential caches should + perform better. + +Protocol evolution: + +* The SPAKE pre-authentication mechanism is now supported. This + mechanism protects against password dictionary attacks without + requiring any additional infrastructure such as certificates. SPAKE + is enabled by default on clients, but must be manually enabled on + the KDC for this release. + +* PKINIT freshness tokens are now supported. Freshness tokens can + protect against scenarios where an attacker uses temporary access to + a smart card to generate authentication requests for the future. + +* Password change operations now prefer TCP over UDP, to avoid + spurious error messages about replays when a response packet is + dropped. + +* The KDC now supports cross-realm S4U2Self requests when used with a + third-party KDB module such as Samba's. The client code for + cross-realm S4U2Self requests is also now more robust. 
+ +User experience: + +* The new ktutil addent -f flag can be used to fetch salt information + from the KDC for password-based keys. + +* The new kdestroy -p option can be used to destroy a credential cache + within a collection by client principal name. + +* The Kerberos man page has been restored, and documents the + environment variables that affect programs using the Kerberos + library. + +Code quality: + +* Python test scripts now use Python 3. + +* Python test scripts now display markers in verbose output, making it + easier to find where a failure occurred within the scripts. + +* The Windows build system has been simplified and updated to work + with more recent versions of Visual Studio. A large volume of + unused Windows-specific code has been removed. Visual Studio 2013 + or later is now required. + krb5-1.17 changes by ticket ID ------------------------------ +7905 Password changes can result in replay error +8202 memory ccache cursors are invalidated by initialize +8270 No logging when a non-root ksu with command fails authorization +8587 ktutil addent should be able to fetch etype-info2 for principal +8629 etype-info not included in hint list for REQUIRES_HW_AUTH principals +8630 Logging from KDC/kadmind plugin modules +8634 Trace log on k5tls load failure +8635 Fix a few German translation prepositions +8636 PKINIT certid option cannot handle leading zero +8641 Make public headers work with gcc -Wundef +8642 etype-info conflated for initial, final reply key enctype +8647 Add SPAKE preauth support +8648 Implement PKINIT freshness tokens +8650 Exit with status 0 from kadmind +8651 profile library may try to reread from special device files +8652 Report extended errors in kinit -k -t KDB: +8653 Include preauth name in trace output if possible +8654 Prevent fallback from SPAKE to encrypted timestamp +8655 Need per-realm client configuration to deny encrypted timestamp +8657 SPAKE support for Windows build +8659 SPAKE client asks for password before 
checking second-factor support +8661 ksu segfaults when argc == 0 +8662 Windows README does not document MFC requirement +8663 TLS is not free on library unload +8664 Avoid simultaneous KDB/ulog locks in ulog_replay +8665 Display more extended errors in kdb5_util +8673 Improve error for kadmind -proponly without iprop +8674 Add LMDB KDB module +8677 Escape curly braces in def-check.pl regexes +8678 Don't specify MFC library in Leash build +8679 Fix Leash build error with recent Visual Studio +8680 Update kfw installer for VS2017, WiX 3.11.1 +8682 Stop building CNS for Windows +8684 Fix option parsing on Windows +8685 Make plugin auto-registration work on Windows +8686 Process profile includedir in sorted order +8687 Repeated lookups of local computer name on Windows +8689 t_path.c build failure with NDEBUG +8690 Fix Windows strerror_r() implementation +8691 Use pkg.m4 macros +8692 Make docs build python3-compatible +8693 Resource leak in domain_fallback_realm() +8694 Add documentation on dictionary attacks +8695 Resource leak in krb5_524_conv_principal() +8696 Resource leak in krb5_425_conv_principal() +8697 Resource leak in krb5_gss_inquire_cred() +8698 Resource leak in aname_replacer() +8699 Resource leak in k5_os_hostaddr() +8700 Resource leak in krb5int_get_fq_local_hostname() +8702 Resource leak in kdb5_purge_mkeys() +8703 Resource leak in RPC UDP cache code +8704 Resource leak in read_secret_file() +8707 Resource leak in ulog_map() +8708 Incorrect error handling in OTP plugin +8709 Explicitly look for python2 in configure.in +8710 Convert Python tests to Python 3 +8711 Use SHA-256 instead of MD5 for audit ticket IDs +8713 Zap copy of secret in RC4 string-to-key +8715 Make krb5kdc -p affect TCP ports +8716 Remove outdated note in krb5kdc man page +8718 krb5_get_credentials incorrectly matches user to user ticket +8719 Extend gss-sample timeout from 10s to 300s +8720 Don't include all MEMORY ccaches in collection +8721 Don't tag S4U2Proxy result creds as 
user-to-user +8722 Use a hash table for MEMORY ccache resolution +8723 Use PTHREAD_CFLAGS when testing for getpwnam_r() +8724 Add kdestroy -p option +8725 Update many documentation links to https +8726 Null deref on some invalid PKINIT identities +8727 Check strdup return in kadm5_get_config_params() +8728 doc: kswitch manual "see also" subsection typo +8729 Memory leak in gss_add_cred() creation case +8730 Add kvno option for user-to-user +8731 Document that DESTDIR must be an absolute path +8732 Fix name of .pdb file in ccapi/test/Makefile.in +8733 Multiple pkinit_identities semantics are unclear and perhaps not useful +8734 gss_add_cred() aliases memory when creating extended cred +8736 Check mech cred in gss_inquire_cred_by_mech() +8737 gss_add_cred() ignores desired_name if creating a new credential +8738 Use the term "replica KDC" in source and docs +8741 S4U2Self client code fails with no default realm +8742 Use "replica" in iprop settings +8743 Fix incorrect TRACE usages to use {str} +8745 libss without readline can interfere with reading passwords +8746 Fix 64-bit Windows socket write error handling +8747 Allow referrals for cross-realm S4U2Self requests +8748 Add more constraints to S4U2Self processing +8749 Add PAC APIs which can include a client realm +8750 Resource leak in ktutil_add() +8751 Fix up kdb5_util documentation +8752 Don't dump policies if principals are specified +8753 Prevent SIGPIPE from socket writes on UNIX-likes +8754 Correct kpasswd_server description in krb5.conf(5) +8755 Bring back general kerberos man page +8756 Add GSS_KRB5_NT_ENTERPRISE_NAME name type +8757 Start S4U2Self realm lookup at server realm +8759 Resource leak in kadm5_randkey_principal_3() +8760 Retry KCM writes once on remote hangup + Acknowledgements ---------------- @@ -178,6 +346,7 @@ reports, suggestions, and valuable resources: Russell Allbery Brian Almeida Michael B Allen + Pooja Anil Heinz-Ado Arnolds Derek Atkins Mark Bannister 
@@ -197,6 +366,7 @@ reports, suggestions, and valuable resources: Michael Calmer Andrea Campi Julien Chaffraix + Puran Chand Ravi Channavajhala Srinivas Cheruku Leonardo Chiquitto @@ -233,15 +403,18 @@ reports, suggestions, and valuable resources: JC Ferguson Remi Ferrand Paul Fertser + Fabiano Fidêncio William Fiveash Jacques Florent Ákos Frohner Sebastian Galiano Marcus Granado + Dylan Gray Scott Grizzard Helmut Grohne Steve Grubb Philip Guenther + Timo Gurr Dominic Hargreaves Robbie Harwood John Hascall @@ -258,6 +431,7 @@ reports, suggestions, and valuable resources: Jakub Hrozek Shumon Huque Jeffrey Hutzelman + Sergey Ilinykh Wyllys Ingersoll Holger Isenberg Spencer Jackson @@ -267,11 +441,13 @@ reports, suggestions, and valuable resources: Joel Johnson Alexander Karaivanov Anders Kaseorg + Bar Katz Zentaro Kavanagh Mubashir Kazia W. Trevor King Patrik Kis Martin Kittel + Matthew Krupcale Mikkel Kruse Reinhard Kugler Tomas Kuthan @@ -281,12 +457,15 @@ reports, suggestions, and valuable resources: Jan iankko Lieskovsky Todd Lipcon Oliver Loch + Chris Long Kevin Longfellow Frank Lonigro Jon Looney Nuno Lopes + Todd Lubin Ryan Lynch Roland Mainz + Sorin Manolache Andrei Maslennikov Michael Mattioli Nathaniel McCallum @@ -309,15 +488,18 @@ reports, suggestions, and valuable resources: Javier Palacios Tom Parker Ezra Peisach + Alejandro Perez Zoran Pericic W. Michael Petullo Mark Phalan + Sharwan Ram Brett Randall Jonathan Reams Jonathan Reed Robert Relyea Tony Reix Martin Rex + Pat Riehecky Jason Rogers Matt Rogers Nate Rosenblum @@ -326,6 +508,7 @@ reports, suggestions, and valuable resources: Guillaume Rousse Joshua Schaeffer Andreas Schneider + Paul Seyfert Tom Shaw Jim Shi Peter Shoults @@ -345,6 +528,7 @@ reports, suggestions, and valuable resources: John Washington Stef Walter Xi Wang + Nehal J Wani Kevin Wasserman Margaret Wasserman Marcus Watts 
@@ -359,6 +543,7 @@ reports, suggestions, and valuable resources: Neng Xue Zhaomo Yang Nickolai Zeldovich + Bean Zhang Hanz van Zijst Gertjan Zwartjes -- cgit v1.1
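Review bot: the SPAKE bullet under "Protocol evolution" claims protection against password dictionary attacks without stating the condition the claim depends on: a client that still falls back from SPAKE to encrypted timestamp loses that protection, which is what tickets 8654 ("Prevent fallback from SPAKE to encrypted timestamp") and 8655 ("Need per-realm client configuration to deny encrypted timestamp") in the same hunk address. Suggest adding a sentence after "must be manually enabled on the KDC for this release" saying that the protection is complete only once clients are also configured to refuse encrypted timestamp, and pointing to the KDC and client configuration documentation for both settings, since the README names neither. The PKINIT freshness token bullet has the same gap: it does not say whether freshness tokens are enabled by default or need KDC configuration.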