Opened 4 years ago
Closed 4 years ago
#13127 closed enhancement (fixed)
krb5-1.18
| Reported by: | Bruce Dubbs | Owned by: | Douglas R. Reno |
|---|---|---|---|
| Priority: | normal | Milestone: | 9.1 |
| Component: | BOOK | Version: | SVN |
| Severity: | normal | Keywords: | |
| Cc: |
Description
New minor version.
Change History (3)
comment:1 by , 4 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:2 by , 4 years ago
Note:
See TracTickets
for help on using tickets.
Kerberos 5 Release 1.18 is now available The MIT Kerberos Team announces the availability of the krb5-1.18 release. The detached PGP signature is available without going through the download page, if you wish to verify the authenticity of a distribution you have obtained elsewhere. Please see the README file for a more complete list of changes. You may also see the current full list of fixed bugs tracked in our RT bugtracking system. DES no longer supported Beginning with the krb5-1.18 release, single-DES encryption types are no longer supported. Major changes in 1.18 (2020-02-12) Administrator experience Remove support for single-DES encryption types. Change the replay cache format to be more efficient and robust. Replay cache filenames using the new format end with ".rcache2" by default. setuid programs will automatically ignore environment variables that normally affect krb5 API functions, even if the caller does not use krb5_init_secure_context(). Add an "enforce_ok_as_delegate" krb5.conf relation to disable credential forwarding during GSSAPI authentication unless the KDC sets the ok-as-delegate bit in the service ticket. Use the permitted_enctypes krb5.conf setting as the default value for default_tkt_enctypes and default_tgs_enctypes. Developer experience Implement krb5_cc_remove_cred() for all credential cache types. Add the krb5_pac_get_client_info() API to get the client account name from a PAC. Protocol evolution Add KDC support for S4U2Self requests where the user is identified by X.509 certificate. (Requires support for certificate lookup from a third-party KDB module.) Remove support for an old ("draft 9") variant of PKINIT. Add support for Microsoft NegoEx. (Requires one or more third-party GSS modules implementing NegoEx mechanisms.) User experience Add support for "dns_canonicalize_hostname=fallback", causing host-based principal names to be tried first without DNS canonicalization, and again with DNS canonicalization if the un-canonicalized server is not found. Expand single-component hostnames in host-based principal names when DNS canonicalization is not used, adding the system's first DNS search path as a suffix. Add a "qualify_shortname" krb5.conf relation to override this suffix or disable expansion. Honor the transited-policy-checked ticket flag on application servers, eliminating the requirement to configure capaths on servers in some scenarios. Code quality The libkrb5 serialization code (used to export and import krb5 GSS security contexts) has been simplified and made type-safe. The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED messages has been revised to conform to current coding practices. The test suite has been modified to work with macOS System Integrity Protection enabled. The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support can always be tested.