Opened 5 years ago

Closed 5 years ago

#10118 closed enhancement (fixed)

krb5-1.16

Reported by: bdubbs@…
Owned by: bdubbs@…
Priority: normal
Milestone: 8.2
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description

New minor version.

Change History (3)

comment:1 by bdubbs@…, 5 years ago

Owner: changed from blfs-book@… to bdubbs@…
Status: new → assigned

comment:2 by bdubbs@…, 5 years ago

Major changes in 1.16 (2017-12-05)

Administrator experience

  • The KDC can match PKINIT client certificates against the "pkinit_cert_match" string attribute on the client principal entry, using the same syntax as the existing "pkinit_cert_match" profile option.
  • The ktutil addent command supports the "-k 0" option to ignore the key version, and the "-s" option to use a non-default salt string.
  • kpropd supports a --pid-file option to write a pid file at startup, when it is run in standalone mode.
  • The "encrypted_challenge_indicator" realm option can be used to attach an authentication indicator to tickets obtained using FAST encrypted challenge pre-authentication.
  • Localization support can be disabled at build time with the --disable-nls configure option.

Developer experience

  • The kdcpolicy pluggable interface allows modules to control whether tickets are issued by the KDC.
  • The kadm5_auth pluggable interface allows modules to control whether kadmind grants access to a kadmin request.
  • The certauth pluggable interface allows modules to control which PKINIT client certificates can authenticate to which client principals.
  • KDB modules can use the client and KDC interface IP addresses to determine whether to allow an AS request.
  • GSS applications can query the bit strength of a krb5 GSS context using the GSS_C_SEC_CONTEXT_SASL_SSF OID with gss_inquire_sec_context_by_oid().
  • GSS applications can query the impersonator name of a krb5 GSS credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with gss_inquire_cred_by_oid().
  • kdcpreauth modules can query the KDC for the canonicalized requested client principal name, or match a principal name against the requested client principal name with canonicalization.

Protocol evolution

  • The client library will continue to try pre-authentication mechanisms after most failure conditions.
  • The KDC will issue trivially renewable tickets (where the renewable lifetime is equal to or less than the ticket lifetime) if requested by the client, to be friendlier to scripts.
  • The client library will use a random nonce for TGS requests instead of the current system time.
  • For the RC4 string-to-key or PAC operations, UTF-16 is supported (previously only UCS-2 was supported).
  • When matching PKINIT client certificates, UPN SANs will be matched correctly as UPNs, with canonicalization.

User experience

  • Dates after the year 2038 are accepted (provided that the platform time facilities support them), through the year 2106.
  • Automatic credential cache selection based on the client realm will take into account the fallback realm and the service hostname.
  • Referral and alternate cross-realm TGTs will not be cached, avoiding some scenarios where they can be added to the credential cache multiple times.
  • A German translation has been added.

Code quality

  • The build is warning-clean under clang with the configured warning options.
  • The automated test suite runs cleanly under AddressSanitizer.
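
The two administrator-facing options in the 1.16 notes above (the "encrypted_challenge_indicator" realm option and the "pkinit_cert_match" string attribute on a client principal) are easiest to see as a configuration fragment. The following is an added example written for this page; it is not part of the ticket, the BLFS book, or the MIT krb5 release notes. The realm name EXAMPLE.ORG, the indicator string fast-encchal, the principals and the certificate subject pattern are all hypothetical placeholders.

```ini
; Added example, not from this ticket or from MIT krb5 itself.
; Realm, indicator string, principals and subject pattern are hypothetical.
;
; /etc/krb5kdc/kdc.conf (excerpt)
[realms]
    EXAMPLE.ORG = {
        ; New in 1.16: tickets obtained through FAST encrypted-challenge
        ; pre-authentication are tagged with this authentication indicator,
        ; so a service can distinguish a password proven inside a FAST
        ; tunnel from a plain encrypted-timestamp login.
        encrypted_challenge_indicator = fast-encchal
    }

; Per-principal PKINIT certificate matching (new in 1.16) is not set in
; kdc.conf but as a string attribute on the client principal, using the
; same match syntax as the pkinit_cert_match profile option (&& = every
; component rule must match). Set it with kadmin, for example:
;
;   kadmin.local -q 'setstr alice@EXAMPLE.ORG pkinit_cert_match "&&<SUBJECT>CN=alice.*<EKU>clientAuth"'
;
; A service that should only accept the indicator above can then require it
; (require_auth is a 1.14+ string attribute, shown here for context):
;
;   kadmin.local -q 'setstr host/app.example.org@EXAMPLE.ORG require_auth fast-encchal'
```

After changing kdc.conf the KDC has to be restarted for the realm option to take effect; string attributes set with setstr are stored in the KDB and apply to the next request for that principal.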

comment:3 by bdubbs@…, 5 years ago

Resolution: fixed
Status: assigned → closed

Fixed at revision 19621.
