#13127 closed enhancement (fixed)

krb5-1.18

Reported by: Bruce Dubbs Owned by: Douglas R. Reno
Priority: normal Milestone: 9.1
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New minor version.

Change History (3)

comment:1 by Douglas R. Reno, 18 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: newassigned

comment:2 by Douglas R. Reno, 17 months ago

 Kerberos 5 Release 1.18 is now available

The MIT Kerberos Team announces the availability of the krb5-1.18 release. The detached PGP signature is available without going through the download page, if you wish to verify the authenticity of a distribution you have obtained elsewhere.

Please see the README file for a more complete list of changes.

You may also see the current full list of fixed bugs tracked in our RT bugtracking system.
DES no longer supported

Beginning with the krb5-1.18 release, single-DES encryption types are no longer supported.
Major changes in 1.18 (2020-02-12)

Administrator experience

        Remove support for single-DES encryption types.
        Change the replay cache format to be more efficient and robust. Replay cache filenames using the new format end with ".rcache2" by default.
        setuid programs will automatically ignore environment variables that normally affect krb5 API functions, even if the caller does not use krb5_init_secure_context().
        Add an "enforce_ok_as_delegate" krb5.conf relation to disable credential forwarding during GSSAPI authentication unless the KDC sets the ok-as-delegate bit in the service ticket.
        Use the permitted_enctypes krb5.conf setting as the default value for default_tkt_enctypes and default_tgs_enctypes. 

Developer experience

        Implement krb5_cc_remove_cred() for all credential cache types.
        Add the krb5_pac_get_client_info() API to get the client account name from a PAC. 

Protocol evolution

        Add KDC support for S4U2Self requests where the user is identified by X.509 certificate. (Requires support for certificate lookup from a third-party KDB module.)
        Remove support for an old ("draft 9") variant of PKINIT.
        Add support for Microsoft NegoEx. (Requires one or more third-party GSS modules implementing NegoEx mechanisms.) 

User experience

        Add support for "dns_canonicalize_hostname=fallback", causing host-based principal names to be tried first without DNS canonicalization, and again with DNS canonicalization if the un-canonicalized server is not found.
        Expand single-component hostnames in host-based principal names when DNS canonicalization is not used, adding the system's first DNS search path as a suffix. Add a "qualify_shortname" krb5.conf relation to override this suffix or disable expansion.
        Honor the transited-policy-checked ticket flag on application servers, eliminating the requirement to configure capaths on servers in some scenarios. 

Code quality

        The libkrb5 serialization code (used to export and import krb5 GSS security contexts) has been simplified and made type-safe.
        The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED messages has been revised to conform to current coding practices.
        The test suite has been modified to work with macOS System Integrity Protection enabled.
        The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support can always be tested. 

comment:3 by Douglas R. Reno, 17 months ago

Resolution: fixed
Status: assignedclosed

Fixed at r22716

Note: See TracTickets for help on using tickets.