[30682] in CVS-changelog-for-Kerberos-V5
krb5 commit: Update features list for 1.18
daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Jan 8 14:20:49 2020
Date: Wed, 8 Jan 2020 14:20:41 -0500
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <202001081920.008JKfSo027660@drugstore.mit.edu>
To: <cvs-krb5@mit.edu>
Reply-To: krbdev@mit.edu
https://github.com/krb5/krb5/commit/92eceaf26ed68c0526d0cddb4338fae6cd143ba4
commit 92eceaf26ed68c0526d0cddb4338fae6cd143ba4
Author: Greg Hudson <ghudson@mit.edu>
Date: Wed Jan 8 14:20:15 2020 -0500
Update features list for 1.18
doc/mitK5features.rst | 68 ++++++++++++++++++++++++++++++++++++++++++++++--
1 files changed, 65 insertions(+), 3 deletions(-)
diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst
index a19068e..d58c718 100644
--- a/doc/mitK5features.rst
+++ b/doc/mitK5features.rst
@@ -19,9 +19,9 @@ Quick facts
License - :ref:`mitK5license`
Releases:
- - Latest stable: https://web.mit.edu/kerberos/krb5-1.17/
- - Supported: https://web.mit.edu/kerberos/krb5-1.16/
- - Release cycle: 9 -- 12 months
+ - Latest stable: https://web.mit.edu/kerberos/krb5-1.18/
+ - Supported: https://web.mit.edu/kerberos/krb5-1.17/
+ - Release cycle: approximately 12 months
Supported platforms \/ OS distributions:
- Windows (KfW 4.0): Windows 7, Vista, XP
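Review bot: The unchanged platform line directly under the updated release list still reads "Windows (KfW 4.0): Windows 7, Vista, XP", so the quick facts now name 1.18 as latest stable next to a Windows list this commit did not revisit. Please confirm that list is still accurate for 1.18 or update it in the same change. Separately, the "Supported" line moves from 1.16 to 1.17 without the commit message saying that 1.16 drops off; a brief mention there would help anyone tracking which branches are still supported.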
@@ -471,6 +471,68 @@ Release 1.17
unused Windows-specific code has been removed. Visual Studio 2013
or later is now required.
+Release 1.18
+
+* Administrator experience:
+
+ - Remove support for single-DES encryption types.
+
+ - Change the replay cache format to be more efficient and robust.
+ Replay cache filenames using the new format end with ``.rcache2``
+ by default.
+
+ - setuid programs will automatically ignore environment variables
+ that normally affect krb5 API functions, even if the caller does
+ not use krb5_init_secure_context().
+
+ - Add an ``enforce_ok_as_delegate`` krb5.conf relation to disable
+ credential forwarding during GSSAPI authentication unless the KDC
+ sets the ok-as-delegate bit in the service ticket.
+
+* Developer experience:
+
+ - Implement krb5_cc_remove_cred() for all credential cache types.
+
+ - Add the krb5_pac_get_client_info() API to get the client account
+ name from a PAC.
+
+* Protocol evolution:
+
+ - Add KDC support for S4U2Self requests where the user is identified
+ by X.509 certificate. (Requires support for certificate lookup
+ from a third-party KDB module.)
+
+ - Remove support for an old ("draft 9") variant of PKINIT.
+
+ - Add support for Microsoft NegoEx. (Requires one or more
+ third-party GSS modules implementing NegoEx mechanisms.)
+
+* User experience:
+
+ - Add support for ``dns_canonicalize_hostname=fallback``, causing
+ host-based principal names to be tried first without DNS
+ canonicalization, and again with DNS canonicalization if the
+ un-canonicalized server is not found.
+
+ - Expand single-component hostnames in hhost-based principal names
+ when DNS canonicalization is not used, adding the system's first
+ DNS search path as a suffix. Add a ``qualify_shortname``
+ krb5.conf relation to override this suffix or disable expansion.
+
+* Code quality:
+
+ - The libkrb5 serialization code (used to export and import krb5 GSS
+ security contexts) has been simplified and made type-safe.
+
+ - The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
+ messages has been revised to conform to current coding practices.
+
+ - The test suite has been modified to work with macOS System
+ Integrity Protection enabled.
+
+ - The test suite incorporates soft-pkcs11 so that PKINIT PKCS11
+ support can always be tested.
+
`Pre-authentication mechanisms`
- PW-SALT :rfc:`4120#section-5.2.7.3`
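Review bot: Typo in the "User experience" item on single-component hostnames: "hhost-based principal names" should read "host-based principal names". In the "Administrator experience" list, the ``enforce_ok_as_delegate`` entry says what the relation does when set but not what the default is; adding that would let administrators tell from this page whether credential forwarding behaviour changes on upgrade. The single-DES removal entry could likewise point to where administrators can find guidance on what to check before upgrading, since it is the one item here that removes a capability outright.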