"Fossies" - the Fresh Open Source Software Archive

Member "krb5-1.18/README" (12 Feb 2020, 14208 Bytes) of package /linux/misc/krb5-1.18.tar.gz:



    1                    Kerberos Version 5, Release 1.18
    2 
    3                             Release Notes
    4                         The MIT Kerberos Team
    5 
    6 Copyright and Other Notices
    7 ---------------------------
    8 
    9 Copyright (C) 1985-2019 by the Massachusetts Institute of Technology
   10 and its contributors.  All rights reserved.
   11 
   12 Please see the file named NOTICE for additional notices.
   13 
   14 Documentation
   15 -------------
   16 
   17 Unified documentation for Kerberos V5 is available in both HTML and
   18 PDF formats.  The table of contents of the HTML format documentation
   19 is at doc/html/index.html, and the PDF format documentation is in the
   20 doc/pdf directory.
   21 
   22 Additionally, you may find copies of the HTML format documentation
   23 online at
   24 
   25     https://web.mit.edu/kerberos/krb5-latest/doc/
   26 
   27 for the most recent supported release, or at
   28 
   29     https://web.mit.edu/kerberos/krb5-devel/doc/
   30 
   31 for the release under development.
   32 
   33 More information about Kerberos may be found at
   34 
   35     https://web.mit.edu/kerberos/
   36 
   37 and at the MIT Kerberos Consortium web site
   38 
   39     https://kerberos.org/
   40 
   41 Building and Installing Kerberos 5
   42 ----------------------------------
   43 
   44 Build documentation is in doc/html/build/index.html or
   45 doc/pdf/build.pdf.
   46 
   47 The installation guide is in doc/html/admin/install.html or
   48 doc/pdf/install.pdf.
   49 
   50 If you are attempting to build under Windows, please see the
   51 src/windows/README file.
   52 
   53 Reporting Bugs
   54 --------------
   55 
   56 Please report any problems/bugs/comments by sending email to
   57 krb5-bugs@mit.edu.
   58 
   59 You may view bug reports by visiting
   60 
   61 https://krbdev.mit.edu/rt/
   62 
   63 and using the "Guest Login" button.  Please note that the web
   64 interface to our bug database is read-only for guests, and the primary
   65 way to interact with our bug database is via email.
   66 
   67 DES transition
   68 --------------
   69 
   70 The Data Encryption Standard (DES) is widely recognized as weak.  The
   71 krb5-1.7 release contains measures to encourage sites to migrate away
   72 from using single-DES cryptosystems.  Among these is a configuration
   73 variable that enables "weak" enctypes, which defaults to "false"
   74 beginning with krb5-1.8.
   75 
   76 Major changes in 1.18 (2019-02-12)
   77 ----------------------------------
   78 
   79 Administrator experience:
   80 
   81 * Remove support for single-DES encryption types.
   82 
   83 * Change the replay cache format to be more efficient and robust.
   84   Replay cache filenames using the new format end with ".rcache2" by
   85   default.
   86 
   87 * setuid programs will automatically ignore environment variables that
   88   normally affect krb5 API functions, even if the caller does not use
   89   krb5_init_secure_context().
   90 
   91 * Add an "enforce_ok_as_delegate" krb5.conf relation to disable
   92   credential forwarding during GSSAPI authentication unless the KDC
   93   sets the ok-as-delegate bit in the service ticket.
   94 
   95 * Use the permitted_enctypes krb5.conf setting as the default value
   96   for default_tkt_enctypes and default_tgs_enctypes.
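
The two enctype changes above (single-DES removal and permitted_enctypes as the default for default_tkt_enctypes and default_tgs_enctypes) can be checked against an existing krb5.conf before upgrading. The following is an added example, not part of the MIT README or the krb5 source; the single-DES enctype names come from the documentation of earlier releases rather than from this file, and the sample configuration is constructed.

```python
import re

# Single-DES enctype names and the "des" family alias, as documented for
# releases before 1.18 (assumption: these names are not listed in this README).
SINGLE_DES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
              "des-cbc-raw", "des-hmac-sha1"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes")

# Constructed sample krb5.conf; realm and host names are placeholders.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    permitted_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc
    default_tgs_enctypes = aes256-cts, des-cbc-md5
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

def parse_libdefaults(text):
    """Return the 'key = value' relations found in the [libdefaults] section."""
    relations, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            relations[key.strip()] = value.strip()
    return relations

def single_des_entries(value):
    """List the single-DES names in an enctype list (comma/space separated)."""
    tokens = re.split(r"[,\s]+", (value or "").lower())
    # A leading '-' removes an enctype from the list, so it is not a use.
    return [t.lstrip("+") for t in tokens
            if not t.startswith("-") and t.lstrip("+") in SINGLE_DES]

def audit(text):
    """Map each enctype relation to the single-DES names it would select."""
    rel = parse_libdefaults(text)
    permitted = rel.get("permitted_enctypes")
    # 1.18 rule: an unset default_*_enctypes relation inherits permitted_enctypes.
    lists = {key: rel.get(key, permitted) for key in ENCTYPE_KEYS}
    lists["permitted_enctypes"] = permitted
    return {key: single_des_entries(val) for key, val in lists.items()}

if __name__ == "__main__":
    for relation, hits in audit(SAMPLE).items():
        print(relation, hits)
```

An empty list for every relation means the configuration names no single-DES enctype; a relation that is unset and has no permitted_enctypes to inherit also reports an empty list.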
   97 
   98 Developer experience:
   99 
  100 * Implement krb5_cc_remove_cred() for all credential cache types.
  101 
  102 * Add the krb5_pac_get_client_info() API to get the client account
  103   name from a PAC.
  104 
  105 Protocol evolution:
  106 
  107 * Add KDC support for S4U2Self requests where the user is identified
  108   by X.509 certificate.  (Requires support for certificate lookup from
  109   a third-party KDB module.)
  110 
  111 * Remove support for an old ("draft 9") variant of PKINIT.
  112 
  113 * Add support for Microsoft NegoEx.  (Requires one or more third-party
  114   GSS modules implementing NegoEx mechanisms.)
  115 
  116 * Honor the transited-policy-checked ticket flag on application
  117   servers, eliminating the requirement to configure capaths on
  118   servers in some scenarios.
  119 
  120 User experience:
  121 
  122 * Add support for "dns_canonicalize_hostname=fallback", causing
  123   host-based principal names to be tried first without DNS
  124   canonicalization, and again with DNS canonicalization if the
  125   un-canonicalized server is not found.
  126 
  127 * Expand single-component hostnames in host-based principal names when
  128   DNS canonicalization is not used, adding the system's first DNS
  129   search path as a suffix.  Add a "qualify_shortname" krb5.conf
  130   relation to override this suffix or disable expansion.
  131 
  132 Code quality:
  133 
  134 * The libkrb5 serialization code (used to export and import krb5 GSS
  135   security contexts) has been simplified and made type-safe.
  136 
  137 * The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
  138   messages has been revised to conform to current coding practices.
  139 
  140 * The test suite has been modified to work with macOS System Integrity
  141   Protection enabled.
  142 
  143 * The test suite incorporates soft-pkcs11 so that PKINIT PKCS11
  144   support can always be tested.
  145 
  146 krb5-1.18 changes by ticket ID
  147 ------------------------------
  148 
  149 5891    kdb_ldap should treat entries with "nsAccountLock: true" as locked
  150 7135    gssapi mechanism glue dlcloses objects potentially after they are already unloaded
  151 7765    Some ccache functions not exported
  152 7871    KDC should not fail requests due to forwardable/proxiable option
  153 8349    use __APPLE_USE_RFC_3542 to get IPV6_PKTINFO on Mac OS X
  154 8761    ksu doesn't allow acquisition of non-forwardable tickets
  155 8764    get_creds can add redundant cache entry for referral ticket
  156 8765    Add dns_canonicalize_hostname=fallback support
  157 8773    Mark deprecated enctypes when used
  158 8775    Process SPNEGO error tokens through mech
  159 8777    S4U2Self with X.509 certificate bugs
  160 8778    Add new kvno protocol transition options
  161 8780    Expand S4U2Self exception in KDC lineage check
  162 8781    Add KDC support for X.509 S4U2Self requests
  163 8784    Use better name type for PKINIT KDC certs
  164 8785    Use memory replay cache for DO_TIME auth contexts
  165 8786    Hash-based replay cache implementation
  166 8788    Rename configure.in to configure.ac
  167 8791    Add option to build without libkeyutils
  168 8792    Implement krb5_cc_remove_cred for remaining types
  169 8793    Remove srvtab support
  170 8794    Remove kadmin RPC support for setting v4 key
  171 8795    configure: check for libncursesw, if libncurses is not found
  172 8798    Remove ovsec_adm_export dump format support
  173 8799    Check more errors in OpenSSL crypto backend
  174 8800    Add secure_getenv() support
  175 8804    Remove checksum type profile variables
  176 8805    Modernize example enctypes in documentation
  177 8806    kdb5_util errors on command arguments matching command names
  178 8807    Set a more modern default ksu CMD_PATH
  179 8808    Remove single-DES support
  180 8811    In klist, display ticket server if different
  181 8812    Remove support for no-flags SAM-2 preauth
  182 8815    Verify PAC client name independently of name-type
  183 8816    kproplog cannot display LOCKDOWN_KEYS attribute
  184 8817    Remove PKINIT draft 9 support
  185 8819    gss_set_allowable_enctypes() fails if any enctypes aren't recognized
  186 8823    Allow the KDB to see and modify auth indicators
  187 8827    Change definition of KRB5_KDB_FLAG_CROSS_REALM
  188 8828    Add API to get client account name from PAC
  189 8829    Fix authdata signatures for non-TGT AS-REQs
  190 8833    Add environment variable for GSS mech config
  191 8842    Record start time of AS requests earlier in KDC
  192 8843    Allow client canonicalization in non-krbtgt AS-REP
  193 8844    SPNEGO should filter mechs on acceptor with gss_acquire_cred()
  194 8845    SPNEGO init/accept output parameter bugs
  195 8847    Add enforce_ok_as_delegate setting
  196 8849    Install gssapi/gssapi_alloc.h properly
  197 8851    NegoEx
  198 8855    Qualify short hostnames when not using DNS
  199 8856    segfault in krb5-1.17.1/src/lib/krb5/krb/authdata.c
  200 8857    Don't warn in kadmin when no policy is specified
  201 8858    Do not always canonicalize enterprise principals
  202 8859    Remove KRB5_KDB_FLAG_ALIAS_OK
  203 8860    Allow kprop over NATs
  204 8861    Fix LDAP policy enforcement of pw_expiration
  205 8864    Fix error handling in gssint_mechglue_init()
  206 8865    Check cross-realm TGT name for RBCD requests
  207 8866    Fix S4U client authdata handling
  208 8867    Fix KDC crash in handle_signticket
  209 8868    Allow cross-realm RBCD with PAC and other authdata
  210 8869    Apply permitted_enctypes to KDC request enctypes
  211 8870    Honor transited-policy-checked flag in servers
  212 8872    Put KDB authdata first
  213 8873    Don't assume OpenSSL failures are memory errors
  214 8874    Always use S4U2Proxy second ticket parsed authdata
  215 
  216 Acknowledgements
  217 ----------------
  218 
  219 Past Sponsors of the MIT Kerberos Consortium:
  220 
  221     Apple
  222     Carnegie Mellon University
  223     Centrify Corporation
  224     Columbia University
  225     Cornell University
  226     The Department of Defense of the United States of America (DoD)
  227     Fidelity Investments
  228     Google
  229     Iowa State University
  230     MIT
  231     Michigan State University
  232     Microsoft
  233     MITRE Corporation
  234     Morgan-Stanley
  235     The National Aeronautics and Space Administration
  236         of the United States of America (NASA)
  237     Network Appliance (NetApp)
  238     Nippon Telephone and Telegraph (NTT)
  239     US Government Office of the National Coordinator for Health
  240         Information Technology (ONC)
  241     Oracle
  242     Pennsylvania State University
  243     Red Hat
  244     Stanford University
  245     TeamF1, Inc.
  246     The University of Alaska
  247     The University of Michigan
  248     The University of Pennsylvania
  249 
  250 Past and present members of the Kerberos Team at MIT:
  251 
  252     Danilo Almeida
  253     Jeffrey Altman
  254     Justin Anderson
  255     Richard Basch
  256     Mitch Berger
  257     Jay Berkenbilt
  258     Andrew Boardman
  259     Bill Bryant
  260     Steve Buckley
  261     Joe Calzaretta
  262     John Carr
  263     Mark Colan
  264     Don Davis
  265     Sarah Day
  266     Alexandra Ellwood
  267     Carlos Garay
  268     Dan Geer
  269     Nancy Gilman
  270     Matt Hancher
  271     Thomas Hardjono
  272     Sam Hartman
  273     Paul Hill
  274     Marc Horowitz
  275     Eva Jacobus
  276     Miroslav Jurisic
  277     Barry Jaspan
  278     Benjamin Kaduk
  279     Geoffrey King
  280     Kevin Koch
  281     John Kohl
  282     HaoQi Li
  283     Jonathan Lin
  284     Peter Litwack
  285     Scott McGuire
  286     Steve Miller
  287     Kevin Mitchell
  288     Cliff Neuman
  289     Paul Park
  290     Ezra Peisach
  291     Chris Provenzano
  292     Ken Raeburn
  293     Jon Rochlis
  294     Jeff Schiller
  295     Jen Selby
  296     Robert Silk
  297     Bill Sommerfeld
  298     Jennifer Steiner
  299     Ralph Swick
  300     Brad Thompson
  301     Harry Tsai
  302     Zhanna Tsitkova
  303     Ted Ts'o
  304     Marshall Vale
  305     Taylor Yu
  306 
  307 The following external contributors have provided code, patches, bug
  308 reports, suggestions, and valuable resources:
  309 
  310     Ian Abbott
  311     Brandon Allbery
  312     Russell Allbery
  313     Brian Almeida
  314     Michael B Allen
  315     Pooja Anil
  316     Jeffrey Arbuckle
  317     Heinz-Ado Arnolds
  318     Derek Atkins
  319     Mark Bannister
  320     David Bantz
  321     Alex Baule
  322     David Benjamin
  323     Thomas Bernard
  324     Adam Bernstein
  325     Arlene Berry
  326     Jeff Blaine
  327     Toby Blake
  328     Radoslav Bodo
  329     Sumit Bose
  330     Emmanuel Bouillon
  331     Isaac Boukris
  332     Philip Brown
  333     Samuel Cabrero
  334     Michael Calmer
  335     Andrea Campi
  336     Julien Chaffraix
  337     Puran Chand
  338     Ravi Channavajhala
  339     Srinivas Cheruku
  340     Leonardo Chiquitto
  341     Seemant Choudhary
  342     Howard Chu
  343     Andrea Cirulli
  344     Christopher D. Clausen
  345     Kevin Coffman
  346     Simon Cooper
  347     Sylvain Cortes
  348     Ian Crowther
  349     Arran Cudbard-Bell
  350     Jeff D'Angelo
  351     Nalin Dahyabhai
  352     Mark Davies
  353     Dennis Davis
  354     Alex Dehnert
  355     Mark Deneen
  356     Günther Deschner
  357     John Devitofranceschi
  358     Marc Dionne
  359     Roland Dowdeswell
  360     Dorian Ducournau
  361     Viktor Dukhovni
  362     Jason Edgecombe
  363     Mark Eichin
  364     Shawn M. Emery
  365     Douglas E. Engert
  366     Peter Eriksson
  367     Juha Erkkilä
  368     Gilles Espinasse
  369     Ronni Feldt
  370     Bill Fellows
  371     JC Ferguson
  372     Remi Ferrand
  373     Paul Fertser
  374     Fabiano Fidêncio
  375     Frank Filz
  376     William Fiveash
  377     Jacques Florent
  378     Ákos Frohner
  379     Sebastian Galiano
  380     Marcus Granado
  381     Dylan Gray
  382     Scott Grizzard
  383     Helmut Grohne
  384     Steve Grubb
  385     Philip Guenther
  386     Timo Gurr
  387     Dominic Hargreaves
  388     Robbie Harwood
  389     John Hascall
  390     Jakob Haufe
  391     Matthieu Hautreux
  392     Jochen Hein
  393     Paul B. Henson
  394     Jeff Hodges
  395     Christopher Hogan
  396     Love Hörnquist Åstrand
  397     Ken Hornstein
  398     Henry B. Hotz
  399     Luke Howard
  400     Jakub Hrozek
  401     Shumon Huque
  402     Jeffrey Hutzelman
  403     Sergey Ilinykh
  404     Wyllys Ingersoll
  405     Holger Isenberg
  406     Spencer Jackson
  407     Diogenes S. Jesus
  408     Pavel Jindra
  409     Brian Johannesmeyer
  410     Joel Johnson
  411     Lutz Justen
  412     Alexander Karaivanov
  413     Anders Kaseorg
  414     Bar Katz
  415     Zentaro Kavanagh
  416     Mubashir Kazia
  417     W. Trevor King
  418     Patrik Kis
  419     Martin Kittel
  420     Thomas Klausner
  421     Matthew Krupcale
  422     Mikkel Kruse
  423     Reinhard Kugler
  424     Tomas Kuthan
  425     Pierre Labastie
  426     Andreas Ladanyi
  427     Chris Leick
  428     Volker Lendecke
  429     Jan iankko Lieskovsky
  430     Todd Lipcon
  431     Oliver Loch
  432     Chris Long
  433     Kevin Longfellow
  434     Frank Lonigro
  435     Jon Looney
  436     Nuno Lopes
  437     Todd Lubin
  438     Ryan Lynch
  439     Roland Mainz
  440     Sorin Manolache
  441     Robert Marshall
  442     Andrei Maslennikov
  443     Michael Mattioli
  444     Nathaniel McCallum
  445     Greg McClement
  446     Cameron Meadors
  447     Alexey Melnikov
  448     Franklyn Mendez
  449     Markus Moeller
  450     Kyle Moffett
  451     Paul Moore
  452     Keiichi Mori
  453     Michael Morony
  454     Zbysek Mraz
  455     Edward Murrell
  456     Nikos Nikoleris
  457     Felipe Ortega
  458     Michael Osipov
  459     Andrej Ota
  460     Dmitri Pal
  461     Javier Palacios
  462     Dilyan Palauzov
  463     Tom Parker
  464     Eric Pauly
  465     Ezra Peisach
  466     Alejandro Perez
  467     Zoran Pericic
  468     W. Michael Petullo
  469     Mark Phalan
  470     Sharwan Ram
  471     Brett Randall
  472     Jonathan Reams
  473     Jonathan Reed
  474     Robert Relyea
  475     Tony Reix
  476     Martin Rex
  477     Pat Riehecky
  478     Jason Rogers
  479     Matt Rogers
  480     Nate Rosenblum
  481     Solly Ross
  482     Mike Roszkowski
  483     Guillaume Rousse
  484     Joshua Schaeffer
  485     Andreas Schneider
  486     Paul Seyfert
  487     Tom Shaw
  488     Jim Shi
  489     Jerry Shipman
  490     Peter Shoults
  491     Richard Silverman
  492     Cel Skeggs
  493     Simo Sorce
  494     Michael Spang
  495     Michael Ströder
  496     Bjørn Tore Sund
  497     Joe Travaglini
  498     Tim Uglow
  499     Rathor Vipin
  500     Denis Vlasenko
  501     Jorgen Wahlsten
  502     Stef Walter
  503     Max (Weijun) Wang
  504     John Washington
  505     Stef Walter
  506     Xi Wang
  507     Nehal J Wani
  508     Kevin Wasserman
  509     Margaret Wasserman
  510     Marcus Watts
  511     Andreas Wiese
  512     Simon Wilkinson
  513     Nicolas Williams
  514     Ross Wilper
  515     Augustin Wolf
  516     David Woodhouse
  517     Tsu-Phong Wu
  518     Xu Qiang
  519     Neng Xue
  520     Zhaomo Yang
  521     Nickolai Zeldovich
  522     Bean Zhang
  523     Hanz van Zijst
  524     Gertjan Zwartjes
  525 
  526 The above is not an exhaustive list; many others have contributed in
  527 various ways to the MIT Kerberos development effort over the years.
  528 Other acknowledgments (for bug reports and patches) are in the
  529 doc/CHANGES file.