variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.
+Major changes in 1.11.3 (2013-06-03)
+------------------------------------
+
+* Fix a UDP ping-pong vulnerability in the kpasswd (password changing)
+ service. [CVE-2002-2443]
+
+* Improve interoperability with some Windows native PKINIT clients.
+
+krb5-1.11.3 changes by ticket ID
+--------------------------------
+
+7596 PKINIT should allow missing DH param Q
+7602 allow dh_min_bits >= 1024
+7605 Set msg_type when decoding FAST requests
+7626 Rename internal Camellia symbols
+7637 Fix kpasswd UDP ping-pong [CVE-2002-2443]
+7639 Transited realm checks sometimes fail for GSSAPI
+7640 Clarify that kdc.conf and krb5.conf are merged
+7641 Clarify krb5_rd_req documentation
+7644 Sphinx doc build leaves python bytecode (.pyc) in release tarball
+7653 Document preauth flags for service principals
+7654 Clarify retiring-des based on user feedback
+7655 Clean up dangling antecedent in allow_weak_crypto
+
Major changes in 1.11.2 (2013-04-12)
------------------------------------
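Review bot: the CVE-2002-2443 identifier on the "Fix a UDP ping-pong vulnerability" entry, repeated on ticket 7637, carries a 2002 year next to a 2013-06-03 release date, and readers may take it for a typo. If the ID is intended, a short parenthetical saying so would help. The entry also says nothing about impact or about what sites running the kpasswd service over UDP should do apart from upgrading; one more sentence would make the release note actionable.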
Joel Johnson
W. Trevor King
Mikkel Kruse
+ Reinhard Kugler
Volker Lendecke
Jan iankko Lieskovsky
Oliver Loch
-.TH "K5IDENTITY" "5" " " "1.11.2" "MIT Kerberos"
+.TH "K5IDENTITY" "5" " " "1.11.3" "MIT Kerberos"
.SH NAME
k5identity \- Kerberos V5 client principal selection rules
.
-.TH "K5LOGIN" "5" " " "1.11.2" "MIT Kerberos"
+.TH "K5LOGIN" "5" " " "1.11.3" "MIT Kerberos"
.SH NAME
k5login \- Kerberos V5 acl file for host access
.
-.TH "K5SRVUTIL" "1" " " "1.11.2" "MIT Kerberos"
+.TH "K5SRVUTIL" "1" " " "1.11.3" "MIT Kerberos"
.SH NAME
k5srvutil \- host key table (keytab) manipulation utility
.
-.TH "KADM5.ACL" "5" " " "1.11.2" "MIT Kerberos"
+.TH "KADM5.ACL" "5" " " "1.11.3" "MIT Kerberos"
.SH NAME
kadm5.acl \- Kerberos ACL file
.
-.TH "KADMIN" "1" " " "1.11.2" "MIT Kerberos"
+.TH "KADMIN" "1" " " "1.11.3" "MIT Kerberos"
.SH NAME
kadmin \- Kerberos V5 database administration program
.
.B {\-|+}\fBrequires_preauth\fP
\fB+requires_preauth\fP requires this principal to preauthenticate
before being allowed to kinit. \fB\-requires_preauth\fP clears this
-flag.
+flag. When \fB+requires_preauth\fP is set on a service principal,
+the KDC will only issue service tickets for that service principal
+if the client\(aqs initial authentication was performed using
+preauthentication.
.TP
.B {\-|+}\fBrequires_hwauth\fP
\fB+requires_hwauth\fP requires this principal to preauthenticate
using a hardware device before being allowed to kinit.
-\fB\-requires_hwauth\fP clears this flag.
+\fB\-requires_hwauth\fP clears this flag. When \fB+requires_hwauth\fP is
+set on a service principal, the KDC will only issue service tickets
+for that service principal if the client\(aqs initial authentication was
+performed using a hardware device to preauthenticate.
.TP
.B {\-|+}\fBok_as_delegate\fP
\fB+ok_as_delegate\fP sets the \fBokay as delegate\fP flag on tickets
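Review bot: the sentences added to requires_preauth and requires_hwauth describe the service-principal behaviour but not its consequence for the administrator. Once the flag is set on a service, a client whose initial authentication did not use preauthentication (or a hardware device) will be refused service tickets for it. Suggest stating that explicitly. The unchanged opening sentences still describe the flag only in terms of "being allowed to kinit", so a word marking that part as the client-principal case would keep the two meanings apart.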
-.TH "KADMIND" "8" " " "1.11.2" "MIT Kerberos"
+.TH "KADMIND" "8" " " "1.11.3" "MIT Kerberos"
.SH NAME
kadmind \- KADM5 administration server
.
-.TH "KDB5_LDAP_UTIL" "8" " " "1.11.2" "MIT Kerberos"
+.TH "KDB5_LDAP_UTIL" "8" " " "1.11.3" "MIT Kerberos"
.SH NAME
kdb5_ldap_util \- Kerberos configuration utility
.
-.TH "KDB5_UTIL" "8" " " "1.11.2" "MIT Kerberos"
+.TH "KDB5_UTIL" "8" " " "1.11.3" "MIT Kerberos"
.SH NAME
kdb5_util \- Kerberos database maintenance utility
.
-.TH "KDC.CONF" "5" " " "1.11.2" "MIT Kerberos"
+.TH "KDC.CONF" "5" " " "1.11.3" "MIT Kerberos"
.SH NAME
kdc.conf \- Kerberos V5 KDC configuration file
.
The kdc.conf file supplements \fIkrb5.conf(5)\fP for programs which
are typically only used on a KDC, such as the \fIkrb5kdc(8)\fP and
\fIkadmind(8)\fP daemons and the \fIkdb5_util(8)\fP program.
-Relations documented here may also be specified in krb5.conf.
+Relations documented here may also be specified in krb5.conf; for the
+KDC programs mentioned, krb5.conf and kdc.conf will be merged into a
+single configuration profile.
.sp
Normally, the kdc.conf file is found in the KDC state directory,
\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP. You can override the default location by setting the
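Review bot: "krb5.conf and kdc.conf will be merged into a single configuration profile" does not say which file wins when the same relation is set in both. That is the case an administrator reading this sentence most needs answered, since a security-relevant setting in one file could be silently overridden by the other. Suggest adding the precedence rule here or pointing to where it is documented.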
-.TH "KDESTROY" "1" " " "1.11.2" "MIT Kerberos"
+.TH "KDESTROY" "1" " " "1.11.3" "MIT Kerberos"
.SH NAME
kdestroy \- destroy Kerberos tickets
.
-.TH "KINIT" "1" " " "1.11.2" "MIT Kerberos"
+.TH "KINIT" "1" " " "1.11.3" "MIT Kerberos"
.SH NAME
kinit \- obtain and cache Kerberos ticket-granting ticket
.
-.TH "KLIST" "1" " " "1.11.2" "MIT Kerberos"
+.TH "KLIST" "1" " " "1.11.3" "MIT Kerberos"
.SH NAME
klist \- list cached Kerberos tickets
.
-.TH "KPASSWD" "1" " " "1.11.2" "MIT Kerberos"
+.TH "KPASSWD" "1" " " "1.11.3" "MIT Kerberos"
.SH NAME
kpasswd \- change a user's Kerberos password
.
-.TH "KPROP" "8" " " "1.11.2" "MIT Kerberos"
+.TH "KPROP" "8" " " "1.11.3" "MIT Kerberos"
.SH NAME
kprop \- propagate a Kerberos V5 principal database to a slave server
.
-.TH "KPROPD" "8" " " "1.11.2" "MIT Kerberos"
+.TH "KPROPD" "8" " " "1.11.3" "MIT Kerberos"
.SH NAME
kpropd \- Kerberos V5 slave KDC update server
.
-.TH "KPROPLOG" "8" " " "1.11.2" "MIT Kerberos"
+.TH "KPROPLOG" "8" " " "1.11.3" "MIT Kerberos"
.SH NAME
kproplog \- display the contents of the Kerberos principal update log
.
-.TH "KRB5-CONFIG" "1" " " "1.11.2" "MIT Kerberos"
+.TH "KRB5-CONFIG" "1" " " "1.11.3" "MIT Kerberos"
.SH NAME
krb5-config \- tool for linking against MIT Kerberos libraries
.
-.TH "KRB5.CONF" "5" " " "1.11.2" "MIT Kerberos"
+.TH "KRB5.CONF" "5" " " "1.11.3" "MIT Kerberos"
.SH NAME
krb5.conf \- Kerberos configuration file
.
.INDENT 0.0
.TP
.B \fBallow_weak_crypto\fP
-If this flag is set to false, then weak encryption types will be
-filtered out of the previous three lists (as noted in
-\fIEncryption_and_salt_types\fP in \fIkdc.conf(5)\fP). The
-default value for this tag is false, which may cause
-authentication failures in existing Kerberos infrastructures that
-do not support strong crypto. Users in affected environments
+If this flag is set to false, then weak encryption types (as noted in
+\fIEncryption_and_salt_types\fP in \fIkdc.conf(5)\fP) will be filtered
+out of the lists \fBdefault_tgs_enctypes\fP, \fBdefault_tkt_enctypes\fP, and
+\fBpermitted_enctypes\fP. The default value for this tag is false, which
+may cause authentication failures in existing Kerberos infrastructures
+that do not support strong crypto. Users in affected environments
should set this tag to true until their infrastructure adopts
stronger ciphers.
.TP
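Review bot: the rewritten allow_weak_crypto paragraph calls the setting a "flag" in "If this flag is set to false" and a "tag" in "The default value for this tag is false"; pick one term while the text is being reworked. Now that the three lists are named, the closing advice to set the value to true could also say that doing so lets weak enctypes back into default_tgs_enctypes, default_tkt_enctypes and permitted_enctypes alike, so readers see the scope of what they are enabling.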
-.TH "KRB5KDC" "8" " " "1.11.2" "MIT Kerberos"
+.TH "KRB5KDC" "8" " " "1.11.3" "MIT Kerberos"
.SH NAME
krb5kdc \- Kerberos V5 KDC
.
-.TH "KSU" "1" " " "1.11.2" "MIT Kerberos"
+.TH "KSU" "1" " " "1.11.3" "MIT Kerberos"
.SH NAME
ksu \- Kerberized super-user
.
-.TH "KSWITCH" "1" " " "1.11.2" "MIT Kerberos"
+.TH "KSWITCH" "1" " " "1.11.3" "MIT Kerberos"
.SH NAME
kswitch \- switch primary ticket cache
.
-.TH "KTUTIL" "1" " " "1.11.2" "MIT Kerberos"
+.TH "KTUTIL" "1" " " "1.11.3" "MIT Kerberos"
.SH NAME
ktutil \- Kerberos keytab file maintenance utility
.
-.TH "KVNO" "1" " " "1.11.2" "MIT Kerberos"
+.TH "KVNO" "1" " " "1.11.3" "MIT Kerberos"
.SH NAME
kvno \- print key version numbers of Kerberos principals
.
-.TH "SCLIENT" "1" " " "1.11.2" "MIT Kerberos"
+.TH "SCLIENT" "1" " " "1.11.3" "MIT Kerberos"
.SH NAME
sclient \- sample Kerberos version 5 client
.
-.TH "SSERVER" "8" " " "1.11.2" "MIT Kerberos"
+.TH "SSERVER" "8" " " "1.11.3" "MIT Kerberos"
.SH NAME
sserver \- sample Kerberos version 5 server
.
*/
#define KRB5_MAJOR_RELEASE 1
#define KRB5_MINOR_RELEASE 11
-#define KRB5_PATCHLEVEL 2
-#define KRB5_RELTAIL "postrelease"
+#define KRB5_PATCHLEVEL 3
+/* #undef KRB5_RELTAIL */
/* #undef KRB5_RELDATE */
-#define KRB5_RELTAG "krb5-1.11"
+#define KRB5_RELTAG "krb5-1.11.3-final"
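Review bot: KRB5_RELTAIL goes from "postrelease" to undefined and KRB5_RELTAG from "krb5-1.11" to "krb5-1.11.3-final", so this header now marks the tree as the final release and needs the matching change back to the branch values right after tagging, otherwise later builds from the branch will identify themselves as 1.11.3 final. KRB5_RELDATE also stays undefined although the README hunk records 2013-06-03; if that is deliberate, a short comment would save the next release manager from wondering.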