From: Greg Hudson Date: Tue, 6 May 2025 02:28:11 +0000 (-0400) Subject: Update README for krb5-1.22 X-Git-Tag: krb5-1.22-beta1~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=20792b7d752678e5d8c71abb0b92cabaec0a695b;p=thirdparty%2Fkrb5.git Update README for krb5-1.22 --- diff --git a/README b/README index 2c1478e2dc..58c343ec25 100644 --- a/README +++ b/README 
@@ -100,9 +100,130 @@ encryption types has been removed. Major changes in 1.22 --------------------- +User experience: + +* The libdefaults configuration variable "request_timeout" can be set + to limit the total timeout for KDC requests. When making a KDC + request, the client will now wait indefinitely (or until the request + timeout has elapsed) on a KDC which accepts a TCP connection, + without contacting any additional KDCs. Clients will make fewer DNS + queries in some configurations. + +* The realm configuration variable "sitename" can be set to cause the + client to query site-specific DNS records when making KDC requests. + +Administrator experience: + +* Principal aliases are supported in the DB2 and LMDB KDB modules and + in the kadmin protocol. (The LDAP KDB module has supported aliases + since release 1.7.) + +* UNIX domain sockets are supported for the Kerberos and kpasswd + protocols. + +* systemd socket activation is supported for krb5kdc and kadmind. + +Developer experience: + +* KDB modules can be be implemented in terms of other modules using + the new krb5_db_load_module() function. + +* The profile library supports the modification of empty profiles and + the copying of modified profiles, making it possible to construct an + in-memory profile and pass it to krb5_init_context_profile(). + +* GSS-API applications can pass the GSS_C_CHANNEL_BOUND flag to + gss_init_sec_context() to request strict enforcement of channel + bindings by the acceptor. + +Protocol evolution: + +* The PKINIT preauth module supports elliptic curve client + certificates, ECDH key exchange, and the Microsoft paChecksum2 + field. + +* The IAKERB implementation has been changed to comply with the most + recent draft standard and to support realm discovery. + +* Message-Authenticator is supported in the RADIUS implementation used + by the OTP kdcpreauth module. 
+ +Code quality: + +* Removed old-style function declarations, to accomodate compilers + which have removed support for them. + +* Added OSS-Fuzz to the project's continuous integration + infrastructure. + +* Rewrote the GSS per-message token parsing code for improved safety. + krb5-1.22 changes by ticket ID ------------------------------ +7721 Primary KDC lookups happen sooner than necessary +7899 Client waits before moving on after KDC_ERR_SVC_UNAVAILABLE +8618 ksu doesn't exit nonzero +9094 Get arm64-windows builds working +9095 PKINIT ECDH support +9096 Enable PKINIT if at least one group is available +9100 Add ecdsa-with-sha512/256 to supportedCMSTypes +9105 Wait indefinitely on KDC TCP connections +9106 Add request_timeout configuration parameter +9108 Remove PKINIT RSA support +9110 profile library null dereference when modifying empty profile +9111 Correct PKINIT EC cert signature metadata +9112 Support PKCS11 EC client certs in PKINIT +9113 Improve PKCS11 error reporting in PKINIT +9114 Build fails with link-time optimization +9116 Improve error message for DES kadmin/history key +9118 profile write operation interactions with reloading +9119 Make profile_copy() work on dirty profiles +9120 profile final flag limitations +9121 Don't flush libkrb5 context profiles +9122 Add GSS flag to include KERB_AP_OPTIONS_CBT +9123 Correct IAKERB protocol implementation +9124 Support site-local KDC discovery via DNS +9126 Handle empty initial buffer in IAKERB initiator +9130 make krb5_get_default_config_files public +9131 Adjust removed cred detection in FILE ccache +9132 Change krb5_get_credentials() endtime behavior +9133 Add acceptor-side IAKERB realm discovery +9135 Replace Windows installer FilesInUse dialog text +9139 Block library unloading to avoid finalizer races +9141 Fix krb5_crypto_us_timeofday() microseconds check +9142 Generate and verify message MACs in libkrad +9143 Fix memory leak in PAC checksum verification +9144 Fix potential PAC processing crash 
+9145 Prevent late initialization of GSS error map +9146 Allow null keyblocks in IOV checksum functions +9147 Add numeric constants to krad.h and use them +9148 Fix krb5_ldap_list_policy() filtering loop +9149 Use getentropy() when available +9151 Add kadmind support for disabling listening +9152 Default kdc_tcp_listen to kdc_listen value +9153 Fix LDAP module leak on authentication error +9154 Components of the X509_user_identity string cannot contain ':' +9155 UNIX domain socket support +9156 Allow KDB module stacking +9157 Add support for systemd socket activation +9158 Set missing mask flags for kdb5_util operations +9159 Prevent overflow when calculating ulog block size +9160 Allow only one salt type per enctype in key data +9161 Improve ulog block resize efficiency +9162 Build PKINIT on Windows +9163 Add alias support +9164 Add database format documentation +9165 Display NetBIOS ticket addresses in klist +9166 Add PKINIT paChecksum2 from MS-PKCA v20230920 +9167 Add initiator-side IAKERB realm discovery +9168 Fix IAKERB accept_sec_context null pointer crash +9169 Fix IAKERB error handling +9170 Avoid gss_inquire_attrs_for_mech() null outputs +9171 Fix getsockname() call in Windows localaddr +9172 Check lengths in xdr_krb5_key_data() +9173 Limit -keepold for self-service key changes + Acknowledgements ---------------- @@ -219,6 +340,7 @@ reports, suggestions, and valuable resources: Toby Blake Radoslav Bodo Alexander Bokovoy + Zoltan Borbely Sumit Bose Emmanuel Bouillon Isaac Boukris @@ -229,6 +351,7 @@ reports, suggestions, and valuable resources: Michael Calmer Andrea Campi Julien Chaffraix + Jacob Champion Puran Chand Ravi Channavajhala Srinivas Cheruku @@ -239,6 +362,7 @@ reports, suggestions, and valuable resources: Andrea Cirulli Christopher D. Clausen Kevin Coffman + Gerald Combs Simon Cooper Sylvain Cortes Ian Crowther 
@@ -248,6 +372,7 @@ reports, suggestions, and valuable resources: Nalin Dahyabhai Mark Davies Dennis Davis + Rull Deef Alex Dehnert Misty De Meo Mark Deneen @@ -265,6 +390,7 @@ reports, suggestions, and valuable resources: Peter Eriksson Juha Erkkilä Gilles Espinasse + Valery Fedorenko Sergey Fedorov Ronni Feldt Bill Fellows @@ -278,6 +404,7 @@ reports, suggestions, and valuable resources: Oliver Freyermuth Ákos Frohner Sebastian Galiano + Ilya Gladyshev Marcus Granado Dylan Gray Norm Green @@ -285,6 +412,7 @@ reports, suggestions, and valuable resources: Helmut Grohne Steve Grubb Philip Guenther + Feng Guo Timo Gurr Dominic Hargreaves Robbie Harwood @@ -324,6 +452,7 @@ reports, suggestions, and valuable resources: Martin Kittel Thomas Klausner Tomasz Kłoczko + Ivan Korytov Matthew Krupcale Mikkel Kruse Reinhard Kugler @@ -356,15 +485,19 @@ reports, suggestions, and valuable resources: Alexey Melnikov Ivan A. Melnikov Franklyn Mendez + Stefan Metzmacher Mantas Mikulėnas Markus Moeller Kyle Moffett + Jon Moore Paul Moore Keiichi Mori Michael Morony + Robert Morris Sam Morris Zbysek Mraz Edward Murrell + Bahaa Naamneh Joshua Neuheisel Nikos Nikoleris Demi Obenour @@ -402,6 +535,7 @@ reports, suggestions, and valuable resources: Jens Schleusener Ryan Schmidt Andreas Schneider + Eli Schwartz Paul Seyfert Tom Shaw Jim Shi @@ -410,11 +544,13 @@ reports, suggestions, and valuable resources: Richard Silverman Cel Skeggs Simo Sorce + Anthony Sottile Michael Spang Michael Ströder Bjørn Tore Sund Ondřej Surý Joseph Sutton + Alexey Tikhonov Joe Travaglini Sergei Trofimovich Greg Troxel
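Review bot: Two typos in the new "Major changes in 1.22" text of the first hunk: "can be be implemented" under Developer experience should read "can be implemented", and "accomodate" under Code quality should read "accommodate". Separately, ticket 9108 "Remove PKINIT RSA support" in the per-ticket list is a compatibility-affecting change that the narrative bullets do not mention; consider adding a sentence to the PKINIT bullet under Protocol evolution stating which RSA functionality was removed so administrators with existing PKINIT deployments can check their configuration before upgrading.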