From: Greg Hudson Date: Thu, 13 Apr 2023 16:27:03 +0000 (-0400) Subject: Update features list for 1.21 X-Git-Tag: krb5-1.21-beta1~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=49d6ae210d3b376f3263b171709e75fd74b9dd8b;p=thirdparty%2Fkrb5.git Update features list for 1.21 --- diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst index ca2d6ef117..10effcf175 100644 --- a/doc/mitK5features.rst +++ b/doc/mitK5features.rst @@ -642,6 +642,48 @@ Release 1.20 - Converted the remaining Tcl tests to Python. +Release 1.21 + +* User experience: + + - Added a credential cache type providing compatibility with the + macOS 11 native credential cache. + +* Developer experience: + + - libkadm5 will use the provided krb5_context object to read + configuration values, instead of creating its own. + + - Added an interface to retrieve the ticket session key from a GSS + context. + +* Protocol evolution: + + - The KDC will no longer issue tickets with RC4 or triple-DES + session keys unless explicitly configured with the new allow_rc4 + or allow_des3 variables respectively. + + - The KDC will assume that all services can handle aes256-sha1 + session keys unless the service principal has a session_enctypes + string attribute. + + - Support for PAC full KDC checksums has been added to mitigate an + S4U2Proxy privilege escalation attack. + + - The PKINIT client will advertise a more modern set of supported + CMS algorithms. + +* Code quality: + + - Removed unused code in libkrb5, libkrb5support, and the PKINIT + module. + + - Modernized the KDC code for processing TGS requests, the code for + encrypting and decrypting key data, the PAC handling code, and the + GSS library packet parsing and composition code. + + - Improved the test framework's detection of memory errors in daemon + processes when used with asan. `Pre-authentication mechanisms`
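Review bot: In the "Protocol evolution" entries, the RC4/triple-DES item names the new `allow_rc4` and `allow_des3` variables without saying which configuration file or section they belong in, so an administrator reading the features list cannot act on it without searching the rest of the documentation. Suggest naming the location or cross-referencing the configuration documentation there, and doing the same for the `session_enctypes` string attribute in the next item, since both entries describe a change in KDC default behaviour that can affect services still relying on older session key types. The PAC item ("to mitigate an S4U2Proxy privilege escalation attack") would also benefit from a reference identifying the attack, so readers can judge whether their deployment is exposed.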