License - :ref:`mitK5license`
Releases:
- - Latest stable: https://web.mit.edu/kerberos/krb5-1.17/
- - Supported: https://web.mit.edu/kerberos/krb5-1.16/
- - Release cycle: 9 -- 12 months
+ - Latest stable: https://web.mit.edu/kerberos/krb5-1.20/
+ - Supported: https://web.mit.edu/kerberos/krb5-1.19/
+ - Release cycle: approximately 12 months
Supported platforms \/ OS distributions:
- Windows (KfW 4.0): Windows 7, Vista, XP
krb4 support: Kerberos 5 release < 1.8
-DES support: configurable (See :ref:`retiring-des`)
+DES support: Kerberos 5 release < 1.18 (See :ref:`retiring-des`)
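Review bot: the new line "DES support: Kerberos 5 release < 1.18" turns a configurable statement into a hard release cutoff, so it must agree with the 1.18 section added further down in this same change ("Remove support for single-DES encryption types"); it does, but the two should be kept together if either is edited again. The context line "Windows (KfW 4.0): Windows 7, Vista, XP" is left untouched while the release pointers move to krb5-1.20 and krb5-1.19; confirm that platform line still reflects what the project supports before this merges, otherwise the page advertises current releases next to a stale platform list. "Release cycle: approximately 12 months" replacing "9 -- 12 months" is fine as long as it matches the project's published cadence.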
Interoperability
----------------
- Plugin to test password quality :ref:`pwqual_plugin`
- Plugin to synchronize password changes :ref:`kadm5_hook_plugin`
- Parallel KDC
- - GSS-API extentions for SASL GS2 bridge :rfc:`5801` :rfc:`5587`
+ - GSS-API extensions for SASL GS2 bridge :rfc:`5801` :rfc:`5587`
- Purging old keys
- Naming extensions for delegation chain
- Password expiration API
protocol.
- Add support for `hierarchical incremental propagation
<https://k5wiki.kerberos.org/wiki/Projects/Hierarchical_iprop>`_,
- where replicas can act as intermediates between an upstream master
+ where replicas can act as intermediates between an upstream primary
and other downstream replicas.
- Add support for configuring GSS mechanisms using
``/etc/gss/mech.d/*.conf`` files in addition to
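Review bot: the rename at "where replicas can act as intermediates between an upstream primary" is a prose-only change and is consistent with the "replica" wording already on that line; the external link target `Hierarchical_iprop` is a URL slug and is correctly left alone. Because the same rename is applied piecemeal in several hunks of this file (the Performance entry and the URI-records entry are also updated), a final search for the old term across the file before merging would confirm nothing is left half-renamed.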
* Performance:
- - On replica KDCs, poll the master KDC immediately after processing
- a full resync, and do not require two full resyncs after the
- master KDC's log file is reset.
+ - On replica KDCs, poll the primary KDC immediately after
+ processing a full resync, and do not require two full resyncs
+ after the primary KDC's log file is reset.
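Review bot: the replacement rewraps the whole entry ("poll the primary KDC immediately after" / "processing a full resync, and do not require two full resyncs") rather than changing only the renamed word, so the diff is larger than the one-word change it carries; that is harmless for reStructuredText, which ignores wrapping inside a list item, but the continuation lines must keep the same indentation as the item's first line, and leading whitespace is not preserved in this view, so that should be checked in the raw patch.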
Release 1.15
- Add DNS auto-discovery of KDC and kpasswd servers from URI
records, in addition to SRV records. URI records can convey TCP
- and UDP servers and master KDC status in a single DNS lookup, and
+ and UDP servers and primary KDC status in a single DNS lookup, and
can also point to HTTPS proxy servers.
- Add support for password history to the LDAP back end.
unused Windows-specific code has been removed. Visual Studio 2013
or later is now required.
+Release 1.18
+
+* Administrator experience:
+
+ - Remove support for single-DES encryption types.
+
+ - Change the replay cache format to be more efficient and robust.
+ Replay cache filenames using the new format end with ``.rcache2``
+ by default.
+
+ - setuid programs will automatically ignore environment variables
+ that normally affect krb5 API functions, even if the caller does
+ not use krb5_init_secure_context().
+
+ - Add an ``enforce_ok_as_delegate`` krb5.conf relation to disable
+ credential forwarding during GSSAPI authentication unless the KDC
+ sets the ok-as-delegate bit in the service ticket.
+
+* Developer experience:
+
+ - Implement krb5_cc_remove_cred() for all credential cache types.
+
+ - Add the krb5_pac_get_client_info() API to get the client account
+ name from a PAC.
+
+* Protocol evolution:
+
+ - Add KDC support for S4U2Self requests where the user is identified
+ by X.509 certificate. (Requires support for certificate lookup
+ from a third-party KDB module.)
+
+ - Remove support for an old ("draft 9") variant of PKINIT.
+
+ - Add support for Microsoft NegoEx. (Requires one or more
+ third-party GSS modules implementing NegoEx mechanisms.)
+
+* User experience:
+
+ - Add support for ``dns_canonicalize_hostname=fallback``, causing
+ host-based principal names to be tried first without DNS
+ canonicalization, and again with DNS canonicalization if the
+ un-canonicalized server is not found.
+
+ - Expand single-component hostnames in hhost-based principal names
+ when DNS canonicalization is not used, adding the system's first
+ DNS search path as a suffix. Add a ``qualify_shortname``
+ krb5.conf relation to override this suffix or disable expansion.
+
+* Code quality:
+
+ - The libkrb5 serialization code (used to export and import krb5 GSS
+ security contexts) has been simplified and made type-safe.
+
+ - The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
+ messages has been revised to conform to current coding practices.
+
+ - The test suite has been modified to work with macOS System
+ Integrity Protection enabled.
+
+ - The test suite incorporates soft-pkcs11 so that PKINIT PKCS11
+ support can always be tested.
+
+Release 1.19
+
+* Administrator experience:
+
+ - When a client keytab is present, the GSSAPI krb5 mech will refresh
+ credentials even if the current credentials were acquired
+ manually.
+
+ - It is now harder to accidentally delete the K/M entry from a KDB.
+
+* Developer experience:
+
+ - gss_acquire_cred_from() now supports the "password" and "verify"
+ options, allowing credentials to be acquired via password and
+ verified using a keytab key.
+
+ - When an application accepts a GSS security context, the new
+ GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor
+ both provided matching channel bindings.
+
+ - Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self
+ requests to identify the desired client principal by certificate.
+
+ - PKINIT certauth modules can now cause the hw-authent flag to be
+ set in issued tickets.
+
+ - The krb5_init_creds_step() API will now issue the same password
+ expiration warnings as krb5_get_init_creds_password().
+
+* Protocol evolution:
+
+ - Added client and KDC support for Microsoft's Resource-Based
+ Constrained Delegation, which allows cross-realm S4U2Proxy
+ requests. A third-party database module is required for KDC
+ support.
+
+ - kadmin/admin is now the preferred server principal name for kadmin
+ connections, and the host-based form is no longer created by
+ default. The client will still try the host-based form as a
+ fallback.
+
+ - Added client and server support for Microsoft's
+ KERB_AP_OPTIONS_CBT extension, which causes channel bindings to be
+ required for the initiator if the acceptor provided them. The
+ client will send this option if the client_aware_gss_bindings
+ profile option is set.
+
+User experience:
+
+ - The default setting of dns_canonicalize_realm is now "fallback".
+ Hostnames provided from applications will be tried in principal
+ names as given (possibly with shortname qualification), falling
+ back to the canonicalized name.
+
+ - kinit will now issue a warning if the des3-cbc-sha1 encryption
+ type is used in the reply. This encryption type will be
+ deprecated and removed in future releases.
+
+ - Added kvno flags --out-cache, --no-store, and --cached-only
+ (inspired by Heimdal's kgetcred).
+
+Release 1.20
+
+* Administrator experience:
+
+ - Added a "disable_pac" realm relation to suppress adding PAC
+ authdata to tickets, for realms which do not need to support S4U
+ requests.
+
+ - Most credential cache types will use atomic replacement when a
+ cache is reinitialized using kinit or refreshed from the client
+ keytab.
+
+ - kprop can now propagate databases with a dump size larger than
+ 4GB, if both the client and server are upgraded.
+
+ - kprop can now work over NATs that change the destination IP
+ address, if the client is upgraded.
+
+* Developer experience:
+
+ - Updated the KDB interface. The sign_authdata() method is replaced
+ with the issue_pac() method, allowing KDB modules to add logon
+ info and other buffers to the PAC issued by the KDC.
+
+ - Host-based initiator names are better supported in the GSS krb5
+ mechanism.
+
+* Protocol evolution:
+
+ - Replaced AD-SIGNEDPATH authdata with minimal PACs.
+
+ - To avoid spurious replay errors, password change requests will not
+ be attempted over UDP until the attempt over TCP fails.
+
+ - PKINIT will sign its CMS messages with SHA-256 instead of SHA-1.
+
+* Code quality:
+
+ - Updated all code using OpenSSL to be compatible with OpenSSL 3.
+
+ - Reorganized the libk5crypto build system to allow the OpenSSL
+ back-end to pull in material from the builtin back-end depending
+ on the OpenSSL version.
+
+ - Simplified the PRNG logic to always use the platform PRNG.
+
+ - Converted the remaining Tcl tests to Python.
+
+
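Review bot: the 1.19 "User experience" entry "The default setting of dns_canonicalize_realm is now "fallback"" names a relation that does not match the one documented in the 1.18 section of this same hunk ("Add support for ``dns_canonicalize_hostname=fallback``"); the 1.19 text describes hostnames being tried as given and then canonicalized, which is the hostname relation, so the name here should be corrected to match. Two smaller defects in the added text: "hhost-based principal names" in the 1.18 shortname entry is a typo for "host-based", and "User experience:" in the 1.19 section lacks the "* " bullet that every other heading in these sections uses ("* Administrator experience:", "* User experience:" in 1.18), so it will not render as a list item. Markup for configuration names is also inconsistent within the hunk: ``enforce_ok_as_delegate`` and ``qualify_shortname`` use literal markup, "disable_pac" uses quotes, and dns_canonicalize_hostname, client_aware_gss_bindings and the kvno flags are bare; pick one style (the double-backtick form already used) for all of them. Finally, the hunk ends with two consecutive empty added lines before the next section, one of which should be dropped.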
`Pre-authentication mechanisms`
- PW-SALT :rfc:`4120#section-5.2.7.3`
- S4U-X509-USER (release 1.8) https://msdn.microsoft.com/en-us/library/cc246091
- OTP (release 1.12) :ref:`otp_preauth`
- SPAKE (release 1.17) :ref:`spake`
-
-`PRNG`
-
-- modularity (release 1.9)
-- Yarrow PRNG (release < 1.10)
-- Fortuna PRNG (release 1.9) https://www.schneier.com/book-practical.html
-- OS PRNG (release 1.10) OS's native PRNG
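Review bot: deleting the whole PRNG section removes per-release history ("modularity (release 1.9)", "Yarrow PRNG (release < 1.10)", "Fortuna PRNG (release 1.9)") that the neighbouring "Pre-authentication mechanisms" section still keeps for its own entries such as "S4U-X509-USER (release 1.8)" and "SPAKE (release 1.17)". If the intent is to reflect the 1.20 entry "Simplified the PRNG logic to always use the platform PRNG", a single retained line such as "OS PRNG (release 1.10, the only backend since 1.20)" would preserve the release history and make the section's style consistent with the rest of the file; if the intent is to drop the history entirely, the commit message should say so.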