info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
krb5-1.20 is released
18 views
Skip to first unread message
Greg Hudson
May 26, 2022, 6:38:06 PM5/26/22
to kerberos...@mit.edu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.20. Please see below for a list of some major changes
included, or consult the README file in the source tree for a more
detailed list of significant changes.
RETRIEVING KERBEROS 5 RELEASE 1.20
==================================
You may retrieve the Kerberos 5 Release 1.20 source from the
following URL:
https://kerberos.org/dist/
The homepage for the krb5-1.20 release is:
https://web.mit.edu/kerberos/krb5-1.20/
Further information about Kerberos 5 may be found at the following
URL:
https://web.mit.edu/kerberos/
and at the MIT Kerberos Consortium web site:
https://www.kerberos.org/
PAC transition
==============
Beginning with release 1.20, the KDC will include minimal PACs in
tickets instead of AD-SIGNEDPATH authdata. S4U requests (protocol
transition and constrained delegation) must now contain valid PACs in
the incoming tickets. If only some KDCs in a realm have been upgraded
across version 1.20, the upgraded KDCs will reject S4U requests
containing tickets from non-upgraded KDCs and vice versa.
Triple-DES transition
=====================
Beginning with the krb5-1.19 release, a warning will be issued if
initial credentials are acquired using the des3-cbc-sha1 encryption
type. In future releases, this encryption type will be disabled by
default and eventually removed.
Beginning with the krb5-1.18 release, single-DES encryption types have
been removed.
Major changes in 1.20 (2022-05-26)
==================================
Administrator experience:
* Added a "disable_pac" realm relation to suppress adding PAC authdata
to tickets, for realms which do not need to support S4U requests.
* Most credential cache types will use atomic replacement when a cache
is reinitialized using kinit or refreshed from the client keytab.
* kprop can now propagate databases with a dump size larger than 4GB,
if both the client and server are upgraded.
* kprop can now work over NATs that change the destination IP address,
if the client is upgraded.
Developer experience:
* Updated the KDB interface. The sign_authdata() method is replaced
with the issue_pac() method, allowing KDB modules to add logon info
and other buffers to the PAC issued by the KDC.
* Host-based initiator names are better supported in the GSS krb5
mechanism.
Protocol evolution:
* Replaced AD-SIGNEDPATH authdata with minimal PACs.
* To avoid spurious replay errors, password change requests will not
be attempted over UDP until the attempt over TCP fails.
* PKINIT will sign its CMS messages with SHA-256 instead of SHA-1.
Code quality:
* Updated all code using OpenSSL to be compatible with OpenSSL 3.
* Reorganized the libk5crypto build system to allow the OpenSSL
back-end to pull in material from the builtin back-end depending on
the OpenSSL version.
* Simplified the PRNG logic to always use the platform PRNG.
* Converted the remaining Tcl tests to Python.
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmKQAGgACgkQDLoIV1+D
ct9NnBAAxbuqwI/OQrXdCnMZyMMD3Oc4ODvx+5Zmt93owaZ4RSx6WwS8FNIlcFjX
C47JbF79uwh817GMGJUCdnH7pI+hxzBmxxs1F0j+7nLWF+vDs9mPHxMkWOiY9ZNu
8ADE3XRyHSgGOOb0zbndPS3RsbYnsHMQfbtNIbxNIJfyTF32wmPrsuGlhhEKEzu2
7m8V8DBfL5PwMLefsl8Mu45xqD8II7eg5HjIe7kmEbGseDS2C5XOrj4ieWm++0Pc
dfl1eHKyuCWkUaJyBBjIGRe+WL8D/OKRkXrtIgMcX7AwFdnRrMDqDduoD9vNQvGE
4PNcORkCdw4R7UWv2qXOvoxHKz/Bv6ctkd94FRsGoJrFeOIf+0L53y2Zf+s+ntVC
p70glQhcAZr/wdKPm2V1QmuIib+y7bZRBcIcbmEZcjexQaIzUHFdwMzm3Y8MAGJu
h8GZ7tktGAQWdgUKRFP2ZlDnUEl6a7GgmoOyUcgo2RxDgiunBcdgLVNeVkkEZCPv
xKdntPgcgrObb6J73JfHZLWBZ6bMpaEm9MziEP50ZvITlD2Q+CxyCJo9fbgqvhXf
z6JaNiVWR0blHGpQA8eeUW6bToEjndYPumxbGyRRfTIpcaAZYyeY9MFBiDJmDM98
U4oPRd15Ws1swsuc+EsJKUo+OiCLj7saF87WSE2Kke+SOfo8evA=
=aPCW
-----END PGP SIGNATURE-----
_______________________________________________
kerberos-announce mailing list
kerberos...@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos-announce
Hash: SHA512
The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.20. Please see below for a list of some major changes
included, or consult the README file in the source tree for a more
detailed list of significant changes.
RETRIEVING KERBEROS 5 RELEASE 1.20
==================================
You may retrieve the Kerberos 5 Release 1.20 source from the
following URL:
https://kerberos.org/dist/
The homepage for the krb5-1.20 release is:
https://web.mit.edu/kerberos/krb5-1.20/
Further information about Kerberos 5 may be found at the following
URL:
https://web.mit.edu/kerberos/
and at the MIT Kerberos Consortium web site:
https://www.kerberos.org/
PAC transition
==============
Beginning with release 1.20, the KDC will include minimal PACs in
tickets instead of AD-SIGNEDPATH authdata. S4U requests (protocol
transition and constrained delegation) must now contain valid PACs in
the incoming tickets. If only some KDCs in a realm have been upgraded
across version 1.20, the upgraded KDCs will reject S4U requests
containing tickets from non-upgraded KDCs and vice versa.
Triple-DES transition
=====================
Beginning with the krb5-1.19 release, a warning will be issued if
initial credentials are acquired using the des3-cbc-sha1 encryption
type. In future releases, this encryption type will be disabled by
default and eventually removed.
Beginning with the krb5-1.18 release, single-DES encryption types have
been removed.
Major changes in 1.20 (2022-05-26)
==================================
Administrator experience:
* Added a "disable_pac" realm relation to suppress adding PAC authdata
to tickets, for realms which do not need to support S4U requests.
* Most credential cache types will use atomic replacement when a cache
is reinitialized using kinit or refreshed from the client keytab.
* kprop can now propagate databases with a dump size larger than 4GB,
if both the client and server are upgraded.
* kprop can now work over NATs that change the destination IP address,
if the client is upgraded.
Developer experience:
* Updated the KDB interface. The sign_authdata() method is replaced
with the issue_pac() method, allowing KDB modules to add logon info
and other buffers to the PAC issued by the KDC.
* Host-based initiator names are better supported in the GSS krb5
mechanism.
Protocol evolution:
* Replaced AD-SIGNEDPATH authdata with minimal PACs.
* To avoid spurious replay errors, password change requests will not
be attempted over UDP until the attempt over TCP fails.
* PKINIT will sign its CMS messages with SHA-256 instead of SHA-1.
Code quality:
* Updated all code using OpenSSL to be compatible with OpenSSL 3.
* Reorganized the libk5crypto build system to allow the OpenSSL
back-end to pull in material from the builtin back-end depending on
the OpenSSL version.
* Simplified the PRNG logic to always use the platform PRNG.
* Converted the remaining Tcl tests to Python.
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmKQAGgACgkQDLoIV1+D
ct9NnBAAxbuqwI/OQrXdCnMZyMMD3Oc4ODvx+5Zmt93owaZ4RSx6WwS8FNIlcFjX
C47JbF79uwh817GMGJUCdnH7pI+hxzBmxxs1F0j+7nLWF+vDs9mPHxMkWOiY9ZNu
8ADE3XRyHSgGOOb0zbndPS3RsbYnsHMQfbtNIbxNIJfyTF32wmPrsuGlhhEKEzu2
7m8V8DBfL5PwMLefsl8Mu45xqD8II7eg5HjIe7kmEbGseDS2C5XOrj4ieWm++0Pc
dfl1eHKyuCWkUaJyBBjIGRe+WL8D/OKRkXrtIgMcX7AwFdnRrMDqDduoD9vNQvGE
4PNcORkCdw4R7UWv2qXOvoxHKz/Bv6ctkd94FRsGoJrFeOIf+0L53y2Zf+s+ntVC
p70glQhcAZr/wdKPm2V1QmuIib+y7bZRBcIcbmEZcjexQaIzUHFdwMzm3Y8MAGJu
h8GZ7tktGAQWdgUKRFP2ZlDnUEl6a7GgmoOyUcgo2RxDgiunBcdgLVNeVkkEZCPv
xKdntPgcgrObb6J73JfHZLWBZ6bMpaEm9MziEP50ZvITlD2Q+CxyCJo9fbgqvhXf
z6JaNiVWR0blHGpQA8eeUW6bToEjndYPumxbGyRRfTIpcaAZYyeY9MFBiDJmDM98
U4oPRd15Ws1swsuc+EsJKUo+OiCLj7saF87WSE2Kke+SOfo8evA=
=aPCW
-----END PGP SIGNATURE-----
_______________________________________________
kerberos-announce mailing list
kerberos...@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos-announce
Todd Heron
May 29, 2022, 6:42:11 AM5/29/22
to
Will this release bake into the Microsoft Windows Active Directory version of Kerberos, which uses Kerberos v5?
0 new messages