author | Cy Schubert <cy@FreeBSD.org> | 2020-02-19 02:42:55 +0000 |
---|---|---|
committer | Cy Schubert <cy@FreeBSD.org> | 2020-02-19 02:42:55 +0000 |
commit | 191d528d94725f80024feb03aa8764c3e4531891 (patch) | |
tree | e02c4848492b866e959bd4f409cdfa613a3d0460 /security/Makefile | |
parent | 37f3668a5106868772781a4f8d135a1ecf6b0d4d (diff) | |
download | ports-191d528d94725f80024feb03aa8764c3e4531891.tar.gz ports-191d528d94725f80024feb03aa8764c3e4531891.zip |
Welcome the new KRB5 1.18 (krb5-118)
In addition, deprecate krb5-116 to retire one year after the release
of krb5-118: Feb 12, 2021.
Major changes in 1.18 (2020-02-12)
==================================
Administrator experience:
* Remove support for single-DES encryption types.
* Change the replay cache format to be more efficient and robust.
Replay cache filenames using the new format end with ".rcache2" by
default.
* setuid programs will automatically ignore environment variables that
normally affect krb5 API functions, even if the caller does not use
krb5_init_secure_context().
* Add an "enforce_ok_as_delegate" krb5.conf relation to disable
credential forwarding during GSSAPI authentication unless the KDC
sets the ok-as-delegate bit in the service ticket.
* Use the permitted_enctypes krb5.conf setting as the default value
for default_tkt_enctypes and default_tgs_enctypes.
Developer experience:
* Implement krb5_cc_remove_cred() for all credential cache types.
* Add the krb5_pac_get_client_info() API to get the client account
name from a PAC.
Protocol evolution:
* Add KDC support for S4U2Self requests where the user is identified
by X.509 certificate. (Requires support for certificate lookup from
a third-party KDB module.)
* Remove support for an old ("draft 9") variant of PKINIT.
* Add support for Microsoft NegoEx. (Requires one or more third-party
GSS modules implementing NegoEx mechanisms.)
* Honor the transited-policy-checked ticket flag on application
servers, eliminating the requirement to configure capaths on
servers in some scenarios.
User experience:
* Add support for "dns_canonicalize_hostname=fallback", causing
host-based principal names to be tried first without DNS
canonicalization, and again with DNS canonicalization if the
un-canonicalized server is not found.
* Expand single-component hostnames in host-based principal names when
DNS canonicalization is not used, adding the system's first DNS
search path as a suffix. Add a "qualify_shortname" krb5.conf
relation to override this suffix or disable expansion.
Code quality:
* The libkrb5 serialization code (used to export and import krb5 GSS
security contexts) has been simplified and made type-safe.
* The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
messages has been revised to conform to current coding practices.
* The test suite has been modified to work with macOS System Integrity
Protection enabled.
* The test suite incorporates soft-pkcs11 so that PKINIT PKCS11
support can always be tested.
Notes:
svn path=/head/; revision=526479
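The new krb5.conf relations named in the release notes above (enforce_ok_as_delegate, dns_canonicalize_hostname=fallback, qualify_shortname, and permitted_enctypes now seeding the default enctype lists), collected into one [libdefaults] fragment. This is an added example, not part of this commit or of the MIT krb5 distribution; the realm, domain suffix and enctype list are constructed values for illustration.

```ini
[libdefaults]
    ; constructed example realm
    default_realm = EXAMPLE.ORG

    ; 1.18: try the host-based principal without DNS canonicalization first,
    ; and fall back to the canonicalized name only if that principal is unknown
    dns_canonicalize_hostname = fallback

    ; 1.18: suffix appended to single-component hostnames when DNS
    ; canonicalization is not used (constructed suffix; set to "" to disable expansion)
    qualify_shortname = example.org

    ; 1.18: refuse to forward TGT credentials over GSSAPI unless the KDC
    ; marked the service ticket ok-as-delegate (limits credential exposure
    ; to services the KDC administrator explicitly trusts)
    enforce_ok_as_delegate = true

    ; 1.18: this list is now also the default for default_tkt_enctypes and
    ; default_tgs_enctypes, so it only needs to be stated once; single-DES
    ; types are no longer accepted at all in 1.18
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
```

With this fragment, a client that still listed des-cbc-crc or des-cbc-md5 in any enctype relation would see those names rejected by 1.18, which is the intended effect of dropping single-DES support; checking existing krb5.conf files for such entries before upgrading from krb5-116 or krb5-117 avoids a surprise at first ticket request.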
Diffstat (limited to 'security/Makefile')
-rw-r--r-- | security/Makefile | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/security/Makefile b/security/Makefile index 05faa0617561..e2b729f33e06 100644 --- a/security/Makefile +++ b/security/Makefile @@ -262,6 +262,7 @@ SUBDIR += krb5 SUBDIR += krb5-116 SUBDIR += krb5-117 + SUBDIR += krb5-118 SUBDIR += krb5-appl SUBDIR += krb5-devel SUBDIR += kripp |
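Review bot: the hunk registers the new subdirectory but does not carry the krb5-116 deprecation that the commit message announces (retirement Feb 12, 2021); since this view is limited to security/Makefile, the deprecation marking in the krb5-116 port itself must be confirmed in the full commit, and the security/krb5-118 directory must be added in the same commit or the category traversal will fail on the new `SUBDIR += krb5-118` entry. The placement after `SUBDIR += krb5-117` and before `SUBDIR += krb5-appl` keeps the SUBDIR list in sorted order, which is correct.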