path: root/security/krb5
Commit message | Author | Age | Files | Lines
* Welcome the new security/krb5-116 port. This port follows MIT's KRB5 1.16 releases.

  Major changes in 1.16 (2017-12-05)
  ==================================

  Administrator experience:

  * The KDC can match PKINIT client certificates against the "pkinit_cert_match" string attribute on the client principal entry, using the same syntax as the existing "pkinit_cert_match" profile option.
  * The ktutil addent command supports the "-k 0" option to ignore the key version, and the "-s" option to use a non-default salt string.
  * kpropd supports a --pid-file option to write a pid file at startup, when it is run in standalone mode.
  * The "encrypted_challenge_indicator" realm option can be used to attach an authentication indicator to tickets obtained using FAST encrypted challenge pre-authentication.
  * Localization support can be disabled at build time with the --disable-nls configure option.

  Developer experience:

  * The kdcpolicy pluggable interface allows modules to control whether tickets are issued by the KDC.
  * The kadm5_auth pluggable interface allows modules to control whether kadmind grants access to a kadmin request.
  * The certauth pluggable interface allows modules to control which PKINIT client certificates can authenticate to which client principals.
  * KDB modules can use the client and KDC interface IP addresses to determine whether to allow an AS request.
  * GSS applications can query the bit strength of a krb5 GSS context using the GSS_C_SEC_CONTEXT_SASL_SSF OID with gss_inquire_sec_context_by_oid().
  * GSS applications can query the impersonator name of a krb5 GSS credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with gss_inquire_cred_by_oid().
  * kdcpreauth modules can query the KDC for the canonicalized requested client principal name, or match a principal name against the requested client principal name with canonicalization.

  Protocol evolution:

  * The client library will continue to try pre-authentication mechanisms after most failure conditions.
  * The KDC will issue trivially renewable tickets (where the renewable lifetime is equal to or less than the ticket lifetime) if requested by the client, to be friendlier to scripts.
  * The client library will use a random nonce for TGS requests instead of the current system time.
  * For the RC4 string-to-key or PAC operations, UTF-16 is supported (previously only UCS-2 was supported).
  * When matching PKINIT client certificates, UPN SANs will be matched correctly as UPNs, with canonicalization.

  User experience:

  * Dates after the year 2038 are accepted (provided that the platform time facilities support them), through the year 2106.
  * Automatic credential cache selection based on the client realm will take into account the fallback realm and the service hostname.
  * Referral and alternate cross-realm TGTs will not be cached, avoiding some scenarios where they can be added to the credential cache multiple times.
  * A German translation has been added.

  Notes: svn path=/head/; revision=455634
  Author: Cy Schubert | Age: 2017-12-06 | Files: 1 | Lines: -1/+1
* Follow up on r455423.
  Pointy hat to: rene
  Notes: svn path=/head/; revision=455567
  Author: Cy Schubert | Age: 2017-12-05 | Files: 1 | Lines: -1/+1
* Now that krb5 1.15.1 is GA, make krb5-115 default.
  Notes: svn path=/head/; revision=435379
  Author: Cy Schubert | Age: 2017-03-04 | Files: 1 | Lines: -1/+1
* Remove expired krb5-112. It was mistakenly "re-added" by r427588.
  Notes: svn path=/head/; revision=427589
  Author: Cy Schubert | Age: 2016-12-03 | Files: 1 | Lines: -1/+1
* Welcome the new security/krb5-115 port. This port follows MIT's KRB5 1.15 releases.
  To support this new port:
  - The security/krb5 port includes an option to use this port instead of krb5-114 as its base. krb5-114 will remain the default until the next release of KRB5 1.15 (if it's stable of course).
  - MIT by default deprecates KRB5 two versions back from the current release. krb5-113 has been deprecated and will expire one year from now.
  Notes: svn path=/head/; revision=427588
  Author: Cy Schubert | Age: 2016-12-03 | Files: 1 | Lines: -1/+1
* This is the second part of two commits, the first being r403749.

  Adopt the same port structure as used by the cfengine family of ports: security/krb5 is renamed to security/krb5-114. A brand new security/krb5 now becomes a master port for the family of security/krb5-* ports. The default installs krb5-1.14.

  There is no functional change to the port build nor does the name of the latest krb5 port and package change. Users can continue to install security/krb5 to track the latest major version of security/krb5. Users wishing to install a specific version branch of krb5 can continue to install any of the security/krb5-* ports or by setting KRB5_VERSION in make.conf or including the branch on the make command line during build:

      make KRB5_VERSION=NNN

  make -V VERSIONS lists available versions.

  security/krb5-appl has been updated to support this change (also fixing a typo in the krb5-appl/Makefile).

  Inspired by: sysutils/cfengine
  Notes: svn path=/head/; revision=403760
  Author: Cy Schubert | Age: 2015-12-15 | Files: 1 | Lines: -0/+8
* Move security/krb5 to security/krb5-114 in preparation for restructuring of the krb5 family of ports.
  Inspired by: the cfengine family of ports
  Notes: svn path=/head/; revision=403759
  Author: Cy Schubert | Age: 2015-12-15 | Files: 12 | Lines: -575/+0
* Introduce the new krb5 1.14:
  - move (copy) krb5 (krb5 1.13.2) to krb5-113 (new, added)
  - update krb5 1.13.2 --> 1.14
  - update CONFLICTS in krb5, krb5-112 and krb5-113.
  - update krb5-appl to allow optional dependency on krb5-113.
  - update security/Makefile with copied krb5-113.
  - deprecate and expire krb5-112 (krb5-1.12) on November 20, 2016, as it will EOL twelve months after the release of krb5-1.14.
  Notes: svn path=/head/; revision=402143
  Author: Cy Schubert | Age: 2015-11-21 | Files: 4 | Lines: -25/+9
* Add sonames and minor versioned library names.
  PR: 203882
  Notes: svn path=/head/; revision=399891
  Author: Cy Schubert | Age: 2015-10-21 | Files: 3 | Lines: -7/+22
* Bump PORTREVISION.
  Notes: svn path=/head/; revision=399634
  Author: Cy Schubert | Age: 2015-10-19 | Files: 1 | Lines: -1/+1
* Fix READLINE option.
  Add support for libedit (LIBEDIT option). Both command line editing options now supported by RADIO button.
  Notes: svn path=/head/; revision=399631
  Author: Cy Schubert | Age: 2015-10-19 | Files: 1 | Lines: -5/+16
* Remove configuration argument used during testing.
  Notes: svn path=/head/; revision=395671
  Author: Cy Schubert | Age: 2015-08-31 | Files: 1 | Lines: -1/+0
* Fix build under 11-CURRENT. r378417 introduced a libreadline link workaround due to libtool not working with 11-CURRENT at the time. The workaround now causes grief under 11-CURRENT and needs to be removed.
  PR: 202782
  Notes: svn path=/head/; revision=395651
  Author: Cy Schubert | Age: 2015-08-31 | Files: 1 | Lines: -7/+2
* MIT KRB5 ports build unusable binaries due to incorrect linking when built under poudriere. This commit fixes that.
  Notes: svn path=/head/; revision=388684
  Author: Cy Schubert | Age: 2015-06-06 | Files: 1 | Lines: -2/+3
* Fix armv5 build.
  PR: 200100
  Submitted by: mikael.urankar@gmail.com
  Notes: svn path=/head/; revision=385961
  Author: Cy Schubert | Age: 2015-05-10 | Files: 2 | Lines: -1/+2
* Update 1.13.1 --> 1.13.2
  Notes: svn path=/head/; revision=385889
  Author: Cy Schubert | Age: 2015-05-09 | Files: 2 | Lines: -4/+3
* - Display a stage-qa warning when ports use PREFIX/var instead of /var
  - Add --localstatedir=/var to _LATE_CONFIGURE_ARGS (like --mandir) but not when CONFIGURE_ARGS already sets it. (GNU configure scripts set it to PREFIX/var when PREFIX != /usr.)
  - Add --localstatedir="${PREFIX}/var" to CONFIGURE_ARGS in some ports so they aren't affected by this change (for now at least). This commit is meant to ensure that new ports don't make the same mistake.
  - games/acm: the configure script in this port is very old; instead of patching it more, just replace GNU_CONFIGURE with HAS_CONFIGURE.
  - irc/charybdis: it already used /var but adding --localstatedir=/var changed the behaviour of the configure script; adjust the port to this.
  PR: 199506
  Exp-run by: antoine
  Approved by: portmgr (antoine)
  Notes: svn path=/head/; revision=384380
  Author: Tijl Coosemans | Age: 2015-04-20 | Files: 1 | Lines: -1/+1
* Advertise CPE data for Kerberos.
  PR: 197465
  Notes: svn path=/head/; revision=380546
  Author: Cy Schubert | Age: 2015-03-05 | Files: 1 | Lines: -1/+5
* Fix broken rpath.
  Submitted by: hrs
  Notes: svn path=/head/; revision=379469
  Author: Cy Schubert | Age: 2015-02-20 | Files: 1 | Lines: -9/+18
* Update 1.13 --> 1.13.1, incorporates MITKRB5-SA-2015-001 (committed in r378417).
  Notes: svn path=/head/; revision=378907
  Author: Cy Schubert | Age: 2015-02-13 | Files: 2 | Lines: -7/+3
* Fix gcc5 build for DragonFly BSD.
  PR: 197561
  Submitted by: marino
  Notes: svn path=/head/; revision=378897
  Author: Cy Schubert | Age: 2015-02-12 | Files: 2 | Lines: -1/+11
* Correct various packaging issues:
  - Libraries are not installed stripped;
  - pkgconfig files should be installed to libdata;
  - Use of deprecated @dirrm[try]
  PR: PR/197338
  Submitted by: delphij
  Notes: svn path=/head/; revision=378441
  Author: Cy Schubert | Age: 2015-02-05 | Files: 3 | Lines: -39/+36
* Address: krb5 -- Vulnerabilities in kadmind, libgssrpc, gss_process_context_token VU#540092
  CVE-2014-5352: gss_process_context_token() incorrectly frees context
  CVE-2014-9421: kadmind doubly frees partial deserialization results
  CVE-2014-9422: kadmind incorrectly validates server principal name
  CVE-2014-9423: libgssrpc server applications leak uninitialized bytes
  Security: VUXML: 24ce5597-acab-11e4-a847-206a8a720317
  Security: MIT KRB5: VU#540092
  Security: CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423
  Notes: svn path=/head/; revision=378417
  Author: Cy Schubert | Age: 2015-02-04 | Files: 2 | Lines: -0/+10
* - Remove support for EXTRACT_PRESERVE_OWNERSHIP
  - Update a few comments related to extract
  Differential Revision: https://reviews.freebsd.org/D1189
  With hat: portmgr
  Notes: svn path=/head/; revision=374698
  Author: Antoine Brodin | Age: 2014-12-14 | Files: 1 | Lines: -7/+1
* Fix LATEST_LINK.
  Notes: svn path=/head/; revision=371142
  Author: Cy Schubert | Age: 2014-10-18 | Files: 1 | Lines: -1/+0
* MIT Kerberos released 1.13; 1.12 becomes a maintenance release, 1.11 remains a maintenance release.
  - Update security/krb5 1.12.2 --> 1.13
  - Copy the old security/krb5 1.12.2 to security/krb5-112 (now a maintenance release supported by MIT)
  - Move the old krb5-maint (1.11.5: old maintenance release) to security/krb5-111 (the old maintenance release still supported by MIT)
  Notes: svn path=/head/; revision=371019
  Author: Cy Schubert | Age: 2014-10-16 | Files: 5 | Lines: -23/+18
* Update 1.12.1 --> 1.12.2.
  Add readline non-default option.
  Notes: svn path=/head/; revision=364798
  Author: Cy Schubert | Age: 2014-08-13 | Files: 3 | Lines: -22/+13
* Rename security/ patches to reflect the files they modify.
  Notes: svn path=/head/; revision=363328
  Author: Adam Weinberger | Age: 2014-07-29 | Files: 4 | Lines: -0/+0
* net/openldap24-*:
  - Convert to USES=libtool and bump dependent ports
  - Avoid USE_AUTOTOOLS
  - Don't use PTHREAD_LIBS
  - Use MAKE_CMD

  databases/glom:
  - Drop :keepla
  - Add INSTALL_TARGET=install-strip

  databases/libgda4* databases/libgda5*:
  - Convert to USES=libtool and bump dependent ports
  - USES=tar:xz
  - Use INSTALL_TARGET=install-strip
  - Use @sample

  databases/libgdamm:
  - Drop :keepla
  - USES=tar:bzip2
  - Use INSTALL_TARGET=install-strip

  databases/libgdamm5:
  - Add INSTALL_TARGET=install-strip
  - Drop --enable-static (inherited from old repocopy)

  devel/anjuta x11-toolkits/py-gnome-extras:
  - Drop :keepla

  dns/powerdns dns/powerdns-devel:
  - Convert to USES=libtool
  - Add INSTALL_TARGET=install-strip
  - Disable static modules
  - Stop creating library symlinks with .0 suffix, not needed for dynamically opened modules

  mail/dovecot2:
  - Add USES=libtool

  mail/dovecot2-pigeonhole:
  - Drop CONFIGURE_TARGET (incorrect for Dragonfly)
  - Add USES=libtool and INSTALL_TARGET=install-strip

  math/gnumeric:
  - USES=libtool tar:xz

  Approved by: portmgr (implicit, bump unstaged ports)
  Notes: svn path=/head/; revision=362835
  Author: Tijl Coosemans | Age: 2014-07-24 | Files: 1 | Lines: -1/+1
* Fix build when KRB5_HOME != LOCALBASE.
  Submitted by: hrs
  Notes: svn path=/head/; revision=355569
  Author: Cy Schubert | Age: 2014-05-27 | Files: 1 | Lines: -3/+4
* Allow package build (make stage/make package) for non-root user.
  Submitted by: John Hein <john.hein@microsemi.com>
  Notes: svn path=/head/; revision=353055
  Author: Cy Schubert | Age: 2014-05-06 | Files: 2 | Lines: -16/+25
* Finely tune KRB5_HOME test when using LIB_DEPENDS in the case when KRB5_HOME is set to LOCALBASE.
  Notes: svn path=/head/; revision=351983
  Author: Cy Schubert | Age: 2014-04-24 | Files: 1 | Lines: -0/+2
* Remove extraneous MAN assignments.
  Notes: svn path=/head/; revision=351910
  Author: Cy Schubert | Age: 2014-04-23 | Files: 1 | Lines: -9/+0
* - Add a startup script for kpropd
  PR: 183502
  Submitted by: brd@
  Approved by: bdrewery@
  Notes: svn path=/head/; revision=351689
  Author: Brad Davis | Age: 2014-04-21 | Files: 2 | Lines: -1/+30
* Fix new patch.
  Pointy hat to: self
  Notes: svn path=/head/; revision=351580
  Author: Cy Schubert | Age: 2014-04-19 | Files: 2 | Lines: -35/+29
* KRB5_HOME no longer works with LIB_DEPENDS. Mark broken when set.
  Notes: svn path=/head/; revision=351512
  Author: Cy Schubert | Age: 2014-04-18 | Files: 1 | Lines: -0/+1
* 1. Fix build when using clang 3.4.
  2. RTM_OLDADD and RTM_OLDDEL were removed from -stable. Thanks alfred@ for this patch.
  3. Stagify.
  Submitted by: alfred (#2)
  Notes: svn path=/head/; revision=351495
  Author: Cy Schubert | Age: 2014-04-17 | Files: 3 | Lines: -7/+71
* Update 1.12 --> 1.12.1
  Notes: svn path=/head/; revision=339911
  Author: Cy Schubert | Age: 2014-01-16 | Files: 2 | Lines: -3/+3
* Update krb5 to 1.12. Security/krb5 tracks MIT KRB5 current release.
  Adjust the newly created krb5-maint with a new portname and conflicts. Krb5-maint is a maintenance release for those who wish to use the previous release of krb5. krb5-maint remains at 1.11.3.
  Adjust CONFLICTS in security/heimdal and security/srp to account for the newly repocopied krb5-maint.
  Adjust security/Makefile to include krb5-maint.
  Notes: svn path=/head/; revision=336247
  Author: Cy Schubert | Age: 2013-12-12 | Files: 4 | Lines: -34/+36
* pkg-plist fixup.
  Notes: svn path=/head/; revision=336221
  Author: Cy Schubert | Age: 2013-12-11 | Files: 1 | Lines: -0/+3
* Add LDAP support.
  PR: 184557
  Submitted by: Erick Turnquist <jhujhiti@adjectivism.org>
  Notes: svn path=/head/; revision=336138
  Author: Cy Schubert | Age: 2013-12-11 | Files: 2 | Lines: -3/+15
* Add NO_STAGE all over the place in preparation for the staging support (cat: security)
  Notes: svn path=/head/; revision=327769
  Author: Baptiste Daroussin | Age: 2013-09-20 | Files: 1 | Lines: -0/+1
* Convert to new perl framework
  Convert USE_GMAKE to USES=gmake
  Notes: svn path=/head/; revision=327417
  Author: Baptiste Daroussin | Age: 2013-09-16 | Files: 1 | Lines: -3/+2
* Add an empty directory created by the port to pkg-plist
  Approved by: portmgr (miwi)
  Notes: svn path=/head/; revision=321478
  Author: Antoine Brodin | Age: 2013-06-21 | Files: 2 | Lines: -0/+4
* Update krb5 1.11.2 --> 1.11.3.
  This is a bugfix release.
  * Fix a UDP ping-pong vulnerability in the kpasswd (password changing) service. [CVE-2002-2443]
  * Improve interoperability with some Windows native PKINIT clients.
  Security: CVE-2002-2443
  Notes: svn path=/head/; revision=319823
  Author: Cy Schubert | Age: 2013-06-04 | Files: 2 | Lines: -3/+3
* - Convert USE_GETTEXT to USES (part 3)
  Approved by: portmgr (bapt)
  Notes: svn path=/head/; revision=316464
  Author: Alex Kozlov | Age: 2013-04-24 | Files: 1 | Lines: -1/+1
* Update 1.11.1 --> 1.11.2

  Major changes in 1.11.2 (2013-04-12)
  ====================================

  This is a bugfix release.

  * Incremental propagation could erroneously act as if a slave's database were current after the slave received a full dump that failed to load.
  * gss_import_sec_context incorrectly set internal state that identifies whether an imported context is from an interposer mechanism or from the underlying mechanism.

  Feature safe: yes
  Notes: svn path=/head/; revision=315921
  Author: Cy Schubert | Age: 2013-04-17 | Files: 3 | Lines: -28/+4
* - Remove A/An in COMMENT
  - Trim Header where applicable
  Notes: svn path=/head/; revision=315566
  Author: Carlo Strub | Age: 2013-03-29 | Files: 1 | Lines: -1/+1
* Reset ulog if database load failed.
  Avoids a slave reporting it is current when a full resync fails.
  Obtained from: https://github.com/rbasch/krb5/commit/2ef5ae0607d1c317a936e439b4be7a6f5184dc
  Notes: svn path=/head/; revision=313458
  Author: Cy Schubert | Age: 2013-03-05 | Files: 2 | Lines: -0/+24
* Update 1.11 --> 1.11.1.
  Security: Fix a null pointer dereference in the KDC PKINIT code [CVE-2013-1415].
  Notes: svn path=/head/; revision=312788
  Author: Cy Schubert | Age: 2013-02-22 | Files: 2 | Lines: -3/+3