| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
This provides a binary package to users who require MIT KRB5 with LDAP
support. This patch does not change the current, now default, package
name.
PR: 277015
|
| |
|
|
|
| |
krb5-121 is the default krb5 package. While at it remove krb5-119
from the "supported" list.
|
| |
|
|
|
|
|
| |
Welcome the new krb5-120 (1.20) from MIT.
krb5-118 is now deprecated and scheduled for removal a year from
now.
|
| |
|
|
|
|
| |
This makefile was not updated when krb5-117 was removed.
Fixes: e2dd87ef868d82a7b51410eedd638c76340c88fa
|
| |
|
|
|
|
|
|
|
|
| |
While here, add comment in security/krb5 to remember the obscure dependency in
security/sssd so it does not break again.
PR: 244778
Reported by: tommyhp2@gmail.com
Tested by: tommyhp2@gmail.com
MFH: 2021Q2 (build fix)
|
| |
|
|
| |
Reported by: lwhsu
|
| | |
|
| |
|
|
| |
Notes:
svn path=/head/; revision=567561
|
| |
|
|
|
|
|
|
|
|
| |
In addition, deprecate krb5-117 to retire one year after the release
of krb5-119: Feb 1, 2022.
krb5-119 becomes the default krb5 port.
Notes:
svn path=/head/; revision=563782
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In addition, deprecate krb5-116 to retire one year after the release
of krb5-118: Feb 12, 2021.
Major changes in 1.18 (2020-02-12)
==================================
Administrator experience:
* Remove support for single-DES encryption types.
* Change the replay cache format to be more efficient and robust.
Replay cache filenames using the new format end with ".rcache2" by
default.
* setuid programs will automatically ignore environment variables that
normally affect krb5 API functions, even if the caller does not use
krb5_init_secure_context().
* Add an "enforce_ok_as_delegate" krb5.conf relation to disable
credential forwarding during GSSAPI authentication unless the KDC
sets the ok-as-delegate bit in the service ticket.
* Use the permitted_enctypes krb5.conf setting as the default value
for default_tkt_enctypes and default_tgs_enctypes.
Developer experience:
* Implement krb5_cc_remove_cred() for all credential cache types.
* Add the krb5_pac_get_client_info() API to get the client account
name from a PAC.
Protocol evolution:
* Add KDC support for S4U2Self requests where the user is identified
by X.509 certificate. (Requires support for certificate lookup from
a third-party KDB module.)
* Remove support for an old ("draft 9") variant of PKINIT.
* Add support for Microsoft NegoEx. (Requires one or more third-party
GSS modules implementing NegoEx mechanisms.)
* Honor the transited-policy-checked ticket flag on application
servers, eliminating the requirement to configure capaths on
servers in some scenarios.
User experience:
* Add support for "dns_canonicalize_hostname=fallback""`, causing
host-based principal names to be tried first without DNS
canonicalization, and again with DNS canonicalization if the
un-canonicalized server is not found.
* Expand single-component hostnames in host-based principal names when
DNS canonicalization is not used, adding the system's first DNS
search path as a suffix. Add a "qualify_shortname" krb5.conf
relation to override this suffix or disable expansion.
Code quality:
* The libkrb5 serialization code (used to export and import krb5 GSS
security contexts) has been simplified and made type-safe.
* The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
messages has been revised to conform to current coding practices.
* The test suite has been modified to work with macOS System Integrity
Protection enabled.
* The test suite incorporates soft-pkcs11 so that PKINIT PKCS11
support can always be tested.
Notes:
svn path=/head/; revision=526479
|
| |
|
|
| |
Notes:
svn path=/head/; revision=524712
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Major changes in 1.17 (2019-01-08)
==================================
Administrator experience:
* A new Kerberos database module using the Lightning Memory-Mapped
Database library (LMDB) has been added. The LMDB KDB module should
be more performant and more robust than the DB2 module, and may
become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific
principal names are requested.
Developer experience:
* The new krb5_get_etype_info() API can be used to retrieve enctype,
salt, and string-to-key parameters from the KDC for a client
principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the
log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should
perform better.
Protocol evolution:
* The SPAKE pre-authentication mechanism is now supported. This
mechanism protects against password dictionary attacks without
requiring any additional infrastructure such as certificates. SPAKE
is enabled by default on clients, but must be manually enabled on
the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can
protect against scenarios where an attacker uses temporary access to
a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid
spurious error messages about replays when a response packet is
dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a
third-party KDB module such as Samba's. The client code for
cross-realm S4U2Self requests is also now more robust.
User experience:
* The new ktutil addent -f flag can be used to fetch salt information
from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache
within a collection by client principal name.
* The Kerberos man page has been restored, and documents the
environment variables that affect programs using the Kerberos
library.
Changes to the FreeBSD krb5* ports include:
* CONFLICTS updated in krb5-115 and krb5-116 taking krb5-117 in
consideration.
* The default krb5 port is now krb5-117.
* MIT's practice is to EOL KRB5 n-2. krb5-115 is deprecated and set
to expire Jan 31, 2020.
Notes:
svn path=/head/; revision=489737
|
| |
|
|
| |
Notes:
svn path=/head/; revision=488834
|
| |
|
|
| |
Notes:
svn path=/head/; revision=463045
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
KRB5 1.16 releases.
Major changes in 1.16 (2017-12-05)
==================================
Administrator experience:
* The KDC can match PKINIT client certificates against the
"pkinit_cert_match" string attribute on the client principal entry,
using the same syntax as the existing "pkinit_cert_match" profile
option.
* The ktutil addent command supports the "-k 0" option to ignore the
key version, and the "-s" option to use a non-default salt string.
* kpropd supports a --pid-file option to write a pid file at startup,
when it is run in standalone mode.
* The "encrypted_challenge_indicator" realm option can be used to
attach an authentication indicator to tickets obtained using FAST
encrypted challenge pre-authentication.
* Localization support can be disabled at build time with the
--disable-nls configure option.
Developer experience:
* The kdcpolicy pluggable interface allows modules control whether
tickets are issued by the KDC.
* The kadm5_auth pluggable interface allows modules to control whether
kadmind grants access to a kadmin request.
* The certauth pluggable interface allows modules to control which
PKINIT client certificates can authenticate to which client
principals.
* KDB modules can use the client and KDC interface IP addresses to
determine whether to allow an AS request.
* GSS applications can query the bit strength of a krb5 GSS context
using the GSS_C_SEC_CONTEXT_SASL_SSF OID with
gss_inquire_sec_context_by_oid().
* GSS applications can query the impersonator name of a krb5 GSS
credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with
gss_inquire_cred_by_oid().
* kdcpreauth modules can query the KDC for the canonicalized requested
client principal name, or match a principal name against the
requested client principal name with canonicalization.
Protocol evolution:
* The client library will continue to try pre-authentication
mechanisms after most failure conditions.
* The KDC will issue trivially renewable tickets (where the renewable
lifetime is equal to or less than the ticket lifetime) if requested
by the client, to be friendlier to scripts.
* The client library will use a random nonce for TGS requests instead
of the current system time.
* For the RC4 string-to-key or PAC operations, UTF-16 is supported
(previously only UCS-2 was supported).
* When matching PKINIT client certificates, UPN SANs will be matched
correctly as UPNs, with canonicalization.
User experience:
* Dates after the year 2038 are accepted (provided that the platform
time facilities support them), through the year 2106.
* Automatic credential cache selection based on the client realm will
take into account the fallback realm and the service hostname.
* Referral and alternate cross-realm TGTs will not be cached, avoiding
some scenarios where they can be added to the credential cache
multiple times.
* A German translation has been added.
Notes:
svn path=/head/; revision=455634
|
| |
|
|
|
|
|
| |
Pointy hat to: rene
Notes:
svn path=/head/; revision=455567
|
| |
|
|
| |
Notes:
svn path=/head/; revision=435379
|
| |
|
|
| |
Notes:
svn path=/head/; revision=427589
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
KRB5 1.15 releases.
To support this new ports:
- The security/krb5 port includes an option to use this port instead
of krb5-114 as its base. krb5-114 will remain the default until the
next release of KRB5 1.15 (if it's stable of course).
- MIT by default deprecates KRB5 two versions back from the current
release. krb5-113 has been deprecated and will expire one year from
now.
Notes:
svn path=/head/; revision=427588
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adopt the same port structure as used by the cfengine family of ports:
security/krb5 is renamed to security/krb5-114.
A brand new security/krb5 now becomes a master port for the family of
security/krb5-* ports. The default installs krb5-1.14. There is no
functional change to the port build nor does the name of the latest krb5
port and package change. Users can continue to install security/krb5
to track the latest major version of security/krb5.
Users wishing to install a specific version branch of krb5 can continue
to install any of the security/krb5-* ports or by setting KRB5_VERSION
in make.conf make.conf or including the branch on the make command line
during build:
make KRB5_VERSIN=NNN
make -V VERSIONS lists available versions.
security/krb5-appl has been updated to support this change (also fixing
a typo in the krb5-appl/Makefile).
Inspired by: sysutils/cfengine
Notes:
svn path=/head/; revision=403760
|
| |
|
|
|
|
|
|
|
| |
of the krb5 faimily of ports.
Inspired by: the cfengine family of ports
Notes:
svn path=/head/; revision=403759
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
- move (copy) krb5 (krb5 1.13.2) to krb5-113 (new, added)
- update krb5 1.13.2 --> 1.14
- update CONFLICTS in krb5, krb5-112 and krb5-113.
- update krb5-appl to allow optional dependency on krb5-113.
- update security/Makefile with copied krb5-113.
- deprecate and expire krb5-112 (krb5-1.12) on November 20, 2016, as it
will EOL twelve months after the release of krb5-1.14.
Notes:
svn path=/head/; revision=402143
|
| |
|
|
|
|
|
| |
PR: 203882
Notes:
svn path=/head/; revision=399891
|
| |
|
|
| |
Notes:
svn path=/head/; revision=399634
|
| |
|
|
|
|
|
|
| |
Add support for libedit (LIBEDIT option).
Both command line editing options now supported by RADIO button.
Notes:
svn path=/head/; revision=399631
|
| |
|
|
| |
Notes:
svn path=/head/; revision=395671
|
| |
|
|
|
|
|
|
|
|
|
| |
workaround due to libtool not working with 11-CURRENT at the time.
The workaround now causes grief under 11-CURRENT and needs to be
removed.
PR: 202782
Notes:
svn path=/head/; revision=395651
|
| |
|
|
|
|
|
| |
when build under poudriere. This commit fixes that.
Notes:
svn path=/head/; revision=388684
|
| |
|
|
|
|
|
|
| |
PR: 200100
Submitted by: mikael.urankar@gmail.com
Notes:
svn path=/head/; revision=385961
|
| |
|
|
| |
Notes:
svn path=/head/; revision=385889
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Add --localstatedir=/var to _LATE_CONFIGURE_ARGS (like --mandir) but not
when CONFIGURE_ARGS already sets it. (GNU configure scripts set it to
PREFIX/var when PREFIX != /usr.)
- Add --localstatedir="${PREFIX}/var" to CONFIGURE_ARGS in some ports so
they aren't affected by this change (for now at least). This commit is
meant to ensure that new ports don't make the same mistake.
- games/acm: the configure script in this port is very old; instead of
patching it more, just replace GNU_CONFIGURE with HAS_CONFIGURE.
- irc/charybdis: it already used /var but adding --localstatedir=/var
changed the behaviour of the configure script; adjust the port to this.
PR: 199506
Exp-run by: antoine
Approved by: portmgr (antoine)
Notes:
svn path=/head/; revision=384380
|
| |
|
|
|
|
|
| |
PR: 197465
Notes:
svn path=/head/; revision=380546
|
| |
|
|
|
|
|
| |
Submitted by: hrs
Notes:
svn path=/head/; revision=379469
|
| |
|
|
|
|
|
| |
r378417).
Notes:
svn path=/head/; revision=378907
|
| |
|
|
|
|
|
|
| |
PR: 197561
Submitted by: marino
Notes:
svn path=/head/; revision=378897
|
| |
|
|
|
|
|
|
|
|
|
|
| |
- Libraries are not installed stripped;
- pkgconfig files should be installed to libdata;
- Use of deprecated @dirrm[try]
PR: PR/197338
Submitted by: delphij
Notes:
svn path=/head/; revision=378441
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
gss_process_context_token VU#540092
CVE-2014-5352: gss_process_context_token() incorrectly frees context
CVE-2014-9421: kadmind doubly frees partial deserialization results
CVE-2014-9422: kadmind incorrectly validates server principal name
CVE-2014-9423: libgssrpc server applications leak uninitialized bytes
Security: VUXML: 24ce5597-acab-11e4-a847-206a8a720317
Security: MIT KRB5: VU#540092
Security: CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423
Notes:
svn path=/head/; revision=378417
|
| |
|
|
|
|
|
|
|
|
| |
- Update a few comments related to extract
Differential Revision: https://reviews.freebsd.org/D1189
With hat: portmgr
Notes:
svn path=/head/; revision=374698
|
| |
|
|
| |
Notes:
svn path=/head/; revision=371142
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
1.11 remains a maintenance release.
- Update security/krb5 1.12.2 --> 1.13
- Copy the old security/krb5 1.12.2 to security/krb5-112
(now a maintenance release supported by MIT)
- Move the old krb5-maint (1.11.5: old maintenance release) to
security/krb5-111 (the old maintenance release still supported by MIT)
Notes:
svn path=/head/; revision=371019
|
| |
|
|
|
|
|
| |
Add readline non-default option.
Notes:
svn path=/head/; revision=364798
|
| |
|
|
| |
Notes:
svn path=/head/; revision=363328
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Convert to USES=libtool and bump dependent ports
- Avoid USE_AUTOTOOLS
- Don't use PTHREAD_LIBS
- Use MAKE_CMD
databases/glom:
- Drop :keepla
- Add INSTALL_TARGET=install-strip
databases/libgda4* databases/libgda5*:
- Convert to USES=libtool and bump dependent ports
- USES=tar:xz
- Use INSTALL_TARGET=install-strip
- Use @sample
databases/libgdamm:
- Drop :keepla
- USES=tar:bzip2
- Use INSTALL_TARGET=install-strip
databases/libgdamm5:
- Add INSTALL_TARGET=install-strip
- Drop --enable-static (inherited from old repocopy)
devel/anjuta x11-toolkits/py-gnome-extras:
- Drop :keepla
dns/powerdns dns/powerdns-devel:
- Convert to USES=libtool
- Add INSTALL_TARGET=install-strip
- Disable static modules
- Stop creating library symlinks with .0 suffix, not needed for dynamically
opened modules
mail/dovecot2:
- Add USES=libtool
mail/dovecot2-pigeonhole:
- Drop CONFIGURE_TARGET (incorrect for Dragonfly)
- Add USES=libtool and INSTALL_TARGET=install-strip
math/gnumeric:
- USES=libtool tar:xz
Approved by: portmgr (implicit, bump unstaged ports)
Notes:
svn path=/head/; revision=362835
|
| |
|
|
|
|
|
| |
Submitted by: hrs
Notes:
svn path=/head/; revision=355569
|
| |
|
|
|
|
|
| |
Submitted by: John Hein <john.hein@microsemi.com>
Notes:
svn path=/head/; revision=353055
|
| |
|
|
|
|
|
| |
KRB5_HOME is set to LOCALBASE.
Notes:
svn path=/head/; revision=351983
|
| |
|
|
| |
Notes:
svn path=/head/; revision=351910
|
| |
|
|
|
|
|
|
|
| |
PR: 183502
Submitted by: brd@
Approved by: bdrewery@
Notes:
svn path=/head/; revision=351689
|
| |
|
|
|
|
|
| |
Point hat to: self
Notes:
svn path=/head/; revision=351580
|
| |
|
|
| |
Notes:
svn path=/head/; revision=351512
|
