freebsd-ports/security/krb5-116/pkg-descr

Kerberos V5 is an authentication system developed at MIT.
WWW: http://web.mit.edu/kerberos/

Abridged from the User Guide:
       Under Kerberos, a client sends a request for a ticket to the
   Key Distribution Center (KDC). The KDC creates a ticket-granting
   ticket (TGT) for the client, encrypts it using the client's
   password as the key, and sends the encrypted TGT back to the
   client. The client then attempts to decrypt the TGT, using
   its password. If the client successfully decrypts the TGT, it
   keeps the decrypted TGT, which indicates proof of the client's
   identity. The TGT permits the client to obtain additional tickets,
   which give permission for specific services.
       Since Kerberos negotiates authenticated, and optionally encrypted,
   communications between two points anywhere on the internet, it
   provides a layer of security that is not dependent on which side of a
   firewall either client is on.
       The Kerberos V5 package is designed to be easy to use. Most of the
   commands are nearly identical to UNIX network programs you are already
   used to. Kerberos V5 is a single-sign-on system, which means that you
   have to type your password only once per session, and Kerberos does
   the authenticating and encrypting transparently.

Jacques Vidrine <n@nectar.com>
Welcome the new security/krb5-116 port. This port follows MIT's KRB5 1.16 releases. Major changes in 1.16 (2017-12-05) ================================== Administrator experience: * The KDC can match PKINIT client certificates against the "pkinit_cert_match" string attribute on the client principal entry, using the same syntax as the existing "pkinit_cert_match" profile option. * The ktutil addent command supports the "-k 0" option to ignore the key version, and the "-s" option to use a non-default salt string. * kpropd supports a --pid-file option to write a pid file at startup, when it is run in standalone mode. * The "encrypted_challenge_indicator" realm option can be used to attach an authentication indicator to tickets obtained using FAST encrypted challenge pre-authentication. * Localization support can be disabled at build time with the --disable-nls configure option. Developer experience: * The kdcpolicy pluggable interface allows modules control whether tickets are issued by the KDC. * The kadm5_auth pluggable interface allows modules to control whether kadmind grants access to a kadmin request. * The certauth pluggable interface allows modules to control which PKINIT client certificates can authenticate to which client principals. * KDB modules can use the client and KDC interface IP addresses to determine whether to allow an AS request. * GSS applications can query the bit strength of a krb5 GSS context using the GSS_C_SEC_CONTEXT_SASL_SSF OID with gss_inquire_sec_context_by_oid(). * GSS applications can query the impersonator name of a krb5 GSS credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with gss_inquire_cred_by_oid(). * kdcpreauth modules can query the KDC for the canonicalized requested client principal name, or match a principal name against the requested client principal name with canonicalization. Protocol evolution: * The client library will continue to try pre-authentication mechanisms after most failure conditions. * The KDC will issue trivially renewable tickets (where the renewable lifetime is equal to or less than the ticket lifetime) if requested by the client, to be friendlier to scripts. * The client library will use a random nonce for TGS requests instead of the current system time. * For the RC4 string-to-key or PAC operations, UTF-16 is supported (previously only UCS-2 was supported). * When matching PKINIT client certificates, UPN SANs will be matched correctly as UPNs, with canonicalization. User experience: * Dates after the year 2038 are accepted (provided that the platform time facilities support them), through the year 2106. * Automatic credential cache selection based on the client realm will take into account the fallback realm and the service hostname. * Referral and alternate cross-realm TGTs will not be cached, avoiding some scenarios where they can be added to the credential cache multiple times. * A German translation has been added. 2017-12-06 05:18:14 +01:00			`Kerberos V5 is an authentication system developed at MIT.`
			`WWW: http://web.mit.edu/kerberos/`

			`Abridged from the User Guide:`
			`Under Kerberos, a client sends a request for a ticket to the`
			`Key Distribution Center (KDC). The KDC creates a ticket-granting`
			`ticket (TGT) for the client, encrypts it using the client's`
			`password as the key, and sends the encrypted TGT back to the`
			`client. The client then attempts to decrypt the TGT, using`
			`its password. If the client successfully decrypts the TGT, it`
			`keeps the decrypted TGT, which indicates proof of the client's`
			`identity. The TGT permits the client to obtain additional tickets,`
			`which give permission for specific services.`
			`Since Kerberos negotiates authenticated, and optionally encrypted,`
			`communications between two points anywhere on the internet, it`
			`provides a layer of security that is not dependent on which side of a`
			`firewall either client is on.`
			`The Kerberos V5 package is designed to be easy to use. Most of the`
			`commands are nearly identical to UNIX network programs you are already`
			`used to. Kerberos V5 is a single-sign-on system, which means that you`
			`have to type your password only once per session, and Kerberos does`
			`the authenticating and encrypting transparently.`

			`Jacques Vidrine <n@nectar.com>`