Major changes in 1.18:
Administrator experience
* Remove support for single-DES encryption types.
* Change the replay cache format to be more efficient and robust. Replay cache filenames using the new format end with ".rcache2" by default.
* setuid programs will automatically ignore environment variables that normally affect krb5 API functions, even if the caller does not use krb5_init_secure_context().
* Add an "enforce_ok_as_delegate" krb5.conf relation to disable credential forwarding during GSSAPI authentication unless the KDC sets the ok-as-delegate bit in the service ticket.
* Use the permitted_enctypes krb5.conf setting as the default value for default_tkt_enctypes and default_tgs_enctypes.
Developer experience
* Implement krb5_cc_remove_cred() for all credential cache types.
* Add the krb5_pac_get_client_info() API to get the client account name from a PAC.
Protocol evolution
* Add KDC support for S4U2Self requests where the user is identified by X.509 certificate. (Requires support for certificate lookup from a third-party KDB module.)
* Remove support for an old ("draft 9") variant of PKINIT.
* Add support for Microsoft NegoEx. (Requires one or more third-party GSS modules implementing NegoEx mechanisms.)
User experience
* Add support for "dns_canonicalize_hostname=fallback", causing host-based principal names to be tried first without DNS canonicalization, and again with DNS canonicalization if the un-canonicalized server is not found.
* Expand single-component hostnames in host-based principal names when DNS canonicalization is not used, adding the system's first DNS search path as a suffix. Add a "qualify_shortname" krb5.conf relation to override this suffix or disable expansion.
* Honor the transited-policy-checked ticket flag on application servers, eliminating the requirement to configure capaths on servers in some scenarios.
Code quality
* The libkrb5 serialization code (used to export and import krb5 GSS security contexts) has been simplified and made type-safe.
* The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED messages has been revised to conform to current coding practices.
* The test suite has been modified to work with macOS System Integrity Protection enabled.
* The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support can always be tested.
Major changes in 1.17.1:
This is a bug fix release.
* Fix a bug preventing "addprinc -randkey -kvno" from working in kadmin.
* Fix a bug preventing time skew correction from working when a KCM credential cache is used.
Major changes in 1.17:
Administrator experience
* A new Kerberos database module using the Lightning Memory-Mapped Database library (LMDB) has been added. The LMDB KDB module should be more performant and more robust than the DB2 module, and may become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific principal names are requested.
* kpropd supports a --pid-file option to write a pid file at startup, when it is run in standalone mode.
Developer experience
* The new krb5_get_etype_info() API can be used to retrieve enctype, salt, and string-to-key parameters from the KDC for a client principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should perform better.
Protocol evolution
* The SPAKE pre-authentication mechanism is now supported. This mechanism protects against password dictionary attacks without requiring any additional infrastructure such as certificates. SPAKE is enabled by default on clients, but must be manually enabled on the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can protect against scenarios where an attacker uses temporary access to a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid spurious error messages about replays when a response packet is dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a third-party KDB module such as Samba's. The client code for cross-realm S4U2Self requests is also now more robust.
User experience
* The new ktutil addent -f flag can be used to fetch salt information from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache within a collection by client principal name.
* The Kerberos man page has been restored, and documents the environment variables that affect programs using the Kerberos library.
Code quality
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work with more recent versions of Visual Studio. A large volume of unused Windows-specific code has been removed. Visual Studio 2013 or later is now required.
pkglint -r --network --only "migrate"
As a side-effect of migrating the homepages, pkglint also fixed a few
indentations in unrelated lines. These and the new homepages have been
checked manually.
The libtool-ification caused plugins to have a "lib" prefix, causing a mismatch
with what the code was trying to dlopen(), and failures. Bump PKGREVISION.
Fix conflict with hmac symbol from libc, from Naveen Narayanan.
Update configure option, it was renamed. Bump PKGREVISION for that.
Small pkglint fix while here.
Major changes in 1.16.2
This is a bug fix release.
Fix bugs with concurrent use of MEMORY ccache handles.
Fix a KDC crash when falling back between multiple OTP tokens configured for a principal entry.
Fix memory bugs when gss_add_cred() is used to create a new credential, and fix a bug where it ignores the desired_name.
Fix the behavior of gss_inquire_cred_by_mech() when the credential does not contain an element of the requested mechanism.
Make cross-realm S4U2Self requests work on the client when no default_realm is configured.
Add a kerberos(7) man page containing documentation of the environment variables that affect Kerberos programs.
making generate-files-mac in kadmin...
making generate-files-mac in kadmin/cli...
../../util/ss/mk_cmds kadmin_ct.ct
/usr/bin/yacc getdate.y
"getdate.y", line 180: fatal: invalid escape, or illegal reserved word: expect
*** Error code 1
-- use bison(1) instead.
Major changes in 1.16.1 (2018-05-03)
This is a bug fix release.
Fix flaws in LDAP DN checking, including a null dereference KDC crash which could be triggered by kadmin clients with administrative privileges [CVE-2018-5729, CVE-2018-5730].
Fix a KDC PKINIT memory leak.
Fix a small KDC memory leak on transited or authdata errors when processing TGS requests.
Fix a regression in pkinit_cert_match matching of client certificates containing Microsoft UPN SANs.
Fix a null dereference when the KDC sends a large TGS reply.
Fix "kdestroy -A" with the KCM credential cache type.
Allow validation of Microsoft PACs containing enterprise names.
Fix the handling of capaths "." values.
Fix handling of repeated subsection specifications in profile files (such as when multiple included files specify relations in the same subsection).
Major changes in 1.16 (2017-12-05)
Administrator experience:
The KDC can match PKINIT client certificates against the "pkinit_cert_match" string attribute on the client principal entry, using the same syntax as the existing "pkinit_cert_match" profile option.
The ktutil addent command supports the "-k 0" option to ignore the key version, and the "-s" option to use a non-default salt string.
kpropd supports a --pid-file option to write a pid file at startup, when it is run in standalone mode.
The "encrypted_challenge_indicator" realm option can be used to attach an authentication indicator to tickets obtained using FAST encrypted challenge pre-authentication.
Localization support can be disabled at build time with the --disable-nls configure option.
Developer experience:
The kdcpolicy pluggable interface allows modules control whether tickets are issued by the KDC.
The kadm5_auth pluggable interface allows modules to control whether kadmind grants access to a kadmin request.
The certauth pluggable interface allows modules to control which PKINIT client certificates can authenticate to which client principals.
KDB modules can use the client and KDC interface IP addresses to determine whether to allow an AS request.
GSS applications can query the bit strength of a krb5 GSS context using the GSS_C_SEC_CONTEXT_SASL_SSF OID with gss_inquire_sec_context_by_oid().
GSS applications can query the impersonator name of a krb5 GSS credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with gss_inquire_cred_by_oid().
kdcpreauth modules can query the KDC for the canonicalized requested client principal name, or match a principal name against the requested client principal name with canonicalization.
Protocol evolution:
The client library will continue to try pre-authentication mechanisms after most failure conditions.
The KDC will issue trivially renewable tickets (where the renewable lifetime is equal to or less than the ticket lifetime) if requested by the client, to be friendlier to scripts.
The client library will use a random nonce for TGS requests instead of the current system time.
For the RC4 string-to-key or PAC operations, UTF-16 is supported (previously only UCS-2 was supported).
When matching PKINIT client certificates, UPN SANs will be matched correctly as UPNs, with canonicalization.
User experience:
Dates after the year 2038 are accepted (provided that the platform time facilities support them), through the year 2106.
Automatic credential cache selection based on the client realm will take into account the fallback realm and the service hostname.
Referral and alternate cross-realm TGTs will not be cached, avoiding some scenarios where they can be added to the credential cache multiple times.
A German translation has been added.
Code quality:
The build is warning-clean under clang with the configured warning options.
The automated test suite runs cleanly under AddressSanitizer.
Major changes in 1.15.3 (2018-05-03)
This is a bug fix release.
Fix flaws in LDAP DN checking, including a null dereference KDC crash which could be triggered by kadmin clients with administrative privileges [CVE-2018-5729, CVE-2018-5730].
Fix a KDC PKINIT memory leak.
Fix a small KDC memory leak on transited or authdata errors when processing TGS requests.
Fix a null dereference when the KDC sends a large TGS reply.
Fix "kdestroy -A" with the KCM credential cache type.
Fix the handling of capaths "." values.
Fix handling of repeated subsection specifications in profile files (such as when multiple included files specify relations in the same subsection).
Major changes in 1.15.2 (2017-09-25)
This is a bug fix release.
Fix a KDC denial of service vulnerability caused by unset status strings [CVE-2017-11368]
Preserve GSS contexts on init/accept failure [CVE-2017-11462]
Fix kadm5 setkey operation with LDAP KDB module
Use a ten-second timeout after successful connection for HTTPS KDC requests, as we do for TCP requests
Fix client null dereference when KDC offers encrypted challenge without FAST
Ignore dotfiles when processing profile includedir directive
Improve documentation
Major changes in 1.15.1 (2017-03-01)
This is a bug fix release.
Allow KDB modules to determine how the e_data field of principal fields is freed
Fix udp_preference_limit when the KDC location is configured with SRV records
Fix KDC and kadmind startup on some IPv4-only systems
Fix the processing of PKINIT certificate matching rules which have two components and no explicit relation
Improve documentation
Major changes in 1.15 (2016-12-01)
Administrator experience:
Improve support for multihomed Kerberos servers by adding options for specifying restricted listening addresses for the KDC and kadmind.
Add support to kadmin for remote extraction of current keys without changing them (requires a special kadmin permission that is excluded from the wildcard permission), with the exception of highly protected keys.
Add a lockdown_keys principal attribute to prevent retrieval of the principal's keys (old or new) via the kadmin protocol. In newly created databases, this attribute is set on the krbtgt and kadmin principals.
Restore recursive dump capability for DB2 back end, so sites can more easily recover from database corruption resulting from power failure events.
Add DNS auto-discovery of KDC and kpasswd servers from URI records, in addition to SRV records. URI records can convey TCP and UDP servers and master KDC status in a single DNS lookup, and can also point to HTTPS proxy servers.
Add support for password history to the LDAP back end.
Add support for principal renaming to the LDAP back end.
Use the getrandom system call on supported Linux kernels to avoid blocking problems when getting entropy from the operating system.
In the PKINIT client, use the correct DigestInfo encoding for PKCS #1 signatures, so that some especially strict smart cards will work.
Code quality:
Clean up numerous compilation warnings.
Remove various infrequently built modules, including some preauth modules that were not built by default.
Developer experience:
Add support for building with OpenSSL 1.1.
Use SHA-256 instead of MD5 for (non-cryptographic) hashing of authenticators in the replay cache. This helps sites that must build with FIPS 140 conformant libraries that lack MD5.
Eliminate util/reconf and allow the use of autoreconf alone to regenerate the configure script.
Protocol evolution:
Add support for the AES-SHA2 enctypes, which allows sites to conform to Suite B crypto requirements.
Major changes in 1.14.6 (2017-09-25)
This is a bug fix release.
Fix a KDC denial of service vulnerability caused by unset status strings [CVE-2017-11368]
Preserve GSS contexts on init/accept failure [CVE-2017-11462]
Fix kadm5 setkey operation with LDAP KDB module
Use a ten-second timeout after successful connection for HTTPS KDC requests, as we do for TCP requests
Fix client null dereference when KDC offers encrypted challenge without FAST
for all pkgsrc dir/file ownership rules. Fixes unprivileged
user/group names from leaking into binary packages, manifest as
non-fatal chown/chgrp failure messages at pkg_add time.
Bump respective packages' PKGREVISION.
The RTM_RESOLVE symbol has been removed after the following change in
src/sys/net/route.h:
revision 1.98
date: 2016-04-04 09:37:07 +0200; author: ozaki-r; state: Exp; lines: +8 -6; commitid: r0chxU5ZkTdAqh1z;
Separate nexthop caches from the routing table
Bump PKGREVISION to 1
Problems found locating distfiles:
Package f-prot-antivirus6-fs-bin: missing distfile fp-NetBSD.x86.32-fs-6.2.3.tar.gz
Package f-prot-antivirus6-ws-bin: missing distfile fp-NetBSD.x86.32-ws-6.2.3.tar.gz
Package libidea: missing distfile libidea-0.8.2b.tar.gz
Package openssh: missing distfile openssh-7.1p1-hpn-20150822.diff.bz2
Package uvscan: missing distfile vlp4510e.tar.Z
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.
that are unsupported by the native port of MIT KRB5, and add any flags
necessary to support the builtin version.
Fixes various packages since the change to support the SunOS builtin.
Based on patches by Richard PALO (richard@).
This is a bugfix release. The krb5-1.10 release series is in maintenance, and for new deployments, installers should prefer the krb5-1.11 release series or later.
* Fix a KDC locking issue that could lead to the KDC process holding a persistent lock, preventing administrative actions such as password changes.
* Fix a number of bugs related to KDC master key rollover.
* Fix a KDC null pointer dereference [CVE-2013-1418] that could affect KDCs that serve multiple realms.
