It has long been an issue that heimdal installs "su" which shadows
system su and behaves differently. Now, with openssl 1.1, many people
are getting heimdal installed that did not expect it or ask for it.
(Really, heimdal should be split into libraries and apps, so that
programs can have kerberos support without adding commands to the
user's namespace, but this is vastly easier.)
(In response to on-list complaints, and believing this will not be
contoversial.)
New features
* Support for reading MIT database file directly
* KCM is polished up and now used in production
* NTLM first class citizen, credentials stored in KCM
* Table driven ASN.1 compiler, smaller!, not enabled by default
* Native Windows client support
Notes
* Disabled write support NDBM hdb backend (read still in there) since
it can't handle large records, please migrate to a diffrent backend
(like BDB4)
Changes 1.3.3:
Bug fixes
* Check the GSS-API checksum exists before trying to use it [CVE-2010-1321]
* Check NULL pointers before dereference them [kdc]
Changes 1.3.2:
Bug fixes
* Don't mix length when clearing hmac (could memset too much)
* More paranoid underrun checking when decrypting packets
* Check the password change requests and refuse to answer empty packets
* Build on OpenSolaris
* Renumber AD-SIGNED-TICKET since it was stolen from US
* Don't cache /dev/*random file descriptor, it doesn't get unloaded
* Make C++ safe
* Misc warnings
* Read-only PKCS11 provider built-in to hx509.
* Better compatibilty with Windows 2008 Server pre-releases and Vista.
* Add RFC3526 modp group14 as default.
* Handle [kdc] database = { } entries without realm = stanzas.
* Add gss_pseudo_random() for mechglue and krb5.
* Make session key for the krbtgt be selected by the best encryption
type of the client.
* Better interoperability with other PK-INIT implementations.
* Alias support for inital ticket requests.
* Make ASN.1 library less paranoid to with regard to NUL in string to
make it inter-operate with MIT Kerberos again.
* PK-INIT support.
* HDB extensions support, used by PK-INIT.
* New ASN.1 compiler.
* GSS-API mechglue from FreeBSD.
* Updated SPNEGO to support RFC4178.
* Support for Cryptosystem Negotiation Extension (RFC 4537).
* A new X.509 library (hx509) and related crypto functions.
* A new ntlm library (heimntlm) and related crypto functions.
* KDC will return the "response too big" error to force TCP retries
for large (default 1400 bytes) UDP replies. This is common for
PK-INIT requests.
* Libkafs defaults to use 2b tokens.
* krb5_kuserok() also checks ~/.k5login.d directory for acl files.
* Fix memory leaks.
* Bugs fixes
