• krb5-1.20 is released

    From Greg Hudson@21:1/5 to All on Thu May 26 18:35:46 2022
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    The MIT Kerberos Team announces the availability of MIT Kerberos 5
    Release 1.20. Please see below for a list of some major changes
    included, or consult the README file in the source tree for a more
    detailed list of significant changes.

    RETRIEVING KERBEROS 5 RELEASE 1.20
    ==================================

    You may retrieve the Kerberos 5 Release 1.20 source from the
    following URL:

    https://kerberos.org/dist/

    The homepage for the krb5-1.20 release is:

    https://web.mit.edu/kerberos/krb5-1.20/

    Further information about Kerberos 5 may be found at the following
    URL:

    https://web.mit.edu/kerberos/

    and at the MIT Kerberos Consortium web site:

    https://www.kerberos.org/


    PAC transition
    ==============

    Beginning with release 1.20, the KDC will include minimal PACs in
    tickets instead of AD-SIGNEDPATH authdata. S4U requests (protocol
    transition and constrained delegation) must now contain valid PACs in
    the incoming tickets. If only some KDCs in a realm have been upgraded
    across version 1.20, the upgraded KDCs will reject S4U requests
    containing tickets from non-upgraded KDCs and vice versa.


    Triple-DES transition
    =====================

    Beginning with the krb5-1.19 release, a warning will be issued if
    initial credentials are acquired using the des3-cbc-sha1 encryption
    type. In future releases, this encryption type will be disabled by
    default and eventually removed.

    Beginning with the krb5-1.18 release, single-DES encryption types have
    been removed.


    Major changes in 1.20 (2022-05-26)
    ==================================

    Administrator experience:

    * Added a "disable_pac" realm relation to suppress adding PAC authdata
    to tickets, for realms which do not need to support S4U requests.

    * Most credential cache types will use atomic replacement when a cache
    is reinitialized using kinit or refreshed from the client keytab.

    * kprop can now propagate databases with a dump size larger than 4GB,
    if both the client and server are upgraded.

    * kprop can now work over NATs that change the destination IP address,
    if the client is upgraded.

    Developer experience:

    * Updated the KDB interface. The sign_authdata() method is replaced
    with the issue_pac() method, allowing KDB modules to add logon info
    and other buffers to the PAC issued by the KDC.

    * Host-based initiator names are better supported in the GSS krb5
    mechanism.

    Protocol evolution:

    * Replaced AD-SIGNEDPATH authdata with minimal PACs.

    * To avoid spurious replay errors, password change requests will not
    be attempted over UDP until the attempt over TCP fails.

    * PKINIT will sign its CMS messages with SHA-256 instead of SHA-1.

    Code quality:

    * Updated all code using OpenSSL to be compatible with OpenSSL 3.

    * Reorganized the libk5crypto build system to allow the OpenSSL
    back-end to pull in material from the builtin back-end depending on
    the OpenSSL version.

    * Simplified the PRNG logic to always use the platform PRNG.

* Converted the remaining Tcl tests to Python.

    -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmKQAGgACgkQDLoIV1+D
    ct9NnBAAxbuqwI/OQrXdCnMZyMMD3Oc4ODvx+5Zmt93owaZ4RSx6WwS8FNIlcFjX
    C47JbF79uwh817GMGJUCdnH7pI+hxzBmxxs1F0j+7nLWF+vDs9mPHxMkWOiY9ZNu
    8ADE3XRyHSgGOOb0zbndPS3RsbYnsHMQfbtNIbxNIJfyTF32wmPrsuGlhhEKEzu2
    7m8V8DBfL5PwMLefsl8Mu45xqD8II7eg5HjIe7kmEbGseDS2C5XOrj4ieWm++0Pc
    dfl1eHKyuCWkUaJyBBjIGRe+WL8D/OKRkXrtIgMcX7AwFdnRrMDqDduoD9vNQvGE
    4PNcORkCdw4R7UWv2qXOvoxHKz/Bv6ctkd94FRsGoJrFeOIf+0L53y2Zf+s+ntVC
    p70glQhcAZr/wdKPm2V1QmuIib+y7bZRBcIcbmEZcjexQaIzUHFdwMzm3Y8MAGJu
    h8GZ7tktGAQWdgUKRFP2ZlDnUEl6a7GgmoOyUcgo2RxDgiunBcdgLVNeVkkEZCPv
    xKdntPgcgrObb6J73JfHZLWBZ6bMpaEm9MziEP50ZvITlD2Q+CxyCJo9fbgqvhXf
    z6JaNiVWR0blHGpQA8eeUW6bToEjndYPumxbGyRRfTIpcaAZYyeY9MFBiDJmDM98
    U4oPRd15Ws1swsuc+EsJKUo+OiCLj7saF87WSE2Kke+SOfo8evA=
    =aPCW
    -----END PGP SIGNATURE-----
    _______________________________________________
    kerberos-announce mailing list
kerberos-announce@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos-announce

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
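    The announcement above introduces the "disable_pac" realm relation and
    explains that 1.20 KDCs require valid PACs in the tickets carried by
    S4U requests. The kdc.conf fragment below is an added illustration,
    not text from the announcement or from the krb5 project, of how an
    administrator would opt a single realm out of PAC issuance. The realm
    name EXAMPLE.COM and the file paths are placeholders; database_name,
    acl_file and key_stash_file are ordinary kdc.conf realm relations
    shown only to make the stanza complete.

```ini
# Added example (not from the krb5-1.20 announcement or the krb5 project):
# a kdc.conf [realms] stanza using the 1.20 "disable_pac" relation.
# Realm name and paths are placeholders.
[realms]
    EXAMPLE.COM = {
        database_name = /var/krb5kdc/principal
        acl_file = /var/krb5kdc/kadm5.acl
        key_stash_file = /var/krb5kdc/.k5.EXAMPLE.COM

        # Default (false): the KDC puts a minimal PAC in every ticket,
        # which is what S4U requests (protocol transition and constrained
        # delegation) on 1.20 KDCs require in the incoming ticket.
        # Set to true only for a realm whose services never use S4U;
        # with PACs suppressed, S4U requests against this realm will fail.
        disable_pac = true
    }
```

    The KDC reads kdc.conf at startup, so the setting takes effect after
    the KDC is restarted. Because the announcement notes that upgraded
    and non-upgraded KDCs in one realm reject each other's tickets in S4U
    requests, a realm that does rely on S4U should leave disable_pac at
    its default and upgrade all of its KDCs to 1.20 together rather than
    one at a time.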
  • From Todd Heron@21:1/5 to Greg Hudson on Sun May 29 03:42:09 2022
    Will this release bake into the Microsoft Windows Active Directory version of Kerberos, which uses Kerberos v5?

    On Thursday, May 26, 2022 at 6:38:06 PM UTC-4, Greg Hudson wrote: