Accepting request 777881 from home:scabrero:branches:network
- Upgrade to 1.18
Administrator experience:
* Remove support for single-DES encryption types.
* Change the replay cache format to be more efficient and robust.
Replay cache filenames using the new format end with ".rcache2"
by default.
* setuid programs will automatically ignore environment variables
that normally affect krb5 API functions, even if the caller does
not use krb5_init_secure_context().
* Add an "enforce_ok_as_delegate" krb5.conf relation to disable
credential forwarding during GSSAPI authentication unless the KDC
sets the ok-as-delegate bit in the service ticket.
* Use the permitted_enctypes krb5.conf setting as the default value
for default_tkt_enctypes and default_tgs_enctypes.
Developer experience:
* Implement krb5_cc_remove_cred() for all credential cache types.
* Add the krb5_pac_get_client_info() API to get the client account
name from a PAC.
Protocol evolution:
* Add KDC support for S4U2Self requests where the user is identified
by X.509 certificate. (Requires support for certificate lookup from
a third-party KDB module.)
* Remove support for an old ("draft 9") variant of PKINIT.
* Add support for Microsoft NegoEx. (Requires one or more third-party
GSS modules implementing NegoEx mechanisms.)
User experience:
* Add support for "dns_canonicalize_hostname=fallback", causing
host-based principal names to be tried first without DNS
canonicalization, and again with DNS canonicalization if the
un-canonicalized server is not found.
* Expand single-component hostnames in host-based principal names
when DNS canonicalization is not used, adding the system's first DNS
search path as a suffix. Add a "qualify_shortname" krb5.conf relation
to override this suffix or disable expansion.
* Honor the transited-policy-checked ticket flag on application servers,
eliminating the requirement to configure capaths on servers in some
scenarios.
Code quality:
* The libkrb5 serialization code (used to export and import krb5 GSS
security contexts) has been simplified and made type-safe.
* The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
messages has been revised to conform to current coding practices.
* The test suite has been modified to work with macOS System Integrity
Protection enabled.
* The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support
can always be tested.
- Updated patches:
* 0002-krb5-1.9-manpaths.patch
* 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* 0005-krb5-1.6.3-ktutil-manpage.patch
* 0006-krb5-1.12-api.patch
- Renamed patches:
* 0001-krb5-1.12-pam.patch => 0001-ksu-pam-integration.patch
* 0003-krb5-1.12-buildconf.patch => 0003-Adjust-build-configuration.patch
* 0008-krb5-1.12-selinux-label.patch => 0007-SELinux-integration.patch
* 0009-krb5-1.9-debuginfo.patch => 0008-krb5-1.9-debuginfo.patch
- Deleted patches:
* 0007-krb5-1.12-ksu-path.patch
- Upgrade to 1.18
Administrator experience:
* Remove support for single-DES encryption types.
* Change the replay cache format to be more efficient and robust.
Replay cache filenames using the new format end with ".rcache2"
by default.
* setuid programs will automatically ignore environment variables
that normally affect krb5 API functions, even if the caller does
not use krb5_init_secure_context().
* Add an "enforce_ok_as_delegate" krb5.conf relation to disable
credential forwarding during GSSAPI authentication unless the KDC
sets the ok-as-delegate bit in the service ticket.
* Use the permitted_enctypes krb5.conf setting as the default value
for default_tkt_enctypes and default_tgs_enctypes.
Developer experience:
* Implement krb5_cc_remove_cred() for all credential cache types.
* Add the krb5_pac_get_client_info() API to get the client account
name from a PAC.
Protocol evolution:
* Add KDC support for S4U2Self requests where the user is identified
by X.509 certificate. (Requires support for certificate lookup from
a third-party KDB module.)
* Remove support for an old ("draft 9") variant of PKINIT.
* Add support for Microsoft NegoEx. (Requires one or more third-party
GSS modules implementing NegoEx mechanisms.)
User experience:
* Add support for "dns_canonicalize_hostname=fallback", causing
host-based principal names to be tried first without DNS
canonicalization, and again with DNS canonicalization if the
un-canonicalized server is not found.
* Expand single-component hostnames in host-based principal names
when DNS canonicalization is not used, adding the system's first DNS
search path as a suffix. Add a "qualify_shortname" krb5.conf relation
to override this suffix or disable expansion.
* Honor the transited-policy-checked ticket flag on application servers,
eliminating the requirement to configure capaths on servers in some
scenarios.
Code quality:
* The libkrb5 serialization code (used to export and import krb5 GSS
security contexts) has been simplified and made type-safe.
* The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
messages has been revised to conform to current coding practices.
* The test suite has been modified to work with macOS System Integrity
Protection enabled.
* The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support
can always be tested.
- Updated patches:
* 0002-krb5-1.9-manpaths.patch
* 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* 0005-krb5-1.6.3-ktutil-manpage.patch
* 0006-krb5-1.12-api.patch
- Renamed patches:
* 0001-krb5-1.12-pam.patch => 0001-ksu-pam-integration.patch
* 0003-krb5-1.12-buildconf.patch => 0003-Adjust-build-configuration.patch
* 0008-krb5-1.12-selinux-label.patch => 0007-SELinux-integration.patch
* 0009-krb5-1.9-debuginfo.patch => 0008-krb5-1.9-debuginfo.patch
- Deleted patches:
* 0007-krb5-1.12-ksu-path.patch
OBS-URL: https://build.opensuse.org/request/show/777881
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=224
2020-02-25 08:55:08 +01:00
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
|
|
|
Version: GnuPG v1
|
|
|
|
|
|
|
|
|
|
iQIcBAABAgAGBQJeREfJAAoJEAy6CFdfg3Lf0sQP/3CCIesW9hqBxbcy9E7RYpfD
|
|
|
|
|
P/MPZ7WpCfOlvgzo3BuDvQGp1WTV+53RP0RPvttSeFnI0clEd6Er4oYE9MmcLjc7
|
|
|
|
|
URyNttUT/vIDbUDHR7ac6zdHM313Z3h30vKL8aEtClg3BhIOI4GJUilEaBeRgEY8
|
|
|
|
|
KYxGvH5M4mmBYDSkELayp/a1El8QEia1sivSerBs/zZQjqUoogmQ0f1pqZUx0nTC
|
|
|
|
|
A+GowpYniz6FEkIRpGVRFuOFbFEuHWMLU33OSxpvHAf/0x1D5wkRJ4EHFFcYhrLu
|
|
|
|
|
T1FvOQGSbUVUXi81bzOhwQOVzZdPk0rc5Q8SLqTefcjNjTIJ+MAxCV1qxv8xpM/X
|
|
|
|
|
VtuyrtJLrDTcqa2hqhHfMVQUcRwSnmotic81GJ1BFowMZCNRgyaCWP+K7KI7OCLF
|
|
|
|
|
ajPmG+Yr/eDao3JavCME6OdLLS/ARTK/JtR1YOS+kPeaBKjkVtXM9y6kGsUuzXIR
|
|
|
|
|
8cyAvlBAIKiFrLWhV44emOEDhzxS9bbgTGQEEQNP6blDjMcNe5PpbZ1opDv9F3kc
|
|
|
|
|
Ga4h0/XZmYrijn0NvzG1szBD8j+vatHlQVaQtw7t7Rt+jMF9TtOTgQy8MD+h3hSx
|
|
|
|
|
1J8GDFlXHGbYdnRnBZWGHeJ1fZaqTpY4D4erDfOHXjH4kCm3Y7Zlaj6eDb0NMzkr
|
|
|
|
|
umorBypPT9mnce2aS43h
|
|
|
|
|
=jxUB
|
|
|
|
|
-----END PGP SIGNATURE-----
|