SHA256
1
0
forked from pool/krb5
krb5/0005-krb5-1.6.3-ktutil-manpage.patch

37 lines
1011 B
Diff
Raw Normal View History

Accepting request 670179 from home:scabrero:branches:network - Upgrade to 1.17. Major changes: Administrator experience: * A new Kerberos database module using the Lightning Memory-Mapped Database library (LMDB) has been added. The LMDB KDB module should be more performant and more robust than the DB2 module, and may become the default module for new databases in a future release. * "kdb5_util dump" will no longer dump policy entries when specific principal names are requested. Developer experience: * The new krb5_get_etype_info() API can be used to retrieve enctype, salt, and string-to-key parameters from the KDC for a client principal. * The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise principal names to be used with GSS-API functions. * KDC and kadmind modules which call com_err() will now write to the log file in a format more consistent with other log messages. * Programs which use large numbers of memory credential caches should perform better. Protocol evolution: * The SPAKE pre-authentication mechanism is now supported. This mechanism protects against password dictionary attacks without requiring any additional infrastructure such as certificates. SPAKE is enabled by default on clients, but must be manually enabled on the KDC for this release. * PKINIT freshness tokens are now supported. Freshness tokens can protect against scenarios where an attacker uses temporary access to a smart card to generate authentication requests for the future. * Password change operations now prefer TCP over UDP, to avoid spurious error messages about replays when a response packet is dropped. * The KDC now supports cross-realm S4U2Self requests when used with a third-party KDB module such as Samba's. The client code for cross-realm S4U2Self requests is also now more robust. User experience: * The new ktutil addent -f flag can be used to fetch salt information from the KDC for password-based keys. * The new kdestroy -p option can be used to destroy a credential cache within a collection by client principal name. * The Kerberos man page has been restored, and documents the environment variables that affect programs using the Kerberos library. Code quality: * Python test scripts now use Python 3. * Python test scripts now display markers in verbose output, making it easier to find where a failure occurred within the scripts. * The Windows build system has been simplified and updated to work with more recent versions of Visual Studio. A large volume of unused Windows-specific code has been removed. Visual Studio 2013 or later is now required. - Use systemd-tmpfiles to create files under /var/lib/kerberos, required by transactional updates; (bsc#1100126); - Rename patches: * krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch * krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch * krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch * krb5-1.6.3-gssapi_improve_errormessages.dif to 0004-krb5-1.6.3-gssapi_improve_errormessages.patch * krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch * krb5-1.12-api.patch => 0006-krb5-1.12-api.patch * krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch * krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch * krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch - Upgrade to 1.17. Major changes: Administrator experience: * A new Kerberos database module using the Lightning Memory-Mapped Database library (LMDB) has been added. The LMDB KDB module should be more performant and more robust than the DB2 module, and may become the default module for new databases in a future release. * "kdb5_util dump" will no longer dump policy entries when specific principal names are requested. Developer experience: * The new krb5_get_etype_info() API can be used to retrieve enctype, salt, and string-to-key parameters from the KDC for a client principal. * The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise principal names to be used with GSS-API functions. * KDC and kadmind modules which call com_err() will now write to the log file in a format more consistent with other log messages. * Programs which use large numbers of memory credential caches should perform better. Protocol evolution: * The SPAKE pre-authentication mechanism is now supported. This mechanism protects against password dictionary attacks without requiring any additional infrastructure such as certificates. SPAKE is enabled by default on clients, but must be manually enabled on the KDC for this release. * PKINIT freshness tokens are now supported. Freshness tokens can protect against scenarios where an attacker uses temporary access to a smart card to generate authentication requests for the future. * Password change operations now prefer TCP over UDP, to avoid spurious error messages about replays when a response packet is dropped. * The KDC now supports cross-realm S4U2Self requests when used with a third-party KDB module such as Samba's. The client code for cross-realm S4U2Self requests is also now more robust. User experience: * The new ktutil addent -f flag can be used to fetch salt information from the KDC for password-based keys. * The new kdestroy -p option can be used to destroy a credential cache within a collection by client principal name. * The Kerberos man page has been restored, and documents the environment variables that affect programs using the Kerberos library. Code quality: * Python test scripts now use Python 3. * Python test scripts now display markers in verbose output, making it easier to find where a failure occurred within the scripts. * The Windows build system has been simplified and updated to work with more recent versions of Visual Studio. A large volume of unused Windows-specific code has been removed. Visual Studio 2013 or later is now required. - Use systemd-tmpfiles to create files under /var/lib/kerberos, required by transactional updates; (bsc#1100126); - Rename patches: * krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch * krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch * krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch * krb5-1.6.3-gssapi_improve_errormessages.dif to 0004-krb5-1.6.3-gssapi_improve_errormessages.patch * krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch * krb5-1.12-api.patch => 0006-krb5-1.12-api.patch * krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch * krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch * krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch OBS-URL: https://build.opensuse.org/request/show/670179 OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=212
2019-02-13 18:01:33 +01:00
From af0fe879800e72101b6d306c1b510880aec7cdaa Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 14 Jan 2019 13:14:47 +0100
Subject: [PATCH 5/9] krb5-1.6.3-ktutil-manpage
Import krb5-1.6.3-ktutil-manpage.dif
---
src/man/ktutil.man | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/src/man/ktutil.man b/src/man/ktutil.man
index 4e174c0fe..f6d6ae814 100644
--- a/src/man/ktutil.man
+++ b/src/man/ktutil.man
@@ -171,6 +171,18 @@ ktutil:
.sp
See kerberos(7) for a description of Kerberos environment
variables.
+.SH REMARKS
+Changes to the keytab are appended to the keytab file (i.e., the keytab file
+is never overwritten). To directly modify a keytab, save the changes to a
+temporary file and then overwrite the keytab file of interest.
+.TP
+.nf
+Example:
+ktutil> rkt /etc/krb5.keytab
+(modifications to keytab)
+ktutil> wkt /tmp/krb5.newtab
+ktutil> q
+# mv /tmp/krb5.newtab /etc/krb5.keytab
.SH SEE ALSO
.sp
kadmin(1), kdb5_util(8), kerberos(7)
--
2.20.1