70aa357ac9
- Upgrade to 1.18 Administrator experience: * Remove support for single-DES encryption types. * Change the replay cache format to be more efficient and robust. Replay cache filenames using the new format end with ".rcache2" by default. * setuid programs will automatically ignore environment variables that normally affect krb5 API functions, even if the caller does not use krb5_init_secure_context(). * Add an "enforce_ok_as_delegate" krb5.conf relation to disable credential forwarding during GSSAPI authentication unless the KDC sets the ok-as-delegate bit in the service ticket. * Use the permitted_enctypes krb5.conf setting as the default value for default_tkt_enctypes and default_tgs_enctypes. Developer experience: * Implement krb5_cc_remove_cred() for all credential cache types. * Add the krb5_pac_get_client_info() API to get the client account name from a PAC. Protocol evolution: * Add KDC support for S4U2Self requests where the user is identified by X.509 certificate. (Requires support for certificate lookup from a third-party KDB module.) * Remove support for an old ("draft 9") variant of PKINIT. * Add support for Microsoft NegoEx. (Requires one or more third-party GSS modules implementing NegoEx mechanisms.) User experience: * Add support for "dns_canonicalize_hostname=fallback", causing host-based principal names to be tried first without DNS canonicalization, and again with DNS canonicalization if the un-canonicalized server is not found. * Expand single-component hostnames in host-based principal names when DNS canonicalization is not used, adding the system's first DNS search path as a suffix. Add a "qualify_shortname" krb5.conf relation to override this suffix or disable expansion. * Honor the transited-policy-checked ticket flag on application servers, eliminating the requirement to configure capaths on servers in some scenarios. Code quality: * The libkrb5 serialization code (used to export and import krb5 GSS security contexts) has been simplified and made type-safe. * The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED messages has been revised to conform to current coding practices. * The test suite has been modified to work with macOS System Integrity Protection enabled. * The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support can always be tested. - Updated patches: * 0002-krb5-1.9-manpaths.patch * 0004-krb5-1.6.3-gssapi_improve_errormessages.patch * 0005-krb5-1.6.3-ktutil-manpage.patch * 0006-krb5-1.12-api.patch - Renamed patches: * 0001-krb5-1.12-pam.patch => 0001-ksu-pam-integration.patch * 0003-krb5-1.12-buildconf.patch => 0003-Adjust-build-configuration.patch * 0008-krb5-1.12-selinux-label.patch => 0007-SELinux-integration.patch * 0009-krb5-1.9-debuginfo.patch => 0008-krb5-1.9-debuginfo.patch - Deleted patches: * 0007-krb5-1.12-ksu-path.patch - Upgrade to 1.18 Administrator experience: * Remove support for single-DES encryption types. * Change the replay cache format to be more efficient and robust. Replay cache filenames using the new format end with ".rcache2" by default. * setuid programs will automatically ignore environment variables that normally affect krb5 API functions, even if the caller does not use krb5_init_secure_context(). * Add an "enforce_ok_as_delegate" krb5.conf relation to disable credential forwarding during GSSAPI authentication unless the KDC sets the ok-as-delegate bit in the service ticket. * Use the permitted_enctypes krb5.conf setting as the default value for default_tkt_enctypes and default_tgs_enctypes. Developer experience: * Implement krb5_cc_remove_cred() for all credential cache types. * Add the krb5_pac_get_client_info() API to get the client account name from a PAC. Protocol evolution: * Add KDC support for S4U2Self requests where the user is identified by X.509 certificate. (Requires support for certificate lookup from a third-party KDB module.) * Remove support for an old ("draft 9") variant of PKINIT. * Add support for Microsoft NegoEx. (Requires one or more third-party GSS modules implementing NegoEx mechanisms.) User experience: * Add support for "dns_canonicalize_hostname=fallback", causing host-based principal names to be tried first without DNS canonicalization, and again with DNS canonicalization if the un-canonicalized server is not found. * Expand single-component hostnames in host-based principal names when DNS canonicalization is not used, adding the system's first DNS search path as a suffix. Add a "qualify_shortname" krb5.conf relation to override this suffix or disable expansion. * Honor the transited-policy-checked ticket flag on application servers, eliminating the requirement to configure capaths on servers in some scenarios. Code quality: * The libkrb5 serialization code (used to export and import krb5 GSS security contexts) has been simplified and made type-safe. * The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED messages has been revised to conform to current coding practices. * The test suite has been modified to work with macOS System Integrity Protection enabled. * The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support can always be tested. - Updated patches: * 0002-krb5-1.9-manpaths.patch * 0004-krb5-1.6.3-gssapi_improve_errormessages.patch * 0005-krb5-1.6.3-ktutil-manpage.patch * 0006-krb5-1.12-api.patch - Renamed patches: * 0001-krb5-1.12-pam.patch => 0001-ksu-pam-integration.patch * 0003-krb5-1.12-buildconf.patch => 0003-Adjust-build-configuration.patch * 0008-krb5-1.12-selinux-label.patch => 0007-SELinux-integration.patch * 0009-krb5-1.9-debuginfo.patch => 0008-krb5-1.9-debuginfo.patch - Deleted patches: * 0007-krb5-1.12-ksu-path.patch OBS-URL: https://build.opensuse.org/request/show/777881 OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=224
45 lines
1.5 KiB
Diff
45 lines
1.5 KiB
Diff
From f079a7f765dc76eb01ba80fb7214ee0d25116e59 Mon Sep 17 00:00:00 2001
|
|
From: Samuel Cabrero <scabrero@suse.de>
|
|
Date: Mon, 14 Jan 2019 13:18:16 +0100
|
|
Subject: [PATCH 8/8] krb5-1.9-debuginfo
|
|
|
|
Import krb5-1.9-debuginfo.patch
|
|
|
|
We want to keep these y.tab.c files around because the debuginfo points to
|
|
them. It would be more elegant at the end to use symbolic links, but that
|
|
could mess up people working in the tree on other things.
|
|
---
|
|
src/kadmin/cli/Makefile.in | 5 +++++
|
|
src/plugins/kdb/ldap/ldap_util/Makefile.in | 2 +-
|
|
2 files changed, 6 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/kadmin/cli/Makefile.in b/src/kadmin/cli/Makefile.in
|
|
index adfea6e2b..8e89cf03b 100644
|
|
--- a/src/kadmin/cli/Makefile.in
|
|
+++ b/src/kadmin/cli/Makefile.in
|
|
@@ -37,3 +37,8 @@ clean-unix::
|
|
# CC_LINK is not meant for compilation and this use may break in the future.
|
|
datetest: getdate.c
|
|
$(CC_LINK) $(ALL_CFLAGS) -DTEST -o datetest getdate.c
|
|
+
|
|
+%.c: %.y
|
|
+ $(RM) y.tab.c $@
|
|
+ $(YACC.y) $<
|
|
+ $(CP) y.tab.c $@
|
|
diff --git a/src/plugins/kdb/ldap/ldap_util/Makefile.in b/src/plugins/kdb/ldap/ldap_util/Makefile.in
|
|
index 8669c2436..a22f23c02 100644
|
|
--- a/src/plugins/kdb/ldap/ldap_util/Makefile.in
|
|
+++ b/src/plugins/kdb/ldap/ldap_util/Makefile.in
|
|
@@ -20,7 +20,7 @@ $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIB) $(GETDATE)
|
|
getdate.c: $(GETDATE)
|
|
$(RM) getdate.c y.tab.c
|
|
$(YACC) $(GETDATE)
|
|
- $(MV) y.tab.c getdate.c
|
|
+ $(CP) y.tab.c getdate.c
|
|
|
|
install:
|
|
$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
|
|
--
|
|
2.25.0
|
|
|