diff options
| author | Cy Schubert <cy@FreeBSD.org> | 2017-12-06 04:18:14 +0000 |
|---|---|---|
| committer | Cy Schubert <cy@FreeBSD.org> | 2017-12-06 04:18:14 +0000 |
| commit | 23733c04712f6a29767e8121035ecf5243e3d37b (patch) | |
| tree | 3920b7717ee27f398a1e2fc925398d2e14891ef8 /security/Makefile | |
| parent | e9f9800cb2116da43242df531ec906565777cfbd (diff) | |
| download | ports-23733c04712f6a29767e8121035ecf5243e3d37b.tar.gz ports-23733c04712f6a29767e8121035ecf5243e3d37b.zip | |
Welcome the new security/krb5-116 port. This port follows MIT's
KRB5 1.16 releases.
Major changes in 1.16 (2017-12-05)
==================================
Administrator experience:
* The KDC can match PKINIT client certificates against the
"pkinit_cert_match" string attribute on the client principal entry,
using the same syntax as the existing "pkinit_cert_match" profile
option.
* The ktutil addent command supports the "-k 0" option to ignore the
key version, and the "-s" option to use a non-default salt string.
* kpropd supports a --pid-file option to write a pid file at startup,
when it is run in standalone mode.
* The "encrypted_challenge_indicator" realm option can be used to
attach an authentication indicator to tickets obtained using FAST
encrypted challenge pre-authentication.
* Localization support can be disabled at build time with the
--disable-nls configure option.
Developer experience:
* The kdcpolicy pluggable interface allows modules control whether
tickets are issued by the KDC.
* The kadm5_auth pluggable interface allows modules to control whether
kadmind grants access to a kadmin request.
* The certauth pluggable interface allows modules to control which
PKINIT client certificates can authenticate to which client
principals.
* KDB modules can use the client and KDC interface IP addresses to
determine whether to allow an AS request.
* GSS applications can query the bit strength of a krb5 GSS context
using the GSS_C_SEC_CONTEXT_SASL_SSF OID with
gss_inquire_sec_context_by_oid().
* GSS applications can query the impersonator name of a krb5 GSS
credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with
gss_inquire_cred_by_oid().
* kdcpreauth modules can query the KDC for the canonicalized requested
client principal name, or match a principal name against the
requested client principal name with canonicalization.
Protocol evolution:
* The client library will continue to try pre-authentication
mechanisms after most failure conditions.
* The KDC will issue trivially renewable tickets (where the renewable
lifetime is equal to or less than the ticket lifetime) if requested
by the client, to be friendlier to scripts.
* The client library will use a random nonce for TGS requests instead
of the current system time.
* For the RC4 string-to-key or PAC operations, UTF-16 is supported
(previously only UCS-2 was supported).
* When matching PKINIT client certificates, UPN SANs will be matched
correctly as UPNs, with canonicalization.
User experience:
* Dates after the year 2038 are accepted (provided that the platform
time facilities support them), through the year 2106.
* Automatic credential cache selection based on the client realm will
take into account the fallback realm and the service hostname.
* Referral and alternate cross-realm TGTs will not be cached, avoiding
some scenarios where they can be added to the credential cache
multiple times.
* A German translation has been added.
Notes
Notes:
svn path=/head/; revision=455634
Diffstat (limited to 'security/Makefile')
| -rw-r--r-- | security/Makefile | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/security/Makefile b/security/Makefile index 44a50d53dcc8..a4ff8f4b5ba9 100644 --- a/security/Makefile +++ b/security/Makefile @@ -312,6 +312,7 @@ SUBDIR += krb5 SUBDIR += krb5-114 SUBDIR += krb5-115 + SUBDIR += krb5-116 SUBDIR += krb5-appl SUBDIR += krb5-devel SUBDIR += kripp |