aboutsummaryrefslogtreecommitdiff
path: root/security/krb5/Makefile
Commit message (Collapse)AuthorAgeFilesLines
* security/krb5*: Flavorize with default and ldap flavorsCy Schubert2024-02-131-0/+2
| | | | | | | | This provides a binary package to users who require MIT KRB5 with LDAP support. This patch does not change the current, now default, package name. PR: 277015
* security/krb5: krb5-121 is now defaultCy Schubert2023-06-061-2/+2
| | | | | krb5-121 is the default krb5 package. While at it remove krb5-119 from the "supported" list.
* security/krb5-120: Welcome new krb5 1.20Cy Schubert2022-05-271-2/+2
| | | | | | | Welcome the new krb5-120 (1.20) from MIT. krb5-118 is now deprecated and scheduled for removal a year from now.
* security/krb5: Remove expirred krb5 versionCy Schubert2022-05-271-1/+1
| | | | | | This makefile was not updated when krb5-117 was removed. Fixes: e2dd87ef868d82a7b51410eedd638c76340c88fa
* security/sssd: Fix package with SMB=onFernando ApesteguĂ­a2021-04-161-0/+2
| | | | | | | | | | While here, add comment in security/krb5 to remember the obscure dependency in security/sssd so it does not break again. PR: 244778 Reported by: tommyhp2@gmail.com Tested by: tommyhp2@gmail.com MFH: 2021Q2 (build fix)
* One more small cleanup, forgotten yesterday.Mathieu Arnold2021-04-071-1/+0
| | | | Reported by: lwhsu
* Remove # $FreeBSD$ from Makefiles.Mathieu Arnold2021-04-061-1/+0
|
* security/krb5: Remove option for non-existant krb5-116Rene Ladan2021-03-071-1/+1
| | | | Notes: svn path=/head/; revision=567561
* Welcome the new KRB5 1.19 (krb5-119)Cy Schubert2021-02-021-2/+2
| | | | | | | | | | In addition, deprecate krb5-117 to retire one year after the release of krb5-119: Feb 1, 2022. krb5-119 becomes the default krb5 port. Notes: svn path=/head/; revision=563782
* Welcome the new KRB5 1.18 (krb5-118)Cy Schubert2020-02-191-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In addition, deprecate krb5-116 to retire one year after the release of krb5-118: Feb 12, 2021. Major changes in 1.18 (2020-02-12) ================================== Administrator experience: * Remove support for single-DES encryption types. * Change the replay cache format to be more efficient and robust. Replay cache filenames using the new format end with ".rcache2" by default. * setuid programs will automatically ignore environment variables that normally affect krb5 API functions, even if the caller does not use krb5_init_secure_context(). * Add an "enforce_ok_as_delegate" krb5.conf relation to disable credential forwarding during GSSAPI authentication unless the KDC sets the ok-as-delegate bit in the service ticket. * Use the permitted_enctypes krb5.conf setting as the default value for default_tkt_enctypes and default_tgs_enctypes. Developer experience: * Implement krb5_cc_remove_cred() for all credential cache types. * Add the krb5_pac_get_client_info() API to get the client account name from a PAC. Protocol evolution: * Add KDC support for S4U2Self requests where the user is identified by X.509 certificate. (Requires support for certificate lookup from a third-party KDB module.) * Remove support for an old ("draft 9") variant of PKINIT. * Add support for Microsoft NegoEx. (Requires one or more third-party GSS modules implementing NegoEx mechanisms.) * Honor the transited-policy-checked ticket flag on application servers, eliminating the requirement to configure capaths on servers in some scenarios. User experience: * Add support for "dns_canonicalize_hostname=fallback""`, causing host-based principal names to be tried first without DNS canonicalization, and again with DNS canonicalization if the un-canonicalized server is not found. * Expand single-component hostnames in host-based principal names when DNS canonicalization is not used, adding the system's first DNS search path as a suffix. Add a "qualify_shortname" krb5.conf relation to override this suffix or disable expansion. Code quality: * The libkrb5 serialization code (used to export and import krb5 GSS security contexts) has been simplified and made type-safe. * The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED messages has been revised to conform to current coding practices. * The test suite has been modified to work with macOS System Integrity Protection enabled. * The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support can always be tested. Notes: svn path=/head/; revision=526479
* krb5-115 is now history.Cy Schubert2020-01-311-1/+1
| | | | Notes: svn path=/head/; revision=524712
* Welcome the new KRB5 1.17 (krb5-117).Cy Schubert2019-01-081-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Major changes in 1.17 (2019-01-08) ================================== Administrator experience: * A new Kerberos database module using the Lightning Memory-Mapped Database library (LMDB) has been added. The LMDB KDB module should be more performant and more robust than the DB2 module, and may become the default module for new databases in a future release. * "kdb5_util dump" will no longer dump policy entries when specific principal names are requested. Developer experience: * The new krb5_get_etype_info() API can be used to retrieve enctype, salt, and string-to-key parameters from the KDC for a client principal. * The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise principal names to be used with GSS-API functions. * KDC and kadmind modules which call com_err() will now write to the log file in a format more consistent with other log messages. * Programs which use large numbers of memory credential caches should perform better. Protocol evolution: * The SPAKE pre-authentication mechanism is now supported. This mechanism protects against password dictionary attacks without requiring any additional infrastructure such as certificates. SPAKE is enabled by default on clients, but must be manually enabled on the KDC for this release. * PKINIT freshness tokens are now supported. Freshness tokens can protect against scenarios where an attacker uses temporary access to a smart card to generate authentication requests for the future. * Password change operations now prefer TCP over UDP, to avoid spurious error messages about replays when a response packet is dropped. * The KDC now supports cross-realm S4U2Self requests when used with a third-party KDB module such as Samba's. The client code for cross-realm S4U2Self requests is also now more robust. User experience: * The new ktutil addent -f flag can be used to fetch salt information from the KDC for password-based keys. * The new kdestroy -p option can be used to destroy a credential cache within a collection by client principal name. * The Kerberos man page has been restored, and documents the environment variables that affect programs using the Kerberos library. Changes to the FreeBSD krb5* ports include: * CONFLICTS updated in krb5-115 and krb5-116 taking krb5-117 in consideration. * The default krb5 port is now krb5-117. * MIT's practice is to EOL KRB5 n-2. krb5-115 is deprecated and set to expire Jan 31, 2020. Notes: svn path=/head/; revision=489737
* Now that krb5-114 is gone, remove the option too.Cy Schubert2018-12-311-1/+1
| | | | Notes: svn path=/head/; revision=488834
* Make krb5-116 default.Cy Schubert2018-02-261-1/+1
| | | | Notes: svn path=/head/; revision=463045
* Welcome the new security/krb5-116 port. This port follows MIT'sCy Schubert2017-12-061-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | KRB5 1.16 releases. Major changes in 1.16 (2017-12-05) ================================== Administrator experience: * The KDC can match PKINIT client certificates against the "pkinit_cert_match" string attribute on the client principal entry, using the same syntax as the existing "pkinit_cert_match" profile option. * The ktutil addent command supports the "-k 0" option to ignore the key version, and the "-s" option to use a non-default salt string. * kpropd supports a --pid-file option to write a pid file at startup, when it is run in standalone mode. * The "encrypted_challenge_indicator" realm option can be used to attach an authentication indicator to tickets obtained using FAST encrypted challenge pre-authentication. * Localization support can be disabled at build time with the --disable-nls configure option. Developer experience: * The kdcpolicy pluggable interface allows modules control whether tickets are issued by the KDC. * The kadm5_auth pluggable interface allows modules to control whether kadmind grants access to a kadmin request. * The certauth pluggable interface allows modules to control which PKINIT client certificates can authenticate to which client principals. * KDB modules can use the client and KDC interface IP addresses to determine whether to allow an AS request. * GSS applications can query the bit strength of a krb5 GSS context using the GSS_C_SEC_CONTEXT_SASL_SSF OID with gss_inquire_sec_context_by_oid(). * GSS applications can query the impersonator name of a krb5 GSS credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with gss_inquire_cred_by_oid(). * kdcpreauth modules can query the KDC for the canonicalized requested client principal name, or match a principal name against the requested client principal name with canonicalization. Protocol evolution: * The client library will continue to try pre-authentication mechanisms after most failure conditions. * The KDC will issue trivially renewable tickets (where the renewable lifetime is equal to or less than the ticket lifetime) if requested by the client, to be friendlier to scripts. * The client library will use a random nonce for TGS requests instead of the current system time. * For the RC4 string-to-key or PAC operations, UTF-16 is supported (previously only UCS-2 was supported). * When matching PKINIT client certificates, UPN SANs will be matched correctly as UPNs, with canonicalization. User experience: * Dates after the year 2038 are accepted (provided that the platform time facilities support them), through the year 2106. * Automatic credential cache selection based on the client realm will take into account the fallback realm and the service hostname. * Referral and alternate cross-realm TGTs will not be cached, avoiding some scenarios where they can be added to the credential cache multiple times. * A German translation has been added. Notes: svn path=/head/; revision=455634
* Follow up on r455423.Cy Schubert2017-12-051-1/+1
| | | | | | | Pointy hat to: rene Notes: svn path=/head/; revision=455567
* Now that krb5 1.15.1 is GA, make krb5-115 default.Cy Schubert2017-03-041-1/+1
| | | | Notes: svn path=/head/; revision=435379
* Remove expired krb5-112. It was mistakenly "re-added" by r427588.Cy Schubert2016-12-031-1/+1
| | | | Notes: svn path=/head/; revision=427589
* Welcome the new security/krb5-115 port. This port follows MIT'sCy Schubert2016-12-031-1/+1
| | | | | | | | | | | | | | | | | KRB5 1.15 releases. To support this new ports: - The security/krb5 port includes an option to use this port instead of krb5-114 as its base. krb5-114 will remain the default until the next release of KRB5 1.15 (if it's stable of course). - MIT by default deprecates KRB5 two versions back from the current release. krb5-113 has been deprecated and will expire one year from now. Notes: svn path=/head/; revision=427588
* This is the second part of two commits, the first being r403749.Cy Schubert2015-12-151-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Adopt the same port structure as used by the cfengine family of ports: security/krb5 is renamed to security/krb5-114. A brand new security/krb5 now becomes a master port for the family of security/krb5-* ports. The default installs krb5-1.14. There is no functional change to the port build nor does the name of the latest krb5 port and package change. Users can continue to install security/krb5 to track the latest major version of security/krb5. Users wishing to install a specific version branch of krb5 can continue to install any of the security/krb5-* ports or by setting KRB5_VERSION in make.conf make.conf or including the branch on the make command line during build: make KRB5_VERSIN=NNN make -V VERSIONS lists available versions. security/krb5-appl has been updated to support this change (also fixing a typo in the krb5-appl/Makefile). Inspired by: sysutils/cfengine Notes: svn path=/head/; revision=403760
* Move security/krb5 to security/krb5-114 in preparation for restructuringCy Schubert2015-12-151-156/+0
| | | | | | | | | of the krb5 faimily of ports. Inspired by: the cfengine family of ports Notes: svn path=/head/; revision=403759
* Introduce the new krb5 1.14:Cy Schubert2015-11-211-9/+2
| | | | | | | | | | | | | - move (copy) krb5 (krb5 1.13.2) to krb5-113 (new, added) - update krb5 1.13.2 --> 1.14 - update CONFLICTS in krb5, krb5-112 and krb5-113. - update krb5-appl to allow optional dependency on krb5-113. - update security/Makefile with copied krb5-113. - deprecate and expire krb5-112 (krb5-1.12) on November 20, 2016, as it will EOL twelve months after the release of krb5-1.14. Notes: svn path=/head/; revision=402143
* Add sonames and minor versioned library names.Cy Schubert2015-10-211-1/+1
| | | | | | | PR: 203882 Notes: svn path=/head/; revision=399891
* Bump PORTREVISION.Cy Schubert2015-10-191-1/+1
| | | | Notes: svn path=/head/; revision=399634
* Fix READLINE option.Cy Schubert2015-10-191-5/+16
| | | | | | | | Add support for libedit (LIBEDIT option). Both command line editing options now supported by RADIO button. Notes: svn path=/head/; revision=399631
* Remove configuration argument used during testing.Cy Schubert2015-08-311-1/+0
| | | | Notes: svn path=/head/; revision=395671
* Fix build under 11-CURRENT. r378417 introduced a libreadline linkCy Schubert2015-08-311-7/+2
| | | | | | | | | | | workaround due to libtool not working with 11-CURRENT at the time. The workaround now causes grief under 11-CURRENT and needs to be removed. PR: 202782 Notes: svn path=/head/; revision=395651
* MIT KRB5 ports build unusable binaries due to incorrect linkingCy Schubert2015-06-061-2/+3
| | | | | | | when build under poudriere. This commit fixes that. Notes: svn path=/head/; revision=388684
* Fix armv5 build.Cy Schubert2015-05-101-0/+1
| | | | | | | | PR: 200100 Submitted by: mikael.urankar@gmail.com Notes: svn path=/head/; revision=385961
* Update 1.13.1 --> 1.13.2Cy Schubert2015-05-091-2/+1
| | | | Notes: svn path=/head/; revision=385889
* - Display a stage-qa warning when ports use PREFIX/var instead of /varTijl Coosemans2015-04-201-1/+1
| | | | | | | | | | | | | | | | | | | | | - Add --localstatedir=/var to _LATE_CONFIGURE_ARGS (like --mandir) but not when CONFIGURE_ARGS already sets it. (GNU configure scripts set it to PREFIX/var when PREFIX != /usr.) - Add --localstatedir="${PREFIX}/var" to CONFIGURE_ARGS in some ports so they aren't affected by this change (for now at least). This commit is meant to ensure that new ports don't make the same mistake. - games/acm: the configure script in this port is very old; instead of patching it more, just replace GNU_CONFIGURE with HAS_CONFIGURE. - irc/charybdis: it already used /var but adding --localstatedir=/var changed the behaviour of the configure script; adjust the port to this. PR: 199506 Exp-run by: antoine Approved by: portmgr (antoine) Notes: svn path=/head/; revision=384380
* dvertise CPE data for Kerberos.Cy Schubert2015-03-051-1/+5
| | | | | | | PR: 197465 Notes: svn path=/head/; revision=380546
* Fix broken rpath.Cy Schubert2015-02-201-9/+18
| | | | | | | Submitted by: hrs Notes: svn path=/head/; revision=379469
* Update 1.13 --> 1.13.1, incorporates MITKRB5-SA-2015-001 (committed inCy Schubert2015-02-131-3/+1
| | | | | | | r378417). Notes: svn path=/head/; revision=378907
* Fix gcc5 build for DragonFly BSD.Cy Schubert2015-02-121-1/+1
| | | | | | | | PR: 197561 Submitted by: marino Notes: svn path=/head/; revision=378897
* Correct various packaging issues:Cy Schubert2015-02-051-8/+8
| | | | | | | | | | | | - Libraries are not installed stripped; - pkgconfig files should be installed to libdata; - Use of deprecated @dirrm[try] PR: PR/197338 Submitted by: delphij Notes: svn path=/head/; revision=378441
* Address: krb5 -- Vulnerabilities in kadmind, libgssrpc,Cy Schubert2015-02-041-0/+8
| | | | | | | | | | | | | | | | | | | gss_process_context_token VU#540092 CVE-2014-5352: gss_process_context_token() incorrectly frees context CVE-2014-9421: kadmind doubly frees partial deserialization results CVE-2014-9422: kadmind incorrectly validates server principal name CVE-2014-9423: libgssrpc server applications leak uninitialized bytes Security: VUXML: 24ce5597-acab-11e4-a847-206a8a720317 Security: MIT KRB5: VU#540092 Security: CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423 Notes: svn path=/head/; revision=378417
* - Remove support for EXTRACT_PRESERVE_OWNERSHIPAntoine Brodin2014-12-141-7/+1
| | | | | | | | | | - Update a few comments related to extract Differential Revision: https://reviews.freebsd.org/D1189 With hat: portmgr Notes: svn path=/head/; revision=374698
* Fix LATEST_LINK.Cy Schubert2014-10-181-1/+0
| | | | Notes: svn path=/head/; revision=371142
* MIT Kerberos released 1.13; 1.12 becomes a maintenance release,Cy Schubert2014-10-161-2/+2
| | | | | | | | | | | | | 1.11 remains a maintenance release. - Update security/krb5 1.12.2 --> 1.13 - Copy the old security/krb5 1.12.2 to security/krb5-112 (now a maintenance release supported by MIT) - Move the old krb5-maint (1.11.5: old maintenance release) to security/krb5-111 (the old maintenance release still supported by MIT) Notes: svn path=/head/; revision=371019
* Update 1.12.1 --> 1.12.2.Cy Schubert2014-08-131-5/+9
| | | | | | | Add readline non-default option. Notes: svn path=/head/; revision=364798
* net/openldap24-*:Tijl Coosemans2014-07-241-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - Convert to USES=libtool and bump dependent ports - Avoid USE_AUTOTOOLS - Don't use PTHREAD_LIBS - Use MAKE_CMD databases/glom: - Drop :keepla - Add INSTALL_TARGET=install-strip databases/libgda4* databases/libgda5*: - Convert to USES=libtool and bump dependent ports - USES=tar:xz - Use INSTALL_TARGET=install-strip - Use @sample databases/libgdamm: - Drop :keepla - USES=tar:bzip2 - Use INSTALL_TARGET=install-strip databases/libgdamm5: - Add INSTALL_TARGET=install-strip - Drop --enable-static (inherited from old repocopy) devel/anjuta x11-toolkits/py-gnome-extras: - Drop :keepla dns/powerdns dns/powerdns-devel: - Convert to USES=libtool - Add INSTALL_TARGET=install-strip - Disable static modules - Stop creating library symlinks with .0 suffix, not needed for dynamically opened modules mail/dovecot2: - Add USES=libtool mail/dovecot2-pigeonhole: - Drop CONFIGURE_TARGET (incorrect for Dragonfly) - Add USES=libtool and INSTALL_TARGET=install-strip math/gnumeric: - USES=libtool tar:xz Approved by: portmgr (implicit, bump unstaged ports) Notes: svn path=/head/; revision=362835
* Fix build when KRB5_HOME != LOCALBASE.Cy Schubert2014-05-271-3/+4
| | | | | | | Submitted by: hrs Notes: svn path=/head/; revision=355569
* Finely tune KRB5_HOME test when using LIB_DEPENDS. in the case whenCy Schubert2014-04-241-0/+2
| | | | | | | KRB5_HOME is set to LOCALBASE. Notes: svn path=/head/; revision=351983
* Remove extraneious MAN assignments.Cy Schubert2014-04-231-9/+0
| | | | Notes: svn path=/head/; revision=351910
* - Add a startup script for kpropdBrad Davis2014-04-211-1/+2
| | | | | | | | | PR: 183502 Submitted by: brd@ Approved by: bdrewery@ Notes: svn path=/head/; revision=351689
* Fix new patch.Cy Schubert2014-04-191-1/+1
| | | | | | | Point hat to: self Notes: svn path=/head/; revision=351580
* KRB5_HOME no longer works with LIB_DEPENDS. Mark broken when set.Cy Schubert2014-04-181-0/+1
| | | | Notes: svn path=/head/; revision=351512
* 1. Fix build when using clang 3.4.Cy Schubert2014-04-171-7/+7
| | | | | | | | | | | 2. RTM_OLDADD and RTM_OLDDEL were removed from -stable. Thanks alfred@ for this patch. 3. Stagify. Submitted by: alfred (#2) Notes: svn path=/head/; revision=351495
* Update 1.12 --> 1.12.1Cy Schubert2014-01-161-1/+1
| | | | Notes: svn path=/head/; revision=339911
generated by cgit v1.2.3 (git 2.25.1) at 2024-04-23 06:56:19 +0000