krb5-1.20 is released

<mailman.71.1653604683.8148.kerberos@mit.edu>

https://www.novabbs.com/devel/article-flat.php?id=269&group=comp.protocols.kerberos#269

Path: i2pn2.org!i2pn.org!usenet.blueworldhosting.com!feed1.usenet.blueworldhosting.com!tncsrv06.tnetconsulting.net!.POSTED.mailman.mit.edu!not-for-mail
From: ghud...@mit.edu (Greg Hudson)
Newsgroups: comp.protocols.kerberos
Subject: krb5-1.20 is released
Date: Thu, 26 May 2022 18:35:46 -0400
Organization: TNet Consulting
Lines: 119
Sender: kerberos-announce <kerberos-announce-bounces@mit.edu>
Message-ID: <mailman.71.1653604683.8148.kerberos@mit.edu>
References: <x7dh75brkfx.fsf@mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Injection-Info: tncsrv06.tnetconsulting.net; posting-host="mailman.mit.edu:18.7.21.50";
logging-data="3712"; mail-complaints-to="newsmaster@tnetconsulting.net"
To: kerberos-announce@mit.edu
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Unsubscribe: <https://mailman.mit.edu/mailman/options/kerberos>,
<mailto:kerberos-request@mit.edu?subject=unsubscribe>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos/>
List-Post: <mailto:kerberos@mit.edu>
List-Help: <mailto:kerberos-request@mit.edu?subject=help>
List-Subscribe: <https://mailman.mit.edu/mailman/listinfo/kerberos>,
<mailto:kerberos-request@mit.edu?subject=subscribe>
X-Mailman-Original-Message-ID: <x7dh75brkfx.fsf@mit.edu>
 by: Greg Hudson - Thu, 26 May 2022 22:35 UTC

The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.20. Please see below for a list of some major changes
included, or consult the README file in the source tree for a more
detailed list of significant changes.

RETRIEVING KERBEROS 5 RELEASE 1.20
==================================

You may retrieve the Kerberos 5 Release 1.20 source from the
following URL:

https://kerberos.org/dist/

The homepage for the krb5-1.20 release is:

https://web.mit.edu/kerberos/krb5-1.20/

Further information about Kerberos 5 may be found at the following
URL:

https://web.mit.edu/kerberos/

and at the MIT Kerberos Consortium web site:

https://www.kerberos.org/

PAC transition
==============

Beginning with release 1.20, the KDC will include minimal PACs in
tickets instead of AD-SIGNEDPATH authdata. S4U requests (protocol
transition and constrained delegation) must now contain valid PACs in
the incoming tickets. If only some KDCs in a realm have been upgraded
across version 1.20, the upgraded KDCs will reject S4U requests
containing tickets from non-upgraded KDCs and vice versa.

Triple-DES transition
=====================

Beginning with the krb5-1.19 release, a warning will be issued if
initial credentials are acquired using the des3-cbc-sha1 encryption
type. In future releases, this encryption type will be disabled by
default and eventually removed.

Beginning with the krb5-1.18 release, single-DES encryption types have
been removed.

Major changes in 1.20 (2022-05-26)
==================================

Administrator experience:

* Added a "disable_pac" realm relation to suppress adding PAC authdata
to tickets, for realms which do not need to support S4U requests.

* Most credential cache types will use atomic replacement when a cache
is reinitialized using kinit or refreshed from the client keytab.

* kprop can now propagate databases with a dump size larger than 4GB,
if both the client and server are upgraded.

* kprop can now work over NATs that change the destination IP address,
if the client is upgraded.

Developer experience:

* Updated the KDB interface. The sign_authdata() method is replaced
with the issue_pac() method, allowing KDB modules to add logon info
and other buffers to the PAC issued by the KDC.

* Host-based initiator names are better supported in the GSS krb5
mechanism.

Protocol evolution:

* Replaced AD-SIGNEDPATH authdata with minimal PACs.

* To avoid spurious replay errors, password change requests will not
be attempted over UDP until the attempt over TCP fails.

* PKINIT will sign its CMS messages with SHA-256 instead of SHA-1.

Code quality:

* Updated all code using OpenSSL to be compatible with OpenSSL 3.

* Reorganized the libk5crypto build system to allow the OpenSSL
back-end to pull in material from the builtin back-end depending on
the OpenSSL version.

* Simplified the PRNG logic to always use the platform PRNG.

* Converted the remaining Tcl tests to Python.
_______________________________________________
kerberos-announce mailing list
kerberos-announce@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos-announce
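
The Triple-DES transition notice above, as an added example that is not part of the original announcement or of MIT krb5 itself: a small auditor that scans krb5.conf/kdc.conf-style profile text for enctype relations that still name 3DES or single-DES types. The relation names and enctype aliases are taken from the MIT krb5 documentation rather than from this post (which names only des3-cbc-sha1), and the sample configuration is constructed.

```python
import re

# Enctype names and aliases as listed in the MIT krb5 documentation (assumption:
# the announcement itself names only des3-cbc-sha1 and "single-DES").
DES3 = {"des3", "des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd", "des3-cbc-raw"}
SINGLE_DES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw",
              "des-hmac-sha1"}
# Relations whose values are enctype lists (krb5.conf and kdc.conf).
ENCTYPE_RELATIONS = {"permitted_enctypes", "default_tkt_enctypes",
                     "default_tgs_enctypes", "supported_enctypes", "master_key_type"}

def audit_profile(text):
    """Return (line_no, scope, relation, enctype, status) for each legacy enctype."""
    findings, scope = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        section = re.fullmatch(r"\[(\w+)\]", line)
        if section:                              # e.g. [libdefaults], [realms]
            scope = [section.group(1)]
            continue
        if line.startswith("}"):                 # end of a realm subsection
            if len(scope) > 1:
                scope.pop()
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value == "{":                         # start of a realm subsection
            scope.append(key)
            continue
        if key not in ENCTYPE_RELATIONS:
            continue
        for token in re.split(r"[\s,]+", value):
            if token.startswith("-"):            # "-des3" removes a type: fine
                continue
            name = token.lstrip("+").split(":", 1)[0].lower()  # drop ":salt"
            if name in DES3:
                status = "3DES: warned since 1.19, to be disabled by default"
            elif name in SINGLE_DES:
                status = "single-DES: removed in 1.18"
            else:
                continue
            findings.append((no, "/".join(scope), key, name, status))
    return findings

# Constructed sample configuration, not taken from any real deployment.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.TEST
    permitted_enctypes = aes256-cts-hmac-sha1-96 des3-cbc-sha1
    default_tkt_enctypes = DEFAULT -des3

[realms]
    EXAMPLE.TEST = {
        supported_enctypes = aes256-cts:normal des3-hmac-sha1:normal des-cbc-crc:normal
    }
"""

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE):
        print("line %d [%s] %s: %s (%s)" % finding)
```

Findings in `supported_enctypes` only affect keys generated from now on; principals that already hold des3 keys need to be rekeyed separately.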

Re: krb5-1.20 is released

<a0575396-936d-4562-8a24-f7a560810090n@googlegroups.com>

https://www.novabbs.com/devel/article-flat.php?id=271&group=comp.protocols.kerberos#271

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!proxad.net!feeder1-2.proxad.net!209.85.160.216.MISMATCH!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.protocols.kerberos
Date: Sun, 29 May 2022 03:42:09 -0700 (PDT)
In-Reply-To: <mailman.71.1653604683.8148.kerberos@mit.edu>
Injection-Info: google-groups.googlegroups.com; posting-host=108.44.231.211; posting-account=x_5fPwoAAAC5bAU5tjeqVfhlbG9E6nU3
NNTP-Posting-Host: 108.44.231.211
References: <x7dh75brkfx.fsf@mit.edu> <mailman.71.1653604683.8148.kerberos@mit.edu>
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <a0575396-936d-4562-8a24-f7a560810090n@googlegroups.com>
Subject: Re: krb5-1.20 is released
From: todd.he...@gmail.com (Todd Heron)
Injection-Date: Sun, 29 May 2022 10:42:10 +0000
Content-Type: text/plain; charset="UTF-8"
 by: Todd Heron - Sun, 29 May 2022 10:42 UTC

Will this release bake into the Microsoft Windows Active Directory version of Kerberos, which uses Kerberos v5?

On Thursday, May 26, 2022 at 6:38:06 PM UTC-4, Greg Hudson wrote:
> The MIT Kerberos Team announces the availability of MIT Kerberos 5
> Release 1.20. Please see below for a list of some major changes
> included, or consult the README file in the source tree for a more
> detailed list of significant changes.
>
> RETRIEVING KERBEROS 5 RELEASE 1.20
> ==================================
>
> You may retrieve the Kerberos 5 Release 1.20 source from the
> following URL:
>
> https://kerberos.org/dist/
>
> The homepage for the krb5-1.20 release is:
>
> https://web.mit.edu/kerberos/krb5-1.20/
>
> Further information about Kerberos 5 may be found at the following
> URL:
>
> https://web.mit.edu/kerberos/
>
> and at the MIT Kerberos Consortium web site:
>
> https://www.kerberos.org/
>
>
> PAC transition
> ==============
>
> Beginning with release 1.20, the KDC will include minimal PACs in
> tickets instead of AD-SIGNEDPATH authdata. S4U requests (protocol
> transition and constrained delegation) must now contain valid PACs in
> the incoming tickets. If only some KDCs in a realm have been upgraded
> across version 1.20, the upgraded KDCs will reject S4U requests
> containing tickets from non-upgraded KDCs and vice versa.
>
>
> Triple-DES transition
> =====================
>
> Beginning with the krb5-1.19 release, a warning will be issued if
> initial credentials are acquired using the des3-cbc-sha1 encryption
> type. In future releases, this encryption type will be disabled by
> default and eventually removed.
>
> Beginning with the krb5-1.18 release, single-DES encryption types have
> been removed.
>
>
> Major changes in 1.20 (2022-05-26)
> ==================================
>
> Administrator experience:
>
> * Added a "disable_pac" realm relation to suppress adding PAC authdata
> to tickets, for realms which do not need to support S4U requests.
>
> * Most credential cache types will use atomic replacement when a cache
> is reinitialized using kinit or refreshed from the client keytab.
>
> * kprop can now propagate databases with a dump size larger than 4GB,
> if both the client and server are upgraded.
>
> * kprop can now work over NATs that change the destination IP address,
> if the client is upgraded.
>
> Developer experience:
>
> * Updated the KDB interface. The sign_authdata() method is replaced
> with the issue_pac() method, allowing KDB modules to add logon info
> and other buffers to the PAC issued by the KDC.
>
> * Host-based initiator names are better supported in the GSS krb5
> mechanism.
>
> Protocol evolution:
>
> * Replaced AD-SIGNEDPATH authdata with minimal PACs.
>
> * To avoid spurious replay errors, password change requests will not
> be attempted over UDP until the attempt over TCP fails.
>
> * PKINIT will sign its CMS messages with SHA-256 instead of SHA-1.
>
> Code quality:
>
> * Updated all code using OpenSSL to be compatible with OpenSSL 3.
>
> * Reorganized the libk5crypto build system to allow the OpenSSL
> back-end to pull in material from the builtin back-end depending on
> the OpenSSL version.
>
> * Simplified the PRNG logic to always use the platform PRNG.
>
> * Converted the remaining Tcl tests to Python.
> _______________________________________________
> kerberos-announce mailing list
> kerberos...@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos-announce
