Diffstat (limited to 'doc/html/mitK5features.html')
| -rw-r--r-- | doc/html/mitK5features.html | 82 |
1 files changed, 77 insertions, 5 deletions
diff --git a/doc/html/mitK5features.html b/doc/html/mitK5features.html index 7fa633c6c643..5fd257df2576 100644 --- a/doc/html/mitK5features.html +++ b/doc/html/mitK5features.html @@ -15,7 +15,7 @@ <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: './', - VERSION: '1.15.1', + VERSION: '1.16', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', HAS_SOURCE: true @@ -73,8 +73,8 @@ <dl class="docutils"> <dt>Releases:</dt> <dd><ul class="first last simple"> -<li>Latest stable: <a class="reference external" href="http://web.mit.edu/kerberos/krb5-1.15/">http://web.mit.edu/kerberos/krb5-1.15/</a></li> -<li>Supported: <a class="reference external" href="http://web.mit.edu/kerberos/krb5-1.14/">http://web.mit.edu/kerberos/krb5-1.14/</a></li> +<li>Latest stable: <a class="reference external" href="http://web.mit.edu/kerberos/krb5-1.16/">http://web.mit.edu/kerberos/krb5-1.16/</a></li> +<li>Supported: <a class="reference external" href="http://web.mit.edu/kerberos/krb5-1.15/">http://web.mit.edu/kerberos/krb5-1.15/</a></li> <li>Release cycle: 9 – 12 months</li> </ul> </dd> @@ -219,7 +219,7 @@ old keys. <a class="reference external" href="http://cve.mitre.org/cgi-bin/cvena <li>Add client support for the Kerberos Cache Manager protocol. If the host is running a Heimdal kcm daemon, caches served by the daemon can be accessed with the KCM: cache type.</li> -<li>When built on OS X 10.7 and higher, use “KCM:” as the default +<li>When built on macOS 10.7 and higher, use “KCM:” as the default cachetype, unless overridden by command-line options or krb5-config values.</li> <li>Add support for doing unlocked database dumps for the DB2 KDC 
@@ -363,6 +363,78 @@ conform to Suite B crypto requirements.</li> </ul> </li> </ul> +<p>Release 1.16</p> +<ul class="simple"> +<li>Administrator experience:<ul> +<li>The KDC can match PKINIT client certificates against the +“pkinit_cert_match” string attribute on the client principal +entry, using the same syntax as the existing “pkinit_cert_match” +profile option.</li> +<li>The ktutil addent command supports the “-k 0” option to ignore the +key version, and the “-s” option to use a non-default salt string.</li> +<li>kpropd supports a –pid-file option to write a pid file at +startup, when it is run in standalone mode.</li> +<li>The “encrypted_challenge_indicator” realm option can be used to +attach an authentication indicator to tickets obtained using FAST +encrypted challenge pre-authentication.</li> +<li>Localization support can be disabled at build time with the +–disable-nls configure option.</li> +</ul> +</li> +<li>Developer experience:<ul> +<li>The kdcpolicy pluggable interface allows modules control whether +tickets are issued by the KDC.</li> +<li>The kadm5_auth pluggable interface allows modules to control +whether kadmind grants access to a kadmin request.</li> +<li>The certauth pluggable interface allows modules to control which +PKINIT client certificates can authenticate to which client +principals.</li> +<li>KDB modules can use the client and KDC interface IP addresses to +determine whether to allow an AS request.</li> +<li>GSS applications can query the bit strength of a krb5 GSS context +using the GSS_C_SEC_CONTEXT_SASL_SSF OID with +gss_inquire_sec_context_by_oid().</li> +<li>GSS applications can query the impersonator name of a krb5 GSS +credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with +gss_inquire_cred_by_oid().</li> +<li>kdcpreauth modules can query the KDC for the canonicalized +requested client principal name, or match a principal name against +the requested client principal name with canonicalization.</li> +</ul> +</li> 
+<li>Protocol evolution:<ul> +<li>The client library will continue to try pre-authentication +mechanisms after most failure conditions.</li> +<li>The KDC will issue trivially renewable tickets (where the +renewable lifetime is equal to or less than the ticket lifetime) +if requested by the client, to be friendlier to scripts.</li> +<li>The client library will use a random nonce for TGS requests +instead of the current system time.</li> +<li>For the RC4 string-to-key or PAC operations, UTF-16 is supported +(previously only UCS-2 was supported).</li> +<li>When matching PKINIT client certificates, UPN SANs will be matched +correctly as UPNs, with canonicalization.</li> +</ul> +</li> +<li>User experience:<ul> +<li>Dates after the year 2038 are accepted (provided that the platform +time facilities support them), through the year 2106.</li> +<li>Automatic credential cache selection based on the client realm +will take into account the fallback realm and the service +hostname.</li> +<li>Referral and alternate cross-realm TGTs will not be cached, +avoiding some scenarios where they can be added to the credential +cache multiple times.</li> +<li>A German translation has been added.</li> +</ul> +</li> +<li>Code quality:<ul> +<li>The build is warning-clean under clang with the configured warning +options.</li> +<li>The automated test suite runs cleanly under AddressSanitizer.</li> +</ul> +</li> +</ul> <p><cite>Pre-authentication mechanisms</cite></p> <ul class="simple"> <li>PW-SALT <span class="target" id="index-11"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc4120.html#section-5.2.7.3"><strong>RFC 4120</strong></a></li> @@ -435,7 +507,7 @@ conform to Suite B crypto requirements.</li> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.15.1</i><br /> + <div class="right" ><i>Release: 1.16</i><br /> © <a href="copyright.html">Copyright</a> 1985-2017, MIT. </div> <div class="left"> |
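Review bot: In the first hunk (@@ -15,7) the `VERSION: '1.16'` value sits in Sphinx-generated output, so it should come from a docs rebuild rather than a hand edit; please confirm the same rebuild also regenerated the other pages under doc/html, since the diffstat shown here is filtered to mitK5features.html and a partially regenerated tree would leave pages advertising different versions.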
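Review bot: In the releases hunk (@@ -73,8) the updated "Latest stable" and "Supported" links still use plain `http://web.mit.edu/kerberos/krb5-1.16/` and `http://web.mit.edu/kerberos/krb5-1.15/`; since these point users at release downloads, prefer `https://` so the link is not trivially redirected on the wire.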
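Review bot: In the OS X → macOS hunk (@@ -219,7) the changed line keeps "default cachetype" as one word while the unchanged context two lines above says "the KCM: cache type"; suggest "use “KCM:” as the default cache type" for consistency while this line is being touched.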
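Review bot: In the Release 1.16 hunk (@@ -363,6) the kdcpolicy entry is missing a word: "allows modules control whether tickets are issued" should read "allows modules to control whether tickets are issued", matching the kadm5_auth and certauth entries next to it. In the same hunk the options are rendered as "–pid-file" and "–disable-nls" with an en dash, so anyone copying them from the page gets an invalid flag; mark them as inline literals in the source (``--pid-file``, ``--disable-nls``) so Sphinx does not smart-quote the double hyphen.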
