Code quality:
+* Fix MITKRB5-SA-2010-007 checksum vulnerabilities (CVE-2010-1324 and others)
* Python-based testing framework
* DAL cleanup
Performance:
-* Account lockout performance improvements
+* Account lockout performance improvements -- allow disabling of some
+ account lockout functionality to reduce the number of write
+ operations to the database during authentication
Administrator experience:
-* Trace logging
-* Plugin interface for password sync
-* Plugin interface for password quality checks
+* Trace logging -- for easier diagnosis of configuration problems
+
+* Support for purging old keys (e.g. from "cpw -randkey -keepold")
+
+* Plugin interface for password sync -- based on proposed patches by
+ Russ Allbery that support his krb5-sync package
+
+* Plugin interface for password quality checks -- enables pluggable
+ password quality checks similar to Russ Allbery's krb5-strength
+ package
+
* Configuration file validator
-* KDC support for SecurID preauthentication
+
+* KDC support for SecurID preauthentication -- This is the old SAM-2
+ protocol, implemented to support existing deployments, not the
+ in-progress FAST-OTP work.
Protocol evolution:
-* IAKERB
+* IAKERB -- a mechanism for tunneling Kerberos KDC transactions over
+ GSS-API, enabling clients to authenticate to services even when the
+ clients cannot directly reach the KDC that serves the services.
+
* Camellia encryption (experimental; disabled by default)
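Review bot: The added MITKRB5-SA-2010-007 entry under "Code quality" names only CVE-2010-1324 and leaves the rest as "and others", so an administrator checking exposure against a CVE list cannot tell from this README which identifiers the release covers. List each CVE the advisory assigns, or say that the advisory is the authoritative list. The reworded account lockout entry has a similar gap: it says "some account lockout functionality" can be disabled to reduce database writes, but names neither the settings involved nor which lockout behaviour is lost when they are turned off, which is what someone weighing the performance gain needs to know. Minor: the SecurID entry capitalizes "This" after the "--", where every other added description continues in lower case.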
krb5-1.9 changes by ticket ID
-----------------------------
+1219 mechanism to delete old keys should exist
2032 No advanced warning of password expiry
5014 kadmin (and other utilities) should report enctypes as it takes them
6647 Memory leak in kdc
6811 Mark Camellia-CCM code as experimental
6812 krb5_get_credentials should not fail due to inability to store
a credential in a cache
+6815 Failed kdb5_util load removes real database
+6819 Handle referral realm in kprop client principal
+6820 Read KDC profile settings in kpropd
+6822 Implement Camellia-CTS-CMAC instead of Camellia-CCM
+6823 getdate.y: declare yyparse
+6824 Export krb5_tkt_creds_get
+6825 Add missing KRB5_CALLCONV in callback declaration
+6826 Fix Windows build
+6827 SA-2010-007 Checksum vulnerabilities (CVE-2010-1324 and others)
+6828 Install kadm5_hook_plugin.h
+6829 Implement restrict_anonymous_to_tgt realm flag
+6838 Regression in renewable handling
+6839 handle MS PACs that lack server checksum
+6840 typo in plugin-related error message
+6841 memory leak in changepw.c
+6842 Ensure time() is prototyped in g_accept_sec_context.c
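Review bot: Ticket 6827 refers to the advisory as "SA-2010-007" while the feature list in this same patch uses "MITKRB5-SA-2010-007"; use the full identifier in both places so a search for the advisory name finds both entries. Ticket 6829 adds a restrict_anonymous_to_tgt realm flag, which by its name limits what anonymous clients can obtain, yet nothing in the major-changes list describes it; a one-line entry there would keep a security-relevant setting from being overlooked. The summaries for 6839, 6840 and 6841 start in lower case while the neighbouring added entries are capitalized.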
Acknowledgements
----------------
Ákos Frohner
Marcus Granado
Scott Grizzard
+ Helmut Grohne
Steve Grubb
Philip Guenther
Dominic Hargreaves