krb5-1.7 release will contain measures to encourage sites to migrate
away from using single-DES cryptosystems. Among these is a
configuration variable that enables "weak" enctypes, but will default
-to "false" in the future.
+to "false" in the future. Additional migration aids are planned for
+future releases.
Major changes in 1.7
--------------------
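Review bot: the added sentence "Additional migration aids are planned for future releases" gives administrators nothing to act on, and the paragraph still does not name the configuration variable that enables "weak" enctypes or state its default in 1.7. Suggest naming the variable and its 1.7 default here, so sites can audit their configuration for single-DES use before the default changes to "false".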
NTLM implementation.
* KDC support for principal aliases, if the back end supports them.
+ Currently, only the LDAP back end supports aliases.
* Microsoft set/change password (RFC 3244) protocol in kadmind.
* Flexible Authentication Secure Tunneling (FAST), a preauthentiation
framework that can protect the AS exchange from dictionary attack.
-* Implement client support for GSS_C_DELEG_POLICY_FLAG, which allows a
- GSS application to delegate credentials only if permitted by KDC
- policy. One minor known bug, which will probably be fixed by final
- release, occurs when this functionality is used with cross-realm
- authentication; see RT ticket #6473.
+* Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which
+ allows a GSS application to request credential delegation only if
+ permitted by KDC policy.
* Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 --
various vulnerabilities in SPNEGO and ASN.1 code.
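Review bot: in the rewritten GSS_C_DELEG_POLICY_FLAG bullet, "permitted by KDC policy" does not say how that policy is expressed, while the ticket list in this same patch ties it to the ok-as-delegate flag (5596, 6473, 6485). Suggest mentioning ok-as-delegate in the bullet so readers can connect the GSS flag to the KDC-side setting. Dropping the cross-realm caveat is consistent with 6473 moving from the known-bugs list to the changes list. Separately, "preauthentiation" in the FAST bullet is misspelled.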
Known bugs by ticket ID
-----------------------
-6473 strip ok-as-delegate if not in cross-realm TGT chain
+6481 kdb ldap integration removed rev/recurse kdb5_util dumps
+6486 t_pac fails on SPARC Solaris
+6487 gss_unwrap_iov fails in stream mode
Changes by ticket ID
--------------------
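Review bot: the three new known-bug entries are raw ticket subjects, and "6481 kdb ldap integration removed rev/recurse kdb5_util dumps" in particular does not tell a reader what is broken. Suggest rewording each as the user-visible symptom: for 6481, which kdb5_util dump modes no longer work and with which back end; for 6487, whether gss_unwrap_iov callers outside stream mode are affected.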
5575 don't include time.h in CredentialsCache.h if it's not needed
5578 test commit handler
5580 provide asprintf functionality for internal use
+5587 PRF for non-AES enctypes
5589 krb5 trunk no longer builds on Windows - vsnprintf
implementation required
5590 gss krb5 mech enhanced error messages
5593 kadmind crash on Debian AMD64
5594 Work on compiling CCAPI test suite on Windows
5595 Problems with kpasswd and an IPv6 enviroment
+5596 patch for providing a way to set the ok-as-delegate flag
5598 ccs_pipe_t needs copy and release functions
5599 Added new autogenerated file to generate-files-mac target
5600 provide more useful error message when running kpropd on command line
6120 increase rpc timeout
6121 dead code in lib/rpc/clnt_udp.c
6131 Removed argument from kipc_client_lookup_server
-6133 C90 compliance
+6133 don't do C99-style mixing declarations with code
6138 Switch KfM back to error tables
6140 CCAPI should use common ipc and stream code
6142 KerberosAgent dialogs jump around the screen
6201 small leak in KDC authdata plugins
6202 kadmind leaks extended error strings
6203 DELEG_POLICY_FLAG for GSS
+6210 pa_sam leaks parts of krb5_sam_challenge
6211 pam_sam leaking outer krb5_data created by encode_krb5_sam_response
6214 krb5_change_set_password not freeing chpw_rep contents
6216 Free data in tests so leaks checking is easier
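Review bot: the added 6210 entry says "pa_sam" while the neighbouring 6211 entry says "pam_sam", so one of the two is probably a typo. Check both against the ticket subjects and the source file name, and use one spelling.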
6393 Implement TGS authenticator subkey support
6397 use macros for config parameter strings
6398 remove obsolete GNU.ORG realm info
-6400 [no subject]
+6400 GSSAPI authdata extraction should merge ticket and
+ authenticator authdata
6401 send_as_req re-encodes the request
6402 CVE-2009-0845 SPNEGO can dereference a null pointer
6403 kdb5_ldap_util create segfaults when
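Review bot: the 6403 entry in the context just below the new 6400 text ends mid-sentence at "segfaults when". The new 6400 subject is wrapped onto a continuation line, so the list format can carry long subjects; if this list is generated from ticket subjects, check why 6403 is cut off and restore the rest of it.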
6468 k5_utf8s_to_ucs2s could deref NULL pointer...
6469 fcc_generate_new destroys locked mutex on error
6470 Send explicit salt for SALTTYPE_NORMAL keys
+6472 typo in ksu error message
+6473 strip ok-as-delegate if not in cross-realm TGT chain
6474 move kadmin, ktutil, k5srvutil man pages to man1
+6475 Adding keys to malformed keytabs can infinitely extend the file
+6477 make installed headers C++-safe
+6478 Fix handling of RET_SEQUENCE flag in mk_priv/mk_ncred
+6479 Add DEBUG_ERROR_LOCATIONS support
+6480 Do not return PREAUTH_FAILED on unknown preauth
+6482 Allow more than 10 past keys to be stored by a policy
+6483 man1 in title header for man1 manpages
+6484 work around Heimdal not using subkey in TGS-REP
+6485 document ok_as_delegate in admin.texinfo
Copyright and Other Legal Notices
---------------------------------
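Review bot: the new entries spell the flag "ok-as-delegate" in 6473 (and in 5596 earlier in the list) but "ok_as_delegate" in 6485; if the underscore form is the literal name documented in admin.texinfo, say so, otherwise use one spelling. Also, 6475 (adding keys to a malformed keytab can extend the file without bound), 6480 (PREAUTH_FAILED no longer returned on unknown preauth) and 6482 (more than 10 past keys per policy) are behaviour changes administrators may notice, yet they appear only in this ticket list; consider a line for them under "Major changes in 1.7".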