From 6603c22686c96cee259b82657b7e5597f021f1d5 Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Sat, 31 Jan 2009 04:00:10 +0000 Subject: [PATCH] README and patchlevel.h for 1.7 release branch git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21852 dc483132-0cff-0310-8789-dd5450dbe970 --- README | 29 ++++++++++++++++++++++++++++- src/patchlevel.h | 2 +- 2 files changed, 29 insertions(+), 2 deletions(-) diff --git a/README b/README index a945960f6..5b1c82a9a 100644 --- a/README +++ b/README @@ -59,12 +59,34 @@ http://krbdev.mit.edu/rt/ and logging in as "guest" with password "guest". +DES transition +-------------- + +The Data Encryption Standard (DES) is widely recognized as weak. The +krb5-1.7 release will contain measures to encourage sites to migrate +away from using single-DES cryptosystems. Among these is a +configuration variable that enables "weak" enctypes, but will default +to "false" in the future. Depending on the outcome of ongoing +discussion on krbdev@mit.edu, this default could change prior to the +final release of krb5-1.7. + +Additional measures to ease the transition away from DES are planned +for the final krb5-1.7 release. + Major changes in 1.7 -------------------- * Remove support for version 4 of the Kerberos protocol (krb4). -* Client library now follows client principal referrals. +* New libdefaults configuration variable "allow_weak_crypto". NOTE: + Currently defaults to "false", but may default to "true" in a future + release. Setting this variable to "false" will have the effect of + removing weak enctypes (currently defined to be all single-DES + enctypes) from permitted_enctypes, default_tkt_enctypes, and + default_tgs_enctypes. + +* Client library now follows client principal referrals, for + compatibility with Windows. * KDC can issue realm referrals for service principals based on domain names. @@ -80,6 +102,11 @@ Major changes in 1.7 * DCE RPC, including three-leg GSS context setup and unencapsulated GSS tokens. +* NTLM recognition support in GSS-API, to facilitate dropping in an + NTLM implementation. + +* KDC support for principal aliases, if the back end supports them. + * Microsoft set/change password (RFC 3244) protocol in kadmind. * Master key rollover support. diff --git a/src/patchlevel.h b/src/patchlevel.h index 288422287..5e8acf651 100644 --- a/src/patchlevel.h +++ b/src/patchlevel.h @@ -55,4 +55,4 @@ #define KRB5_PATCHLEVEL 0 #define KRB5_RELTAIL "prerelease" /* #undef KRB5_RELDATE */ -#define KRB5_RELTAG "trunk" +#define KRB5_RELTAG "branches/krb5-1-7" -- 2.26.2