non port: security/krb5-116/Makefile

Number of commits found: 21

Wednesday, 19 Feb 2020
02:42 cy
Welcome the new KRB5 1.18 (krb5-118)

In addition, deprecate krb5-116 to retire one year after the release
of krb5-118: Feb 12, 2021.

Major changes in 1.18 (2020-02-12)
==================================

Administrator experience:

* Remove support for single-DES encryption types.

* Change the replay cache format to be more efficient and robust.
  Replay cache filenames using the new format end with ".rcache2" by
  default.

* setuid programs will automatically ignore environment variables that
  normally affect krb5 API functions, even if the caller does not use
  krb5_init_secure_context().

* Add an "enforce_ok_as_delegate" krb5.conf relation to disable
  credential forwarding during GSSAPI authentication unless the KDC
  sets the ok-as-delegate bit in the service ticket.

* Use the permitted_enctypes krb5.conf setting as the default value
  for default_tkt_enctypes and default_tgs_enctypes.

Developer experience:

* Implement krb5_cc_remove_cred() for all credential cache types.

* Add the krb5_pac_get_client_info() API to get the client account
  name from a PAC.

Protocol evolution:

* Add KDC support for S4U2Self requests where the user is identified
  by X.509 certificate.  (Requires support for certificate lookup from
  a third-party KDB module.)

* Remove support for an old ("draft 9") variant of PKINIT.

* Add support for Microsoft NegoEx.  (Requires one or more third-party
  GSS modules implementing NegoEx mechanisms.)

* Honor the transited-policy-checked ticket flag on application
  servers, eliminating the requirement to configure capaths on
  servers in some scenarios.

User experience:

* Add support for "dns_canonicalize_hostname=fallback", causing
  host-based principal names to be tried first without DNS
  canonicalization, and again with DNS canonicalization if the
  un-canonicalized server is not found.

* Expand single-component hostnames in host-based principal names when
  DNS canonicalization is not used, adding the system's first DNS
  search path as a suffix.  Add a "qualify_shortname" krb5.conf
  relation to override this suffix or disable expansion.

Code quality:

* The libkrb5 serialization code (used to export and import krb5 GSS
  security contexts) has been simplified and made type-safe.

* The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
  messages has been revised to conform to current coding practices.

* The test suite has been modified to work with macOS System Integrity
  Protection enabled.

* The test suite incorporates soft-pkcs11 so that PKINIT PKCS11
  support can always be tested.
Original commit revision: 526479
Thursday, 12 Dec 2019
20:55 cy
Update 1.16.3 --> 1.16.4
Original commit revision: 519947
Tuesday, 9 Apr 2019
14:04 sunpoet
Update devel/readline to 8.0

- Bump PORTREVISION of dependent ports for shlib change

Changes:	https://tiswww.case.edu/php/chet/readline/CHANGES
PR:		236156
Exp-run by:	antoine
Original commit revision: 498476
Friday, 15 Feb 2019
04:37 cy
Provide a script from which to start krb5kdc through /etc/rc.d/kdc.
Simply add kdc_enable="YES" and kdc_program="/usr/local/sbin/kdc"
to /etc/rc.d. The script removes the Heimdal kdc --detach argument
prior to invoking krb5kdc.

The other approach that was considered was to replace getopt() in
kdc/main.c with getopt_long() however this approach was considered too
intrusive.
Original commit revision: 492968
Sunday, 13 Jan 2019
15:57 cy
pkgconfig is used at build time, not runtime.

MFH:		2019Q1 (krb5-devel will need to have all its previous
		commits brought up to level in 2019Q1 first)
Original commit revision: 490150
Tuesday, 8 Jan 2019
20:29 cy
Welcome the new KRB5 1.17 (krb5-117).

Major changes in 1.17 (2019-01-08)
==================================

Administrator experience:

* A new Kerberos database module using the Lightning Memory-Mapped
  Database library (LMDB) has been added.  The LMDB KDB module should
  be more performant and more robust than the DB2 module, and may
  become the default module for new databases in a future release.

* "kdb5_util dump" will no longer dump policy entries when specific
  principal names are requested.

Developer experience:

* The new krb5_get_etype_info() API can be used to retrieve enctype,
  salt, and string-to-key parameters from the KDC for a client
  principal.

* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
  principal names to be used with GSS-API functions.

* KDC and kadmind modules which call com_err() will now write to the
  log file in a format more consistent with other log messages.

* Programs which use large numbers of memory credential caches should
  perform better.

Protocol evolution:

* The SPAKE pre-authentication mechanism is now supported.  This
  mechanism protects against password dictionary attacks without
  requiring any additional infrastructure such as certificates.  SPAKE
  is enabled by default on clients, but must be manually enabled on
  the KDC for this release.

* PKINIT freshness tokens are now supported.  Freshness tokens can
  protect against scenarios where an attacker uses temporary access to
  a smart card to generate authentication requests for the future.

* Password change operations now prefer TCP over UDP, to avoid
  spurious error messages about replays when a response packet is
  dropped.

* The KDC now supports cross-realm S4U2Self requests when used with a
  third-party KDB module such as Samba's.  The client code for
  cross-realm S4U2Self requests is also now more robust.

User experience:

* The new ktutil addent -f flag can be used to fetch salt information
  from the KDC for password-based keys.

* The new kdestroy -p option can be used to destroy a credential cache
  within a collection by client principal name.

* The Kerberos man page has been restored, and documents the
  environment variables that affect programs using the Kerberos
  library.

Changes to the FreeBSD krb5* ports include:

* CONFLICTS updated in krb5-115 and krb5-116 taking krb5-117 in
  consideration.

* The default krb5 port is now krb5-117.

* MIT's practice is to EOL KRB5 n-2. krb5-115 is deprecated and set
  to expire Jan 31, 2020.
Original commit revision: 489737
20:02 cy
Correct CONFLICTS.

MFH:		2019Q1
Original commit revision: 489735
01:41 cy
Update 1.16.2 --> 1.16.3

Major changes in 1.16.3 (2019-01-07)
====================================

This is a bug fix release.

* Fix a regression in the MEMORY credential cache type which could
  cause client programs to crash.

* MEMORY credential caches will not be listed in the global
  collection, with the exception of the default credential cache if it
  is of type MEMORY.

* Remove an incorrect assertion in the KDC which could be used to
  cause a crash [CVE-2018-20217].

MFH:		2019Q1
Original commit revision: 489636
Friday, 2 Nov 2018
15:51 cy
krb5-116: update 1.16.1 --> 1.16.2
Original commit revision: 483818
Monday, 2 Jul 2018
05:57 cy
While working the ports fallout due to making Heimdal in base
private it was discovered that com_err.3, though distributed in
the tarball, was not installed. Install it.
Original commit revision: 473706
Tuesday, 19 Jun 2018
13:38 cy
Revert r472760 and instead use upstream git commit
beeb2828945a41d86488e391ce440bacee0ec committed to the krb5
development branch Saturday, June 16. The upstream commit
message follows:

  Author: Thomas Sondergaard <tsondergaard@vitalimages.com>
  Date:   Sat Jun 16 18:14:50 2018 +0200

     Eliminate use of the 'register' keyword

     'register' is a reserved and unused keyword in C++17 so having it
     present in the public headers presents a compatibility issue. Also
     in C the 'register' keyword is mostly obsolete, so remove all uses of
     it.

     [ghudson@mit.edu: adjusted style of some of the affected lines]
Original commit revision: 472784
06:51 cy
While working on the ports fallout due to the private Heimdal in base
project, a port (www/squid-devel) was discovered to be grumpy due to
numerous errors such as below:

/usr/local/include/krb5/krb5.h:3566:19: error: 'register' storage class
specifier is deprecated and incompatible with C++17
[-Werror,-Wdeprecated-register]
                  register char **name);
                  ^~~~~~~~~

The "register" keyword is meaningless and can cause grief among ports
that build against any of the krb5 ports.
Original commit revision: 472760
Wednesday, 13 Jun 2018
05:55 cy
MIT krb5 fails to build with boringssl installed due to a missing
typedef for PKCS7 in the boringssl pkcs7.h.
Original commit revision: 472287
05:44 cy
Fix build with libressl and bearssl.

PR:		228970
Original commit revision: 472286
Tuesday, 12 Jun 2018
03:42 cy
Fix logic from patch supplied in PR 217027, committed in
r433966 and r433967.

PR:		228900
Original commit revision: 472227
Friday, 4 May 2018
06:18 cy
Update 1.16 --> 1.16.1

Major changes in 1.16.1 (2018-05-03)
====================================

This is a bug fix release.

* Fix flaws in LDAP DN checking, including a null dereference KDC
  crash which could be triggered by kadmin clients with administrative
  privileges [CVE-2018-5729, CVE-2018-5730].

* Fix a KDC PKINIT memory leak.

* Fix a small KDC memory leak on transited or authdata errors when
  processing TGS requests.

* Fix a regression in pkinit_cert_match matching of client
  certificates containing Microsoft UPN SANs.

* Fix a null dereference when the KDC sends a large TGS reply.

* Fix "kdestroy -A" with the KCM credential cache type.

* Allow validation of Microsoft PACs containing enterprise names.

* Fix the handling of capaths "." values.

* Fix handling of repeated subsection specifications in profile files
  (such as when multiple included files specify relations in the same
  subsection).
Original commit revision: 469006
Thursday, 29 Mar 2018
14:53 mat
Mark some ports broken with openssl-devel.

Sponsored by:	Absolight
Original commit revision: 465899
Friday, 2 Feb 2018
06:50 cy
Fix build when NLS option is unchecked.

Reported by:	Geraud CONTINSOUZAS <geraud.continsouzas@skazy.nc>
Original commit revision: 460669
Thursday, 11 Jan 2018
16:24 danfe
Remove superfluous linefeeds.
Original commit revision: 458754
Wednesday, 10 Jan 2018
15:08 danfe
Do not abuse INSTALL_MAN when installing documentation, examples, and
other miscellaneous files which are not actually manual pages.
Original commit revision: 458646
Wednesday, 6 Dec 2017
04:18 cy
Welcome the new security/krb5-116 port. This port follows MIT's
KRB5 1.16 releases.

Major changes in 1.16 (2017-12-05)
==================================

Administrator experience:

* The KDC can match PKINIT client certificates against the
  "pkinit_cert_match" string attribute on the client principal entry,
  using the same syntax as the existing "pkinit_cert_match" profile
  option.

* The ktutil addent command supports the "-k 0" option to ignore the
  key version, and the "-s" option to use a non-default salt string.
(Only the first 15 lines of the commit message are shown above.)
Original commit revision: 455634