non port: security/krb5-116/Makefile |
Number of commits found: 21 |
Wednesday, 19 Feb 2020
|
02:42 cy
Welcome the new KRB5 1.18 (krb5-118)
In addition, deprecate krb5-116 to retire one year after the release
of krb5-118: Feb 12, 2021.
Major changes in 1.18 (2020-02-12)
==================================
Administrator experience:
* Remove support for single-DES encryption types.
* Change the replay cache format to be more efficient and robust.
Replay cache filenames using the new format end with ".rcache2" by
default.
* setuid programs will automatically ignore environment variables that
normally affect krb5 API functions, even if the caller does not use
krb5_init_secure_context().
* Add an "enforce_ok_as_delegate" krb5.conf relation to disable
credential forwarding during GSSAPI authentication unless the KDC
sets the ok-as-delegate bit in the service ticket.
* Use the permitted_enctypes krb5.conf setting as the default value
for default_tkt_enctypes and default_tgs_enctypes.
Developer experience:
* Implement krb5_cc_remove_cred() for all credential cache types.
* Add the krb5_pac_get_client_info() API to get the client account
name from a PAC.
Protocol evolution:
* Add KDC support for S4U2Self requests where the user is identified
by X.509 certificate. (Requires support for certificate lookup from
a third-party KDB module.)
* Remove support for an old ("draft 9") variant of PKINIT.
* Add support for Microsoft NegoEx. (Requires one or more third-party
GSS modules implementing NegoEx mechanisms.)
* Honor the transited-policy-checked ticket flag on application
servers, eliminating the requirement to configure capaths on
servers in some scenarios.
User experience:
* Add support for "dns_canonicalize_hostname=fallback", causing
host-based principal names to be tried first without DNS
canonicalization, and again with DNS canonicalization if the
un-canonicalized server is not found.
* Expand single-component hostnames in host-based principal names when
DNS canonicalization is not used, adding the system's first DNS
search path as a suffix. Add a "qualify_shortname" krb5.conf
relation to override this suffix or disable expansion.
Code quality:
* The libkrb5 serialization code (used to export and import krb5 GSS
security contexts) has been simplified and made type-safe.
* The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
messages has been revised to conform to current coding practices.
* The test suite has been modified to work with macOS System Integrity
Protection enabled.
* The test suite incorporates soft-pkcs11 so that PKINIT PKCS11
support can always be tested.
|
Thursday, 12 Dec 2019
|
20:55 cy
Update 1.16.3 --> 1.16.4
|
Tuesday, 9 Apr 2019
|
14:04 sunpoet
Update devel/readline to 8.0
- Bump PORTREVISION of dependent ports for shlib change
Changes: https://tiswww.case.edu/php/chet/readline/CHANGES
PR: 236156
Exp-run by: antoine
|
Friday, 15 Feb 2019
|
04:37 cy
Provide a script from which to start krb5kdc through /etc/rc.d/kdc.
Simply add kdc_enable="YES" and kdc_program="/usr/local/sbin/kdc"
to /etc/rc.d. The script removes the Heimdal kdc --detach argument
prior to invoking krb5kdc.
The other approach that was considered was to replace getopt() in
kdc/main.c with getopt_long() however this approach was considered too
intrusive.
|
Sunday, 13 Jan 2019
|
15:57 cy
pkgconfig is used at build time, not runtime.
MFH: 2019Q1 (krb5-devel will need to have all its previous
commits brought up to level in 2019Q1 first)
|
Tuesday, 8 Jan 2019
|
20:29 cy
Welcome the new KRB5 1.17 (krb5-117).
Major changes in 1.17 (2019-01-08)
==================================
Administrator experience:
* A new Kerberos database module using the Lightning Memory-Mapped
Database library (LMDB) has been added. The LMDB KDB module should
be more performant and more robust than the DB2 module, and may
become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific
principal names are requested.
Developer experience:
* The new krb5_get_etype_info() API can be used to retrieve enctype,
salt, and string-to-key parameters from the KDC for a client
principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the
log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should
perform better.
Protocol evolution:
* The SPAKE pre-authentication mechanism is now supported. This
mechanism protects against password dictionary attacks without
requiring any additional infrastructure such as certificates. SPAKE
is enabled by default on clients, but must be manually enabled on
the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can
protect against scenarios where an attacker uses temporary access to
a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid
spurious error messages about replays when a response packet is
dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a
third-party KDB module such as Samba's. The client code for
cross-realm S4U2Self requests is also now more robust.
User experience:
* The new ktutil addent -f flag can be used to fetch salt information
from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache
within a collection by client principal name.
* The Kerberos man page has been restored, and documents the
environment variables that affect programs using the Kerberos
library.
Changes to the FreeBSD krb5* ports include:
* CONFLICTS updated in krb5-115 and krb5-116 taking krb5-117 into
consideration.
* The default krb5 port is now krb5-117.
* MIT's practice is to EOL KRB5 n-2. krb5-115 is deprecated and set
to expire Jan 31, 2020.
|
20:02 cy
Correct CONFLICTS.
MFH: 2019Q1
|
01:41 cy
Update 1.16.2 --> 1.16.3
Major changes in 1.16.3 (2019-01-07)
====================================
This is a bug fix release.
* Fix a regression in the MEMORY credential cache type which could
cause client programs to crash.
* MEMORY credential caches will not be listed in the global
collection, with the exception of the default credential cache if it
is of type MEMORY.
* Remove an incorrect assertion in the KDC which could be used to
cause a crash [CVE-2018-20217].
MFH: 2019Q1
|
Friday, 2 Nov 2018
|
15:51 cy
krb5-116: update 1.16.1 --> 1.16.2
|
Monday, 2 Jul 2018
|
05:57 cy
While working the ports fallout due to making Heimdal in base
private, it was discovered that com_err.3, though distributed in
the tarball, was not installed. Install it.
|
Tuesday, 19 Jun 2018
|
13:38 cy
Revert r472760 and instead use upstream git commit
beeb2828945a41d86488e391ce440bacee0ec committed to the krb5
development branch Saturday, June 16. The upstream commit
message follows:
Author: Thomas Sondergaard <tsondergaard@vitalimages.com>
Date: Sat Jun 16 18:14:50 2018 +0200
Eliminate use of the 'register' keyword
'register' is a reserved and unused keyword in C++17 so having it
present in the public headers presents a compatibility issue. Also
in C the 'register' keyword is mostly obsolete, so remove all uses of
it.
[ghudson@mit.edu: adjusted style of some of the affected lines]
|
06:51 cy
While working on the ports fallout due to the private Heimdal in base
project, a port (www/squid-devel) was discovered to be grumpy due to
numerous errors such as below:
/usr/local/include/krb5/krb5.h:3566:19: error: 'register' storage class
specifier is deprecated and incompatible with C++17
[-Werror,-Wdeprecated-register]
register char **name);
^~~~~~~~~
The "register" keyword is meaningless and can cause grief among ports
that build against any of the krb5 ports.
|
Wednesday, 13 Jun 2018
|
05:55 cy
MIT krb5 fails to build with boringssl installed due to a missing
typedef for PKCS7 in the boringssl pkcs7.h.
|
05:44 cy
Fix build with libressl and bearssl.
PR: 228970
|
Tuesday, 12 Jun 2018
|
03:42 cy
Fix logic from patch supplied in PR 217027, committed in
r433966 and r433967.
PR: 228900
|
Friday, 4 May 2018
|
06:18 cy
Update 1.16 --> 1.16.1
Major changes in 1.16.1 (2018-05-03)
====================================
This is a bug fix release.
* Fix flaws in LDAP DN checking, including a null dereference KDC
crash which could be triggered by kadmin clients with administrative
privileges [CVE-2018-5729, CVE-2018-5730].
* Fix a KDC PKINIT memory leak.
* Fix a small KDC memory leak on transited or authdata errors when
processing TGS requests.
* Fix a regression in pkinit_cert_match matching of client
certificates containing Microsoft UPN SANs.
* Fix a null dereference when the KDC sends a large TGS reply.
* Fix "kdestroy -A" with the KCM credential cache type.
* Allow validation of Microsoft PACs containing enterprise names.
* Fix the handling of capaths "." values.
* Fix handling of repeated subsection specifications in profile files
(such as when multiple included files specify relations in the same
subsection).
|
Thursday, 29 Mar 2018
|
14:53 mat
Mark some ports broken with openssl-devel.
Sponsored by: Absolight
|
Friday, 2 Feb 2018
|
06:50 cy
Fix build when NLS option is unchecked.
Reported by: Geraud CONTINSOUZAS <geraud.continsouzas@skazy.nc>
|
Thursday, 11 Jan 2018
|
16:24 danfe
Remove superfluous linefeeds.
|
Wednesday, 10 Jan 2018
|
15:08 danfe
Do not abuse INSTALL_MAN when installing documentation, examples, and
other miscellaneous files which are not actually manual pages.
|
Wednesday, 6 Dec 2017
|
04:18 cy
Welcome the new security/krb5-116 port. This port follows MIT's
KRB5 1.16 releases.
Major changes in 1.16 (2017-12-05)
==================================
Administrator experience:
* The KDC can match PKINIT client certificates against the
"pkinit_cert_match" string attribute on the client principal entry,
using the same syntax as the existing "pkinit_cert_match" profile
option.
* The ktutil addent command supports the "-k 0" option to ignore the
key version, and the "-s" option to use a non-default salt string.
(Only the first 15 lines of the commit message are shown above.)
|