• krb5-1.22 is released

    From Greg Hudson <ghudson@mit.edu> to kerberos-announce on Wed Aug 6 15:49:08 2025
    From Newsgroup: comp.protocols.kerberos

    The MIT Kerberos Team announces the availability of MIT Kerberos 5
    Release 1.22. Please see below for a list of some major changes
    included, or consult the README file in the source tree for a more
    detailed list of significant changes.

    RETRIEVING KERBEROS 5 RELEASE 1.22
    ==================================

    You may retrieve the Kerberos 5 Release 1.22 source from the
    following URL:

    https://kerberos.org/dist/

    The homepage for the krb5-1.22 release is:

    https://web.mit.edu/kerberos/krb5-1.22/

    Further information about Kerberos 5 may be found at the following
    URL:

    https://web.mit.edu/kerberos/

    and at the MIT Kerberos Consortium web site:

    https://www.kerberos.org/


    PAC transitions
    ===============

    Beginning with release 1.20, the KDC will include minimal PACs in
    tickets instead of AD-SIGNEDPATH authdata. S4U requests (protocol
    transition and constrained delegation) must now contain valid PACs in
    the incoming tickets. Beginning with release 1.21, service ticket
    PACs will contain a new KDC checksum buffer, to mitigate a hash
    collision attack against the old KDC checksum. If only some KDCs in a
    realm have been upgraded across versions 1.20 or 1.21, the upgraded
    KDCs will reject S4U requests containing tickets from non-upgraded
    KDCs and vice versa.

    Triple-DES and RC4 transitions
    ==============================

    Beginning with the krb5-1.21 release, the KDC will not issue tickets
    with triple-DES or RC4 session keys unless explicitly configured using
    the new allow_des3 and allow_rc4 variables in [libdefaults]. To
    facilitate the negotiation of session keys, the KDC will assume that
    all services can handle aes256-sha1 session keys unless the service
    principal has a session_enctypes string attribute.

    Beginning with the krb5-1.19 release, a warning will be issued if
    initial credentials are acquired using the des3-cbc-sha1 encryption
    type. Beginning with the krb5-1.21 release, a warning will also be
    issued for the arcfour-hmac encryption type. In future releases,
    these encryption types will be disabled by default and eventually
    removed.

    Beginning with the krb5-1.18 release, all support for single-DES
    encryption types has been removed.
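    An added check, not part of this announcement or of the krb5 code base,
    for the triple-DES and RC4 transition described above: before the KDCs
    move to 1.21 or later, grep the krb5kdc log for tickets that were issued
    with des3 or rc4 session keys. A weak session key points at the service
    side (its keys, or a session_enctypes string attribute that still lists
    des3/rc4), while a client that offered nothing but des3/rc4 will fail
    outright once the KDC stops issuing them. The log lines are constructed
    for this example following the general shape of krb5kdc's ISSUE messages;
    the syslog prefix and enctype lists are assumptions.

```python
"""Audit krb5kdc log lines for tickets issued with RC4 or triple-DES session keys.

Added example; not part of the krb5 release announcement or the krb5 code base.
SAMPLE_LOG is constructed for this example in the general shape of krb5kdc's
ISSUE messages (hostnames, addresses and principals are assumptions).
"""
import re

# IANA Kerberos encryption type numbers (subset).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac",
    24: "arcfour-hmac-exp",
    25: "camellia128-cts-cmac",
    26: "camellia256-cts-cmac",
}

# Session-key enctypes a 1.21+ KDC will not issue without allow_des3/allow_rc4.
DEPRECATED_SESSION_ENCTYPES = {16, 23, 24}

# The ISSUE part of an AS_REQ/TGS_REQ line; whatever precedes it is ignored.
ISSUE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) "
    r"(?P<addr>\S+): ISSUE: authtime (?P<authtime>\d+), "
    r"etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+) for (?P<server>\S+)"
)


def parse_issue(line):
    """Return the fields of an ISSUE line as a dict, or None for other lines."""
    m = ISSUE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["offered"] = [int(x) for x in rec["offered"].split()]
    for key in ("authtime", "rep", "tkt", "ses"):
        rec[key] = int(rec[key])
    return rec


def find_weak_session_keys(lines):
    """Map each server principal to the deprecated session enctype names it
    was issued.  The session enctype is chosen from what the client offered
    and what the service supports, so a weak choice here is driven by the
    service (its keys, or a session_enctypes attribute listing des3/rc4)."""
    weak = {}
    for line in lines:
        rec = parse_issue(line)
        if rec is None or rec["ses"] not in DEPRECATED_SESSION_ENCTYPES:
            continue
        name = ENCTYPE_NAMES.get(rec["ses"], "etype %d" % rec["ses"])
        weak.setdefault(rec["server"], set()).add(name)
    return weak


def clients_offering_only_weak(lines):
    """Clients whose requests offered only des3/rc4 enctypes: once the KDC
    stops issuing those session keys there is no enctype in common and the
    request fails.  Returns sorted (client principal, address) pairs."""
    found = set()
    for line in lines:
        rec = parse_issue(line)
        if rec is None or not rec["offered"]:
            continue
        if set(rec["offered"]) <= DEPRECATED_SESSION_ENCTYPES:
            found.add((rec["client"], rec["addr"]))
    return sorted(found)


# Constructed sample log (not real data), modelled on krb5kdc's ISSUE lines.
SAMPLE_LOG = [
    "Aug 06 15:49:08 kdc1 krb5kdc[2201](info): AS_REQ (4 etypes {18 17 20 19}) 10.0.0.5: ISSUE: authtime 1754492948, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "Aug 06 15:49:09 kdc1 krb5kdc[2201](info): TGS_REQ (4 etypes {18 17 23 16}) 10.0.0.5: ISSUE: authtime 1754492948, etypes {rep=18 tkt=23 ses=23}, alice@EXAMPLE.COM for host/legacy.example.com@EXAMPLE.COM",
    "Aug 06 15:49:10 kdc1 krb5kdc[2201](info): TGS_REQ (4 etypes {18 17 23 16}) 10.0.0.5: ISSUE: authtime 1754492948, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for HTTP/www.example.com@EXAMPLE.COM",
    "Aug 06 15:49:11 kdc1 krb5kdc[2201](info): TGS_REQ (1 etypes {16}) 10.0.0.9: ISSUE: authtime 1754492951, etypes {rep=16 tkt=18 ses=16}, bob@EXAMPLE.COM for nfs/files.example.com@EXAMPLE.COM",
    "Aug 06 15:49:12 kdc1 krb5kdc[2201](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed",
    "Aug 06 15:49:13 kdc1 krb5kdc[2201](info): closing down fd 12",
]

if __name__ == "__main__":
    for server, names in sorted(find_weak_session_keys(SAMPLE_LOG).items()):
        print("weak session key for %s: %s" % (server, ", ".join(sorted(names))))
    for client, addr in clients_offering_only_weak(SAMPLE_LOG):
        print("client %s from %s offers only des3/rc4" % (client, addr))
```

    Feed real krb5kdc log lines in place of SAMPLE_LOG; services that show
    up in the first report need their keys rotated or their session_enctypes
    attribute tightened, and the clients in the second report need fixing
    before allow_des3/allow_rc4 can stay unset.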


    Major changes in 1.22 (2025-08-05)
    ==================================

    User experience:

    * The libdefaults configuration variable "request_timeout" can be set
    to limit the total timeout for KDC requests. When making a KDC
    request, the client will now wait indefinitely (or until the request
    timeout has elapsed) on a KDC which accepts a TCP connection,
    without contacting any additional KDCs. Clients will make fewer DNS
    queries in some configurations.

    * The realm configuration variable "sitename" can be set to cause the
    client to query site-specific DNS records when making KDC requests.

    Administrator experience:

    * Principal aliases are supported in the DB2 and LMDB KDB modules and
    in the kadmin protocol. (The LDAP KDB module has supported aliases
    since release 1.7.)

    * UNIX domain sockets are supported for the Kerberos and kpasswd
    protocols.

    * systemd socket activation is supported for krb5kdc and kadmind.

    Developer experience:

    * KDB modules can be implemented in terms of other modules using
    the new krb5_db_load_module() function.

    * The profile library supports the modification of empty profiles and
    the copying of modified profiles, making it possible to construct an
    in-memory profile and pass it to krb5_init_context_profile().

    * GSS-API applications can pass the GSS_C_CHANNEL_BOUND flag to
    gss_init_sec_context() to request strict enforcement of channel
    bindings by the acceptor.

    Protocol evolution:

    * The PKINIT preauth module supports elliptic curve client
    certificates, ECDH key exchange, and the Microsoft paChecksum2
    field.

    * The IAKERB implementation has been changed to comply with the most
    recent draft standard and to support realm discovery.

    * Message-Authenticator is supported in the RADIUS implementation used
    by the OTP kdcpreauth module.

    Code quality:

    * Removed old-style function declarations, to accommodate compilers
    which have removed support for them.

    * Added OSS-Fuzz to the project's continuous integration
    infrastructure.

    * Rewrote the GSS per-message token parsing code for improved safety.