krb5-1.21 is released

From: ghudson@mit.edu (Greg Hudson)
Newsgroups: comp.protocols.kerberos
Subject: krb5-1.21 is released
Date: Tue, 06 Jun 2023 01:06:32 -0400
Organization: TNet Consulting
Lines: 127
Sender: "kerberos-announce" <kerberos-announce-bounces@mit.edu>
Message-ID: <mailman.85.1686028264.1964.kerberos@mit.edu>
References: <x7dzg5ddvs7.fsf@mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Injection-Info: tncsrv06.tnetconsulting.net; posting-host="mailman.mit.edu:18.7.21.50";
logging-data="13396"; mail-complaints-to="newsmaster@tnetconsulting.net"
To: kerberos-announce@mit.edu
X-BeenThere: kerberos@mit.edu
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Unsubscribe: <https://mailman.mit.edu/mailman/options/kerberos>,
<mailto:kerberos-request@mit.edu?subject=unsubscribe>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos/>
List-Post: <mailto:kerberos@mit.edu>
List-Help: <mailto:kerberos-request@mit.edu?subject=help>
List-Subscribe: <https://mailman.mit.edu/mailman/listinfo/kerberos>,
<mailto:kerberos-request@mit.edu?subject=subscribe>
X-Mailman-Original-Message-ID: <x7dzg5ddvs7.fsf@mit.edu>
 by: Greg Hudson - Tue, 6 Jun 2023 05:06 UTC

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.21. Please see below for a list of some major changes
included, or consult the README file in the source tree for a more
detailed list of significant changes.

RETRIEVING KERBEROS 5 RELEASE 1.21
==================================

You may retrieve the Kerberos 5 Release 1.21 source from the
following URL:

https://kerberos.org/dist/

The homepage for the krb5-1.21 release is:

https://web.mit.edu/kerberos/krb5-1.21/

Further information about Kerberos 5 may be found at the following
URL:

https://web.mit.edu/kerberos/

and at the MIT Kerberos Consortium web site:

https://www.kerberos.org/

PAC transitions
===============

Beginning with release 1.20, the KDC will include minimal PACs in
tickets instead of AD-SIGNEDPATH authdata. S4U requests (protocol
transition and constrained delegation) must now contain valid PACs in
the incoming tickets. Beginning with release 1.21, service ticket
PACs will contain a new KDC checksum buffer, to mitigate a hash
collision attack against the old KDC checksum. If only some KDCs in a
realm have been upgraded across versions 1.20 or 1.21, the upgraded
KDCs will reject S4U requests containing tickets from non-upgraded
KDCs and vice versa.

Triple-DES and RC4 transitions
==============================

Beginning with the krb5-1.21 release, the KDC will not issue tickets
with triple-DES or RC4 session keys unless explicitly configured using
the new allow_des3 and allow_rc4 variables in [libdefaults]. To
facilitate the negotiation of session keys, the KDC will assume that
all services can handle aes256-sha1 session keys unless the service
principal has a session_enctypes string attribute.

Beginning with the krb5-1.19 release, a warning will be issued if
initial credentials are acquired using the des3-cbc-sha1 encryption
type. Beginning with the krb5-1.21 release, a warning will also be
issued for the arcfour-hmac encryption type. In future releases,
these encryption types will be disabled by default and eventually
removed.

Beginning with the krb5-1.18 release, all support for single-DES
encryption types has been removed.

Major changes in 1.21 (2023-06-05)
==================================

User experience:

* Added a credential cache type providing compatibility with the macOS
11 native credential cache.

Developer experience:

* libkadm5 will use the provided krb5_context object to read
configuration values, instead of creating its own.

* Added an interface to retrieve the ticket session key from a GSS
context.

Protocol evolution:

* The KDC will no longer issue tickets with RC4 or triple-DES session
keys unless explicitly configured with the new allow_rc4 or
allow_des3 variables respectively.

* The KDC will assume that all services can handle aes256-sha1 session
keys unless the service principal has a session_enctypes string
attribute.

* Support for PAC full KDC checksums has been added to mitigate an
S4U2Proxy privilege escalation attack.

* The PKINIT client will advertise a more modern set of supported CMS
algorithms.

Code quality:

* Removed unused code in libkrb5, libkrb5support, and the PKINIT
module.

* Modernized the KDC code for processing TGS requests, the code for
encrypting and decrypting key data, the PAC handling code, and the
GSS library packet parsing and composition code.

* Improved the test framework's detection of memory errors in daemon
processes when used with asan.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
_______________________________________________
kerberos-announce mailing list
kerberos-announce@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos-announce
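
Added example, not part of the announcement or of MIT krb5: a small audit of a krb5.conf for the allow_des3 and allow_rc4 variables described under "Triple-DES and RC4 transitions", so an administrator can confirm that a host has not re-enabled triple-DES or RC4 session keys. The sample configuration is constructed, and the names audit_libdefaults, LEGACY_SWITCHES and SAMPLE_CONF are assumptions of this example.

```python
import re

# Spellings the MIT krb5 profile library treats as boolean true.
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}
# The two [libdefaults] variables introduced in krb5-1.21.
LEGACY_SWITCHES = {"allow_des3": "triple-DES", "allow_rc4": "RC4"}

def audit_libdefaults(conf_text):
    """Return [(line_no, variable, cipher)] for each legacy switch enabled
    directly under [libdefaults]. Conservative: every enabled occurrence is
    reported, regardless of which duplicate the library would honour."""
    findings = []
    section, depth = None, 0
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":      # comments occupy whole lines
            continue
        header = re.fullmatch(r"\[([^\]]+)\]\*?", line)
        if header and depth == 0:            # "[name]" or final "[name]*"
            section = header.group(1).strip()
            continue
        if line.startswith("}"):             # end of a "key = { ... }" subsection
            depth = max(depth - 1, 0)
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if sep and value.startswith("{"):    # start of a subsection
            depth += 1
            continue
        if section == "libdefaults" and depth == 0 and key in LEGACY_SWITCHES:
            if value.lower() in TRUE_VALUES:
                findings.append((line_no, key, LEGACY_SWITCHES[key]))
    return findings

# Constructed sample: RC4 re-enabled, triple-DES left off, and a stray
# allow_rc4 in [realms] that is outside [libdefaults] and so not reported.
SAMPLE_CONF = """\
# constructed sample, not a real deployment
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_rc4 = yes
    allow_des3 = false
; legacy note
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        allow_rc4 = true
    }
"""

if __name__ == "__main__":
    for line_no, key, cipher in audit_libdefaults(SAMPLE_CONF):
        print(f"line {line_no}: {key} enables {cipher} session keys")
```
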
