Date:      Wed, 6 Dec 2017 04:18:14 +0000 (UTC)
From:      Cy Schubert <cy@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r455634 - in head/security: . krb5 krb5-116
Message-ID:  <201712060418.vB64IEkR090987@repo.freebsd.org>

Author: cy
Date: Wed Dec  6 04:18:14 2017
New Revision: 455634
URL: https://svnweb.freebsd.org/changeset/ports/455634

Log:
  Welcome the new security/krb5-116 port. This port follows MIT's
  KRB5 1.16 releases.
  
  Major changes in 1.16 (2017-12-05)
  ==================================
  
  Administrator experience:
  
  * The KDC can match PKINIT client certificates against the
    "pkinit_cert_match" string attribute on the client principal entry,
    using the same syntax as the existing "pkinit_cert_match" profile
    option.
  
  * The ktutil addent command supports the "-k 0" option to ignore the
    key version, and the "-s" option to use a non-default salt string.
  
  * kpropd supports a --pid-file option to write a pid file at startup,
    when it is run in standalone mode.
  
  * The "encrypted_challenge_indicator" realm option can be used to
    attach an authentication indicator to tickets obtained using FAST
    encrypted challenge pre-authentication.
  
  * Localization support can be disabled at build time with the
    --disable-nls configure option.
  
  Developer experience:
  
  * The kdcpolicy pluggable interface allows modules to control whether
    tickets are issued by the KDC.
  
  * The kadm5_auth pluggable interface allows modules to control whether
    kadmind grants access to a kadmin request.
  
  * The certauth pluggable interface allows modules to control which
    PKINIT client certificates can authenticate to which client
    principals.
  
  * KDB modules can use the client and KDC interface IP addresses to
    determine whether to allow an AS request.
  
  * GSS applications can query the bit strength of a krb5 GSS context
    using the GSS_C_SEC_CONTEXT_SASL_SSF OID with
    gss_inquire_sec_context_by_oid().
  
  * GSS applications can query the impersonator name of a krb5 GSS
    credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with
    gss_inquire_cred_by_oid().
  
  * kdcpreauth modules can query the KDC for the canonicalized requested
    client principal name, or match a principal name against the
    requested client principal name with canonicalization.
  
  Protocol evolution:
  
  * The client library will continue to try pre-authentication
    mechanisms after most failure conditions.
  
  * The KDC will issue trivially renewable tickets (where the renewable
    lifetime is equal to or less than the ticket lifetime) if requested
    by the client, to be friendlier to scripts.
  
  * The client library will use a random nonce for TGS requests instead
    of the current system time.
  
  * For the RC4 string-to-key or PAC operations, UTF-16 is supported
    (previously only UCS-2 was supported).
  
  * When matching PKINIT client certificates, UPN SANs will be matched
    correctly as UPNs, with canonicalization.
  
  User experience:
  
  * Dates after the year 2038 are accepted (provided that the platform
    time facilities support them), through the year 2106.
  
  * Automatic credential cache selection based on the client realm will
    take into account the fallback realm and the service hostname.
  
  * Referral and alternate cross-realm TGTs will not be cached, avoiding
    some scenarios where they can be added to the credential cache
    multiple times.
  
  * A German translation has been added.

Added:
  head/security/krb5-116/
     - copied from r455584, head/security/krb5-115/
Modified:
  head/security/Makefile
  head/security/krb5-116/Makefile
  head/security/krb5-116/distinfo
  head/security/krb5-116/pkg-plist
  head/security/krb5/Makefile

Modified: head/security/Makefile
==============================================================================
--- head/security/Makefile	Wed Dec  6 02:41:21 2017	(r455633)
+++ head/security/Makefile	Wed Dec  6 04:18:14 2017	(r455634)
@@ -312,6 +312,7 @@
     SUBDIR += krb5
     SUBDIR += krb5-114
     SUBDIR += krb5-115
+    SUBDIR += krb5-116
     SUBDIR += krb5-appl
     SUBDIR += krb5-devel
     SUBDIR += kripp

Modified: head/security/krb5-116/Makefile
==============================================================================
--- head/security/krb5-115/Makefile	Tue Dec  5 14:01:12 2017	(r455584)
+++ head/security/krb5-116/Makefile	Wed Dec  6 04:18:14 2017	(r455634)
@@ -2,11 +2,11 @@
 # $FreeBSD$
 
 PORTNAME=		krb5
-PORTVERSION=		1.15.2
+PORTVERSION=		1.16
 CATEGORIES=		security
 MASTER_SITES=		http://web.mit.edu/kerberos/dist/${PORTNAME}/${PORTVERSION:C/^[0-9]*\.[0-9]*/&X/:C/X\.[0-9]*$//:C/X//}/
 .if !defined(MASTERDIR)
-PKGNAMESUFFIX=		-115
+PKGNAMESUFFIX=		-116
 .endif
 
 PATCH_SITES=		http://web.mit.edu/kerberos/advisories/
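
Review bot: MASTER_SITES and PATCH_SITES in the context lines of this hunk still fetch from http://web.mit.edu/ over plain HTTP, so the distfile and any advisory patches arrive unauthenticated and the distinfo SHA256 is the only check between a tampered download and the build. Since this Makefile is being copied into a new port anyway, consider changing both URLs to https:// in the same commit.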

Modified: head/security/krb5-116/distinfo
==============================================================================
--- head/security/krb5-115/distinfo	Tue Dec  5 14:01:12 2017	(r455584)
+++ head/security/krb5-116/distinfo	Wed Dec  6 04:18:14 2017	(r455634)
@@ -1,3 +1,3 @@
-TIMESTAMP = 1506419874
-SHA256 (krb5-1.15.2.tar.gz) = 1639e392edf25e3b6cfec2ae68f97eb53e07c2dbe74bfeede0108465d5d1c87e
-SIZE (krb5-1.15.2.tar.gz) = 9380755
+TIMESTAMP = 1512508523
+SHA256 (krb5-1.16.tar.gz) = faeb125f83b0fb4cdb2f99f088140631bb47d975982de0956d18c85842969e08
+SIZE (krb5-1.16.tar.gz) = 9474479
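
Review bot: The new SHA256 on the "+SHA256 (krb5-1.16.tar.gz)" line is only as trustworthy as the download it was computed from, and the log does not say how the tarball was verified. Please check the digest against upstream's signed release before generating distinfo and note that in the commit message, so that the pinned hash is known to match what upstream published.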

Modified: head/security/krb5-116/pkg-plist
==============================================================================
--- head/security/krb5-115/pkg-plist	Tue Dec  5 14:01:12 2017	(r455584)
+++ head/security/krb5-116/pkg-plist	Wed Dec  6 04:18:14 2017	(r455634)
@@ -49,6 +49,7 @@ include/krb5/ccselect_plugin.h
 include/krb5/clpreauth_plugin.h
 include/krb5/hostrealm_plugin.h
 include/krb5/kadm5_hook_plugin.h
+include/krb5/kdcpolicy_plugin.h
 include/krb5/kdcpreauth_plugin.h
 include/krb5/localauth_plugin.h
 include/krb5/krb5.h
@@ -57,8 +58,10 @@ include/krb5/plugin.h
 include/krb5/pwqual_plugin.h
 include/kadm5/admin.h
 include/kadm5/chpass_util_strings.h
+include/krb5/kadm5_auth_plugin.h
 include/kadm5/kadm_err.h
 include/kdb.h
+include/krb5/certauth_plugin.h
 include/krb5/preauth_plugin.h
 include/profile.h
 include/verto-module.h
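
Review bot: The two new entries in this hunk are placed out of order: include/krb5/kadm5_auth_plugin.h sits between include/kadm5/chpass_util_strings.h and include/kadm5/kadm_err.h, and include/krb5/certauth_plugin.h follows include/kdb.h. Both live under include/krb5/, so move them next to the other include/krb5/*_plugin.h lines (as was done for kdcpolicy_plugin.h in the previous hunk) to keep the plist easy to diff against future releases.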
@@ -84,8 +87,8 @@ lib/libkadm5srv_mit.so
 lib/libkadm5srv_mit.so.11
 lib/libkadm5srv_mit.so.11.0
 lib/libkdb5.so
-lib/libkdb5.so.8
-lib/libkdb5.so.8.0
+lib/libkdb5.so.9
+lib/libkdb5.so.9.0
 lib/libkrb5.so
 lib/libkrb5.so.3
 lib/libkrb5.so.3.3
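
Review bot: The libkdb5 shared library major version changes here from libkdb5.so.8 to libkdb5.so.9, which the commit log does not mention. Anything linked against libkdb5.so.8 from the 1.15 port (KDB modules in particular) will need a rebuild when a system moves to this port, so call the bump out in the log and plan a PORTREVISION bump or UPDATING entry for consumers when the default version is switched.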
@@ -159,6 +162,7 @@ sbin/sserver
 sbin/uuserver
 share/et/et_c.awk
 share/et/et_h.awk
+%%NLS%%share/locale/de/LC_MESSAGES/mit-krb5.mo
 %%NLS%%share/locale/en_US/LC_MESSAGES/mit-krb5.mo
 %%LDAP%%%%DATADIR%%/kerberos.schema
 %%LDAP%%%%DATADIR%%/kerberos.ldif

Modified: head/security/krb5/Makefile
==============================================================================
--- head/security/krb5/Makefile	Wed Dec  6 02:41:21 2017	(r455633)
+++ head/security/krb5/Makefile	Wed Dec  6 04:18:14 2017	(r455634)
@@ -1,6 +1,6 @@
 # $FreeBSD$
 
-VERSIONS=		114 115
+VERSIONS=		114 115 116
 KRB5_VERSION?=		115
 
 MASTERDIR=		${.CURDIR}/../krb5-${KRB5_VERSION}
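
Review bot: VERSIONS gains 116 but "KRB5_VERSION?= 115" in the context line is unchanged, so security/krb5 continues to build 1.15 unless the user overrides it. If that is intentional for the initial import, say so in the commit log so that users do not assume the default port now tracks 1.16.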
