From: Cy Schubert
Date: Wed, 6 Dec 2017 04:18:14 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r455634 - in head/security: . krb5 krb5-116

Author: cy
Date: Wed Dec 6 04:18:14 2017
New Revision: 455634
URL: https://svnweb.freebsd.org/changeset/ports/455634

Log:
  Welcome the new security/krb5-116 port. This port follows MIT's KRB5 1.16
  releases.

  Major changes in 1.16 (2017-12-05)
  ==================================

  Administrator experience:

  * The KDC can match PKINIT client certificates against the
    "pkinit_cert_match" string attribute on the client principal entry,
    using the same syntax as the existing "pkinit_cert_match" profile
    option.

  * The ktutil addent command supports the "-k 0" option to ignore the
    key version, and the "-s" option to use a non-default salt string.

  * kpropd supports a --pid-file option to write a pid file at startup,
    when it is run in standalone mode.

  * The "encrypted_challenge_indicator" realm option can be used to
    attach an authentication indicator to tickets obtained using FAST
    encrypted challenge pre-authentication.

  * Localization support can be disabled at build time with the
    --disable-nls configure option.

  Developer experience:

  * The kdcpolicy pluggable interface allows modules to control whether
    tickets are issued by the KDC.

  * The kadm5_auth pluggable interface allows modules to control whether
    kadmind grants access to a kadmin request.

  * The certauth pluggable interface allows modules to control which
    PKINIT client certificates can authenticate to which client
    principals.

  * KDB modules can use the client and KDC interface IP addresses to
    determine whether to allow an AS request.

  * GSS applications can query the bit strength of a krb5 GSS context
    using the GSS_C_SEC_CONTEXT_SASL_SSF OID with
    gss_inquire_sec_context_by_oid().

  * GSS applications can query the impersonator name of a krb5 GSS
    credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with
    gss_inquire_cred_by_oid().

  * kdcpreauth modules can query the KDC for the canonicalized requested
    client principal name, or match a principal name against the
    requested client principal name with canonicalization.

  Protocol evolution:

  * The client library will continue to try pre-authentication
    mechanisms after most failure conditions.

  * The KDC will issue trivially renewable tickets (where the renewable
    lifetime is equal to or less than the ticket lifetime) if requested
    by the client, to be friendlier to scripts.

  * The client library will use a random nonce for TGS requests instead
    of the current system time.

  * For the RC4 string-to-key or PAC operations, UTF-16 is supported
    (previously only UCS-2 was supported).

  * When matching PKINIT client certificates, UPN SANs will be matched
    correctly as UPNs, with canonicalization.

  User experience:

  * Dates after the year 2038 are accepted (provided that the platform
    time facilities support them), through the year 2106.

  * Automatic credential cache selection based on the client realm will
    take into account the fallback realm and the service hostname.

  * Referral and alternate cross-realm TGTs will not be cached, avoiding
    some scenarios where they can be added to the credential cache
    multiple times.

  * A German translation has been added.

Added: head/security/krb5-116/ - copied from r455584, head/security/krb5-115/ Modified: head/security/Makefile head/security/krb5-116/Makefile head/security/krb5-116/distinfo head/security/krb5-116/pkg-plist head/security/krb5/Makefile Modified: head/security/Makefile ============================================================================== --- head/security/Makefile Wed Dec 6 02:41:21 2017 (r455633) +++ head/security/Makefile Wed Dec 6 04:18:14 2017 (r455634) @@ -312,6 +312,7 @@ SUBDIR += krb5 SUBDIR += krb5-114 SUBDIR += krb5-115 + SUBDIR += krb5-116 SUBDIR += krb5-appl SUBDIR += krb5-devel SUBDIR += kripp Modified: head/security/krb5-116/Makefile ============================================================================== --- head/security/krb5-115/Makefile Tue Dec 5 14:01:12 2017 (r455584) +++ head/security/krb5-116/Makefile Wed Dec 6 04:18:14 2017 (r455634) @@ -2,11 +2,11 @@ # $FreeBSD$ PORTNAME= krb5 -PORTVERSION= 1.15.2 +PORTVERSION= 1.16 CATEGORIES= security MASTER_SITES= http://web.mit.edu/kerberos/dist/${PORTNAME}/${PORTVERSION:C/^[0-9]*\.[0-9]*/&X/:C/X\.[0-9]*$//:C/X//}/ .if !defined(MASTERDIR) -PKGNAMESUFFIX= -115 +PKGNAMESUFFIX= -116 .endif PATCH_SITES= http://web.mit.edu/kerberos/advisories/ Modified: head/security/krb5-116/distinfo ============================================================================== --- head/security/krb5-115/distinfo Tue Dec 5 14:01:12 2017 (r455584) +++ head/security/krb5-116/distinfo Wed Dec 6 04:18:14 2017 (r455634) 
@@ -1,3 +1,3 @@ -TIMESTAMP = 1506419874 -SHA256 (krb5-1.15.2.tar.gz) = 1639e392edf25e3b6cfec2ae68f97eb53e07c2dbe74bfeede0108465d5d1c87e -SIZE (krb5-1.15.2.tar.gz) = 9380755 +TIMESTAMP = 1512508523 +SHA256 (krb5-1.16.tar.gz) = faeb125f83b0fb4cdb2f99f088140631bb47d975982de0956d18c85842969e08 +SIZE (krb5-1.16.tar.gz) = 9474479 Modified: head/security/krb5-116/pkg-plist ============================================================================== --- head/security/krb5-115/pkg-plist Tue Dec 5 14:01:12 2017 (r455584) +++ head/security/krb5-116/pkg-plist Wed Dec 6 04:18:14 2017 (r455634) @@ -49,6 +49,7 @@ include/krb5/ccselect_plugin.h include/krb5/clpreauth_plugin.h include/krb5/hostrealm_plugin.h include/krb5/kadm5_hook_plugin.h +include/krb5/kdcpolicy_plugin.h include/krb5/kdcpreauth_plugin.h include/krb5/localauth_plugin.h include/krb5/krb5.h @@ -57,8 +58,10 @@ include/krb5/plugin.h include/krb5/pwqual_plugin.h include/kadm5/admin.h include/kadm5/chpass_util_strings.h +include/krb5/kadm5_auth_plugin.h include/kadm5/kadm_err.h include/kdb.h +include/krb5/certauth_plugin.h include/krb5/preauth_plugin.h include/profile.h include/verto-module.h @@ -84,8 +87,8 @@ lib/libkadm5srv_mit.so lib/libkadm5srv_mit.so.11 lib/libkadm5srv_mit.so.11.0 lib/libkdb5.so -lib/libkdb5.so.8 -lib/libkdb5.so.8.0 +lib/libkdb5.so.9 +lib/libkdb5.so.9.0 lib/libkrb5.so lib/libkrb5.so.3 lib/libkrb5.so.3.3 @@ -159,6 +162,7 @@ sbin/sserver sbin/uuserver share/et/et_c.awk share/et/et_h.awk +%%NLS%%share/locale/de/LC_MESSAGES/mit-krb5.mo %%NLS%%share/locale/en_US/LC_MESSAGES/mit-krb5.mo %%LDAP%%%%DATADIR%%/kerberos.schema %%LDAP%%%%DATADIR%%/kerberos.ldif Modified: head/security/krb5/Makefile ============================================================================== --- head/security/krb5/Makefile Wed Dec 6 02:41:21 2017 (r455633) +++ head/security/krb5/Makefile Wed Dec 6 04:18:14 2017 (r455634) 
@@ -1,6 +1,6 @@ # $FreeBSD$ -VERSIONS= 114 115 +VERSIONS= 114 115 116 KRB5_VERSION?= 115 MASTERDIR= ${.CURDIR}/../krb5-${KRB5_VERSION}
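
Review bot: MASTER_SITES and PATCH_SITES in head/security/krb5-116/Makefile are carried over as plain http:// URLs, so the SHA256 recorded in distinfo is the only protection for the 1.16 tarball and any advisory patches in transit. If upstream serves these paths over https, switch both variables while the port is being copied. The PORTVERSION substitution itself is fine for a two-component version: the second :C pattern does not match 1.16X and the third strips the X, giving the directory 1.16.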
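
Review bot: In the @@ -57,8 +58,10 @@ hunk of head/security/krb5-116/pkg-plist, include/krb5/kadm5_auth_plugin.h is inserted between the include/kadm5/ entries and include/krb5/certauth_plugin.h after include/kdb.h, while kdcpolicy_plugin.h in the preceding hunk sits with the other include/krb5/*_plugin.h headers. Grouping all three new plugin headers there would keep later plist diffs easier to audit.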
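
Review bot: In the @@ -84,8 +87,8 @@ hunk of head/security/krb5-116/pkg-plist, the libkdb5 entries move from .so.8 to .so.9, a shared-library version bump that the commit log does not mention. Anything linked against libkdb5.so.8, such as a third-party KDB module, will need a rebuild when a system moves from krb5-115 to krb5-116; a line in the log or an UPDATING entry would make that visible to administrators.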
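
Review bot: In head/security/krb5/Makefile, VERSIONS gains 116 but the KRB5_VERSION?= 115 context line is unchanged, so security/krb5 still builds 1.15 unless KRB5_VERSION is overridden. If keeping the default on 115 is deliberate for a release this new, say so in the log so users know 1.16 is opt-in for now.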