Date: Wed, 19 Feb 2020 02:42:55 +0000 (UTC)
From: Cy Schubert <cy@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r526479 - in head/security: . krb5 krb5-116 krb5-118 krb5-118/files
Message-ID: <202002190242.01J2gtbu063804@repo.freebsd.org>
Author: cy
Date: Wed Feb 19 02:42:55 2020
New Revision: 526479
URL: https://svnweb.freebsd.org/changeset/ports/526479

Log:
  Welcome the new KRB5 1.18 (krb5-118)

  In addition, deprecate krb5-116 to retire one year after the release of
  krb5-118: Feb 12, 2021.

  Major changes in 1.18 (2020-02-12)
  ==================================

  Administrator experience:

  * Remove support for single-DES encryption types.
  * Change the replay cache format to be more efficient and robust. Replay cache filenames using the new format end with ".rcache2" by default.
  * setuid programs will automatically ignore environment variables that normally affect krb5 API functions, even if the caller does not use krb5_init_secure_context().
  * Add an "enforce_ok_as_delegate" krb5.conf relation to disable credential forwarding during GSSAPI authentication unless the KDC sets the ok-as-delegate bit in the service ticket.
  * Use the permitted_enctypes krb5.conf setting as the default value for default_tkt_enctypes and default_tgs_enctypes.

  Developer experience:

  * Implement krb5_cc_remove_cred() for all credential cache types.
  * Add the krb5_pac_get_client_info() API to get the client account name from a PAC.

  Protocol evolution:

  * Add KDC support for S4U2Self requests where the user is identified by X.509 certificate. (Requires support for certificate lookup from a third-party KDB module.)
  * Remove support for an old ("draft 9") variant of PKINIT.
  * Add support for Microsoft NegoEx. (Requires one or more third-party GSS modules implementing NegoEx mechanisms.)
  * Honor the transited-policy-checked ticket flag on application servers, eliminating the requirement to configure capaths on servers in some scenarios.

  User experience:

  * Add support for "dns_canonicalize_hostname=fallback", causing host-based principal names to be tried first without DNS canonicalization, and again with DNS canonicalization if the un-canonicalized server is not found.
* Expand single-component hostnames in host-based principal names when DNS canonicalization is not used, adding the system's first DNS search path as a suffix. Add a "qualify_shortname" krb5.conf relation to override this suffix or disable expansion. Code quality: * The libkrb5 serialization code (used to export and import krb5 GSS security contexts) has been simplified and made type-safe. * The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED messages has been revised to conform to current coding practices. * The test suite has been modified to work with macOS System Integrity Protection enabled. * The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support can always be tested. Added: head/security/krb5-118/ - copied from r526452, head/security/krb5-117/ Modified: head/security/Makefile head/security/krb5-116/Makefile head/security/krb5-118/Makefile head/security/krb5-118/distinfo head/security/krb5-118/files/patch-clients__ksu__Makefile.in head/security/krb5-118/pkg-plist head/security/krb5/Makefile Modified: head/security/Makefile ============================================================================== --- head/security/Makefile Tue Feb 18 22:57:12 2020 (r526478) +++ head/security/Makefile Wed Feb 19 02:42:55 2020 (r526479) @@ -262,6 +262,7 @@ SUBDIR += krb5 SUBDIR += krb5-116 SUBDIR += krb5-117 + SUBDIR += krb5-118 SUBDIR += krb5-appl SUBDIR += krb5-devel SUBDIR += kripp Modified: head/security/krb5-116/Makefile ============================================================================== --- head/security/krb5-116/Makefile Tue Feb 18 22:57:12 2020 (r526478) +++ head/security/krb5-116/Makefile Wed Feb 19 02:42:55 2020 (r526479) 
@@ -15,6 +15,9 @@ PATCH_DIST_STRIP= -p2 MAINTAINER= cy@FreeBSD.org COMMENT= MIT implementation of RFC 4120 network authentication service +DEPRECATED= EOL one year after the release of krb5 1.18 +EXPIRATION_DATE= 2021-02-12 + LICENSE= MIT CONFLICTS= heimdal-[0-9]* srp-[0-9]* krb5-11[3457]-[0-9]* \ Modified: head/security/krb5-118/Makefile ============================================================================== --- head/security/krb5-117/Makefile Tue Feb 18 11:09:59 2020 (r526452) +++ head/security/krb5-118/Makefile Wed Feb 19 02:42:55 2020 (r526479) @@ -2,11 +2,11 @@ # $FreeBSD$ PORTNAME= krb5 -PORTVERSION= 1.17.1 +PORTVERSION= 1.18 CATEGORIES= security MASTER_SITES= http://web.mit.edu/kerberos/dist/${PORTNAME}/${PORTVERSION:C/^[0-9]*\.[0-9]*/&X/:C/X\.[0-9]*$//:C/X//}/ .if !defined(MASTERDIR) -PKGNAMESUFFIX= -117 +PKGNAMESUFFIX= -118 .endif PATCH_SITES= http://web.mit.edu/kerberos/advisories/ Modified: head/security/krb5-118/distinfo ============================================================================== --- head/security/krb5-117/distinfo Tue Feb 18 11:09:59 2020 (r526452) +++ head/security/krb5-118/distinfo Wed Feb 19 02:42:55 2020 (r526479) @@ -1,3 +1,3 @@ -TIMESTAMP = 1576180923 -SHA256 (krb5-1.17.1.tar.gz) = 3706d7ec2eaa773e0e32d3a87bf742ebaecae7d064e190443a3acddfd8afb181 -SIZE (krb5-1.17.1.tar.gz) = 8765399 +TIMESTAMP = 1582078242 +SHA256 (krb5-1.18.tar.gz) = 73913934d711dcf9d5f5605803578edb44b9a11786df3c1b2711f4e1752f2c88 +SIZE (krb5-1.18.tar.gz) = 8706395 Modified: head/security/krb5-118/files/patch-clients__ksu__Makefile.in ============================================================================== --- head/security/krb5-117/files/patch-clients__ksu__Makefile.in Tue Feb 18 11:09:59 2020 (r526452) +++ head/security/krb5-118/files/patch-clients__ksu__Makefile.in Wed Feb 19 02:42:55 2020 (r526479) @@ -3,7 +3,7 @@ 
@@ -1,6 +1,6 @@ mydir=clients$(S)ksu BUILDTOP=$(REL)..$(S).. --DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"' +-DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin"' +DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/bin /bin /usr/sbin /sbin"' -DDEBUG KSU_LIBS=@KSU_LIBS@ Modified: head/security/krb5-118/pkg-plist ============================================================================== --- head/security/krb5-117/pkg-plist Tue Feb 18 11:09:59 2020 (r526452) +++ head/security/krb5-118/pkg-plist Wed Feb 19 02:42:55 2020 (r526479) @@ -23,6 +23,7 @@ bin/uuclient include/com_err.h include/gssapi.h include/gssapi/gssapi.h +include/gssapi/gssapi_alloc.h include/gssapi/gssapi_ext.h include/gssapi/gssapi_generic.h include/gssapi/gssapi_krb5.h @@ -80,15 +81,15 @@ lib/libk5crypto.so.3 lib/libk5crypto.so.3.1 lib/libkadm5clnt.so lib/libkadm5clnt_mit.so -lib/libkadm5clnt_mit.so.11 -lib/libkadm5clnt_mit.so.11.0 +lib/libkadm5clnt_mit.so.12 +lib/libkadm5clnt_mit.so.12.0 lib/libkadm5srv.so lib/libkadm5srv_mit.so -lib/libkadm5srv_mit.so.11 -lib/libkadm5srv_mit.so.11.0 +lib/libkadm5srv_mit.so.12 +lib/libkadm5srv_mit.so.12.0 lib/libkdb5.so -lib/libkdb5.so.9 -lib/libkdb5.so.9.0 +lib/libkdb5.so.10 +lib/libkdb5.so.10.0 lib/libkrb5.so lib/libkrb5.so.3 lib/libkrb5.so.3.3 Modified: head/security/krb5/Makefile ============================================================================== --- head/security/krb5/Makefile Tue Feb 18 22:57:12 2020 (r526478) +++ head/security/krb5/Makefile Wed Feb 19 02:42:55 2020 (r526479) @@ -1,7 +1,7 @@ # $FreeBSD$ -VERSIONS= 116 117 -KRB5_VERSION?= 117 +VERSIONS= 116 117 118 +KRB5_VERSION?= 118 MASTERDIR= ${.CURDIR}/../krb5-${KRB5_VERSION}
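Review bot: the CONFLICTS context line in the krb5-116/Makefile hunk still reads krb5-11[3457]-[0-9]*, which does not match the krb5-118 package this commit introduces. Unless the continuation line outside the hunk already covers it, extend the pattern (for example krb5-11[34578]-[0-9]*) so that krb5-116 and krb5-118 cannot be installed side by side.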
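Review bot: in the krb5-118/distinfo hunk the new SHA256 for krb5-1.18.tar.gz is the only integrity check on a tarball that MASTER_SITES in the krb5-118/Makefile hunk fetches over plain http://web.mit.edu/. Say in the commit log how the hash was verified against the upstream release, and switch MASTER_SITES and PATCH_SITES to https if the host serves it.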
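Review bot: the replacement DEFINES line that patch-clients__ksu__Makefile.in keeps for clients/ksu still carries -DDEBUG and a CMD_PATH limited to "/usr/bin /bin /usr/sbin /sbin", while the line it replaces now also lists /usr/local/sbin and /usr/local/bin. Add a comment to the patch or the port Makefile stating that leaving out the /usr/local directories and building ksu with -DDEBUG are deliberate, or drop -DDEBUG if it is a leftover.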
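Review bot: the second krb5-118/pkg-plist hunk moves libkadm5clnt_mit and libkadm5srv_mit from .so.11 to .so.12 and libkdb5 from .so.9 to .so.10, so anything linked against the old sonames stops loading once the package is upgraded. List the dependent ports that need a PORTREVISION bump in this commit or a follow-up, or state in the log that none link against these three libraries.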
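Review bot: KRB5_VERSION?= 118 in the security/krb5/Makefile hunk switches the default for every security/krb5 user in the same commit that adds the port, and the log lists behaviour changes (single-DES removed, new replay cache format) while the list of modified files contains no UPDATING entry. Add an UPDATING note for the default change, or land the switch as a separate commit after krb5-118 has been in the tree for a while.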