svn commit: r526479 - in head/security: . krb5 krb5-116 krb5-118 krb5-118/files
Cy Schubert
cy at FreeBSD.org
Wed Feb 19 02:42:57 UTC 2020
Author: cy
Date: Wed Feb 19 02:42:55 2020
New Revision: 526479
URL: https://svnweb.freebsd.org/changeset/ports/526479
Log:
Welcome the new KRB5 1.18 (krb5-118)
In addition, deprecate krb5-116 to retire one year after the release
of krb5-118: Feb 12, 2021.
Major changes in 1.18 (2020-02-12)
==================================
Administrator experience:
* Remove support for single-DES encryption types.
* Change the replay cache format to be more efficient and robust.
Replay cache filenames using the new format end with ".rcache2" by
default.
* setuid programs will automatically ignore environment variables that
normally affect krb5 API functions, even if the caller does not use
krb5_init_secure_context().
* Add an "enforce_ok_as_delegate" krb5.conf relation to disable
credential forwarding during GSSAPI authentication unless the KDC
sets the ok-as-delegate bit in the service ticket.
* Use the permitted_enctypes krb5.conf setting as the default value
for default_tkt_enctypes and default_tgs_enctypes.
Developer experience:
* Implement krb5_cc_remove_cred() for all credential cache types.
* Add the krb5_pac_get_client_info() API to get the client account
name from a PAC.
Protocol evolution:
* Add KDC support for S4U2Self requests where the user is identified
by X.509 certificate. (Requires support for certificate lookup from
a third-party KDB module.)
* Remove support for an old ("draft 9") variant of PKINIT.
* Add support for Microsoft NegoEx. (Requires one or more third-party
GSS modules implementing NegoEx mechanisms.)
* Honor the transited-policy-checked ticket flag on application
servers, eliminating the requirement to configure capaths on
servers in some scenarios.
User experience:
* Add support for "dns_canonicalize_hostname=fallback", causing
host-based principal names to be tried first without DNS
canonicalization, and again with DNS canonicalization if the
un-canonicalized server is not found.
* Expand single-component hostnames in host-based principal names when
DNS canonicalization is not used, adding the system's first DNS
search path as a suffix. Add a "qualify_shortname" krb5.conf
relation to override this suffix or disable expansion.
Code quality:
* The libkrb5 serialization code (used to export and import krb5 GSS
security contexts) has been simplified and made type-safe.
* The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
messages has been revised to conform to current coding practices.
* The test suite has been modified to work with macOS System Integrity
Protection enabled.
* The test suite incorporates soft-pkcs11 so that PKINIT PKCS11
support can always be tested.
Added:
head/security/krb5-118/
- copied from r526452, head/security/krb5-117/
Modified:
head/security/Makefile
head/security/krb5-116/Makefile
head/security/krb5-118/Makefile
head/security/krb5-118/distinfo
head/security/krb5-118/files/patch-clients__ksu__Makefile.in
head/security/krb5-118/pkg-plist
head/security/krb5/Makefile
Modified: head/security/Makefile
==============================================================================
--- head/security/Makefile Tue Feb 18 22:57:12 2020 (r526478)
+++ head/security/Makefile Wed Feb 19 02:42:55 2020 (r526479)
@@ -262,6 +262,7 @@
SUBDIR += krb5
SUBDIR += krb5-116
SUBDIR += krb5-117
+ SUBDIR += krb5-118
SUBDIR += krb5-appl
SUBDIR += krb5-devel
SUBDIR += kripp
Modified: head/security/krb5-116/Makefile
==============================================================================
--- head/security/krb5-116/Makefile Tue Feb 18 22:57:12 2020 (r526478)
+++ head/security/krb5-116/Makefile Wed Feb 19 02:42:55 2020 (r526479)
@@ -15,6 +15,9 @@ PATCH_DIST_STRIP= -p2
MAINTAINER= cy at FreeBSD.org
COMMENT= MIT implementation of RFC 4120 network authentication service
+DEPRECATED= EOL one year after the release of krb5 1.18
+EXPIRATION_DATE= 2021-02-12
+
LICENSE= MIT
CONFLICTS= heimdal-[0-9]* srp-[0-9]* krb5-11[3457]-[0-9]* \
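Review bot: the CONFLICTS context line at the end of this hunk lists krb5-11[3457]-[0-9]*, which does not match the krb5-118 package added in this same commit, so unless the continuation line (not visible here) covers it, krb5-116 and krb5-118 are not declared as conflicting. Suggest extending the character class to krb5-11[34578]-[0-9]* while this Makefile is being touched.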
Modified: head/security/krb5-118/Makefile
==============================================================================
--- head/security/krb5-117/Makefile Tue Feb 18 11:09:59 2020 (r526452)
+++ head/security/krb5-118/Makefile Wed Feb 19 02:42:55 2020 (r526479)
@@ -2,11 +2,11 @@
# $FreeBSD$
PORTNAME= krb5
-PORTVERSION= 1.17.1
+PORTVERSION= 1.18
CATEGORIES= security
MASTER_SITES= http://web.mit.edu/kerberos/dist/${PORTNAME}/${PORTVERSION:C/^[0-9]*\.[0-9]*/&X/:C/X\.[0-9]*$//:C/X//}/
.if !defined(MASTERDIR)
-PKGNAMESUFFIX= -117
+PKGNAMESUFFIX= -118
.endif
PATCH_SITES= http://web.mit.edu/kerberos/advisories/
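Review bot: MASTER_SITES and PATCH_SITES in the context lines of this hunk still use http://web.mit.edu/..., so the 1.18 tarball and any advisory patches are fetched in cleartext and the distinfo SHA256 is the only integrity check on them. If the host serves the same paths over https, switch both URLs as part of the version bump, and say in the log how the new checksum was verified against the upstream release.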
Modified: head/security/krb5-118/distinfo
==============================================================================
--- head/security/krb5-117/distinfo Tue Feb 18 11:09:59 2020 (r526452)
+++ head/security/krb5-118/distinfo Wed Feb 19 02:42:55 2020 (r526479)
@@ -1,3 +1,3 @@
-TIMESTAMP = 1576180923
-SHA256 (krb5-1.17.1.tar.gz) = 3706d7ec2eaa773e0e32d3a87bf742ebaecae7d064e190443a3acddfd8afb181
-SIZE (krb5-1.17.1.tar.gz) = 8765399
+TIMESTAMP = 1582078242
+SHA256 (krb5-1.18.tar.gz) = 73913934d711dcf9d5f5605803578edb44b9a11786df3c1b2711f4e1752f2c88
+SIZE (krb5-1.18.tar.gz) = 8706395
Modified: head/security/krb5-118/files/patch-clients__ksu__Makefile.in
==============================================================================
--- head/security/krb5-117/files/patch-clients__ksu__Makefile.in Tue Feb 18 11:09:59 2020 (r526452)
+++ head/security/krb5-118/files/patch-clients__ksu__Makefile.in Wed Feb 19 02:42:55 2020 (r526479)
@@ -3,7 +3,7 @@
@@ -1,6 +1,6 @@
mydir=clients$(S)ksu
BUILDTOP=$(REL)..$(S)..
--DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
+-DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin"'
+DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/bin /bin /usr/sbin /sbin"' -DDEBUG
KSU_LIBS=@KSU_LIBS@
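Review bot: the port's own replacement line, which this hunk carries over unchanged, still builds ksu with -DDEBUG and a CMD_PATH of "/usr/bin /bin /usr/sbin /sbin", while the upstream default being replaced has just changed from "/bin /local/bin" to a list that includes /usr/local/sbin and /usr/local/bin. Only the removed line was refreshed to make the patch apply, so please confirm that both the narrower path and -DDEBUG are still wanted for 1.18 and record the reason in the patch header or the commit log.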
Modified: head/security/krb5-118/pkg-plist
==============================================================================
--- head/security/krb5-117/pkg-plist Tue Feb 18 11:09:59 2020 (r526452)
+++ head/security/krb5-118/pkg-plist Wed Feb 19 02:42:55 2020 (r526479)
@@ -23,6 +23,7 @@ bin/uuclient
include/com_err.h
include/gssapi.h
include/gssapi/gssapi.h
+include/gssapi/gssapi_alloc.h
include/gssapi/gssapi_ext.h
include/gssapi/gssapi_generic.h
include/gssapi/gssapi_krb5.h
@@ -80,15 +81,15 @@ lib/libk5crypto.so.3
lib/libk5crypto.so.3.1
lib/libkadm5clnt.so
lib/libkadm5clnt_mit.so
-lib/libkadm5clnt_mit.so.11
-lib/libkadm5clnt_mit.so.11.0
+lib/libkadm5clnt_mit.so.12
+lib/libkadm5clnt_mit.so.12.0
lib/libkadm5srv.so
lib/libkadm5srv_mit.so
-lib/libkadm5srv_mit.so.11
-lib/libkadm5srv_mit.so.11.0
+lib/libkadm5srv_mit.so.12
+lib/libkadm5srv_mit.so.12.0
lib/libkdb5.so
-lib/libkdb5.so.9
-lib/libkdb5.so.9.0
+lib/libkdb5.so.10
+lib/libkdb5.so.10.0
lib/libkrb5.so
lib/libkrb5.so.3
lib/libkrb5.so.3.3
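Review bot: the second hunk bumps three shared library versions (libkadm5clnt_mit.so.11 to .12, libkadm5srv_mit.so.11 to .12, libkdb5.so.9 to .10), and security/krb5 switches its default to 118 in the same commit, so binaries linked against the old versions through the default port will need a rebuild after upgrading. Suggest a PORTREVISION bump on the consumers of these libraries or an UPDATING entry telling users to rebuild them.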
Modified: head/security/krb5/Makefile
==============================================================================
--- head/security/krb5/Makefile Tue Feb 18 22:57:12 2020 (r526478)
+++ head/security/krb5/Makefile Wed Feb 19 02:42:55 2020 (r526479)
@@ -1,7 +1,7 @@
# $FreeBSD$
-VERSIONS= 116 117
-KRB5_VERSION?= 117
+VERSIONS= 116 117 118
+KRB5_VERSION?= 118
MASTERDIR= ${.CURDIR}/../krb5-${KRB5_VERSION}
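Review bot: KRB5_VERSION?= 118 makes 1.18 the default for security/krb5 in the same commit that introduces the port, and the log lists behaviour changes that affect existing installations (single-DES enctypes removed, the new ".rcache2" replay cache format, permitted_enctypes now supplying the default for default_tkt_enctypes and default_tgs_enctypes). Consider adding krb5-118 first and flipping the default in a follow-up with an UPDATING entry, or at least mention that the previous release can be kept by setting KRB5_VERSION=117.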