path: root/README
author Tom Yu <tlyu@mit.edu> 2009-01-31 04:00:10 +0000
committer Tom Yu <tlyu@mit.edu> 2009-01-31 04:00:10 +0000
commit 6603c22686c96cee259b82657b7e5597f021f1d5
tree f1ca96d752dec367b80ced6c3b33c1e89a60c7c9 /README
parent f70d290faea0ed8a9e41553c56eb673bb1d08cb8
README and patchlevel.h for 1.7 release branch
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21852 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'README')
-rw-r--r-- README 29
1 files changed, 28 insertions, 1 deletions
diff --git a/README b/README
index a945960f6f..5b1c82a9a2 100644
--- a/README
+++ b/README
@@ -59,12 +59,34 @@ http://krbdev.mit.edu/rt/
and logging in as "guest" with password "guest".
+DES transition
+--------------
+
+The Data Encryption Standard (DES) is widely recognized as weak. The
+krb5-1.7 release will contain measures to encourage sites to migrate
+away from using single-DES cryptosystems. Among these is a
+configuration variable that enables "weak" enctypes, but will default
+to "false" in the future. Depending on the outcome of ongoing
+discussion on krbdev@mit.edu, this default could change prior to the
+final release of krb5-1.7.
+
+Additional measures to ease the transition away from DES are planned
+for the final krb5-1.7 release.
+
Major changes in 1.7
--------------------
* Remove support for version 4 of the Kerberos protocol (krb4).
-* Client library now follows client principal referrals.
+* New libdefaults configuration variable "allow_weak_crypto". NOTE:
+ Currently defaults to "false", but may default to "true" in a future
+ release. Setting this variable to "false" will have the effect of
+ removing weak enctypes (currently defined to be all single-DES
+ enctypes) from permitted_enctypes, default_tkt_enctypes, and
+ default_tgs_enctypes.
+
+* Client library now follows client principal referrals, for
+ compatibility with Windows.
* KDC can issue realm referrals for service principals based on domain
names.
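Review bot: the two descriptions of the default disagree. The DES transition paragraph says the variable that enables "weak" enctypes 'will default to "false" in the future', which implies it is "true" today, while the allow_weak_crypto bullet under Major changes says it 'Currently defaults to "false", but may default to "true" in a future release.' A site reading this README cannot tell whether single-DES enctypes remain in permitted_enctypes, default_tkt_enctypes, and default_tgs_enctypes after upgrading. Suggest naming allow_weak_crypto in the DES transition paragraph, stating the current default once, and making both passages describe the same direction of change.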
@@ -80,6 +102,11 @@ Major changes in 1.7
* DCE RPC, including three-leg GSS context setup and unencapsulated
GSS tokens.
+* NTLM recognition support in GSS-API, to facilitate dropping in an
+ NTLM implementation.
+
+* KDC support for principal aliases, if the back end supports them.
+
* Microsoft set/change password (RFC 3244) protocol in kadmind.
* Master key rollover support.
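Review bot: in the NTLM bullet, "recognition support" is left undefined, so a reader cannot tell what GSS-API does with NTLM when no NTLM implementation has been dropped in. Suggest adding one clause that says what is recognized and what the outcome is without a mechanism present. The principal aliases bullet has the same gap: "if the back end supports them" does not say which back ends do, so name them or point to where that is documented.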