commit | da2ae114800ef1924e8d9e9a23088e4ba1365592 | |
---|---|---|
author | Colm O hEigeartaigh <coheigea@apache.org> | Fri Jul 27 12:21:31 2018 +0100 |
committer | Colm O hEigeartaigh <coheigea@apache.org> | Fri Jul 27 12:27:39 2018 +0100 |
tree | 267d6d84820da29c266fc444fac1b0d83daf99e0 | |
parent | 131afa7ad232b29b6157eeecee5ff1e44a6a3537 |
Upgrading Apache parent version
Apache Kerby, as an Apache Directory subproject, is a Java Kerberos binding. It provides a rich, intuitive and interoperable implementation, library, KDC and various facilities that integrate PKI, OTP and token (OAuth2) as desired in modern environments such as cloud, Hadoop and mobile.
A Krb client API for applications to interact with KDC.
Please look at kerb-client for details.
Server side admin facilities.
Please look at kerb-admin for details.
Kerberos Server API.
Please look at kerb-server for details.
A simplified KDC server. It can be imported by other projects to work as a KDC server.
Please look at kerb-simplekdc for details.
A model driven ASN-1 encoding and decoding framework implemented with Java.
Please look at kerby-asn1 for details.
Please look at Kerby KDC for details.
Similar to MIT krb5 encryption types:
Encryption Type | Description |
---|---|
des-cbc-crc | DES cbc mode with CRC-32 (weak) |
des-cbc-md4 | DES cbc mode with RSA-MD4 (weak) |
des-cbc-md5 | DES cbc mode with RSA-MD5 (weak) |
des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd | Triple DES cbc mode with HMAC/sha1 |
des-hmac-sha1 | DES with HMAC/sha1 (weak) |
aes256-cts-hmac-sha1-96 aes256-cts | AES-256 CTS mode with 96-bit SHA-1 HMAC |
aes128-cts-hmac-sha1-96 aes128-cts | AES-128 CTS mode with 96-bit SHA-1 HMAC |
arcfour-hmac rc4-hmac arcfour-hmac-md5 | RC4 with HMAC/MD5 |
arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp | Exportable RC4 with HMAC/MD5 (weak) |
camellia256-cts-cmac camellia256-cts | Camellia-256 CTS mode with CMAC |
camellia128-cts-cmac camellia128-cts | Camellia-128 CTS mode with CMAC |
des | The DES family: des-cbc-crc, des-cbc-md5, and des-cbc-md4 (weak) |
des3 | The triple DES family: des3-cbc-sha1 |
aes | The AES family: aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96 |
rc4 | The RC4 family: arcfour-hmac |
camellia | The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac |
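An added example (not Kerby's code): a small audit that expands the aliases and family names from the table above and reports which entries in a krb5.conf enctype list enable a type the table marks as weak. The relation names are the MIT krb5 ones, and the sample configuration is constructed.

```python
import re
# Canonical name -> (aliases, weak), exactly as marked in the table above.
ENCTYPES = {
    "des-cbc-crc": ((), True),
    "des-cbc-md4": ((), True),
    "des-cbc-md5": ((), True),
    "des3-cbc-sha1": (("des3-hmac-sha1", "des3-cbc-sha1-kd"), False),
    "des-hmac-sha1": ((), True),
    "aes256-cts-hmac-sha1-96": (("aes256-cts",), False),
    "aes128-cts-hmac-sha1-96": (("aes128-cts",), False),
    "arcfour-hmac": (("rc4-hmac", "arcfour-hmac-md5"), False),
    "arcfour-hmac-exp": (("rc4-hmac-exp", "arcfour-hmac-md5-exp"), True),
    "camellia256-cts-cmac": (("camellia256-cts",), False),
    "camellia128-cts-cmac": (("camellia128-cts",), False),
}
FAMILIES = {
    "des": ["des-cbc-crc", "des-cbc-md5", "des-cbc-md4"],
    "des3": ["des3-cbc-sha1"],
    "aes": ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"],
    "rc4": ["arcfour-hmac"],
    "camellia": ["camellia256-cts-cmac", "camellia128-cts-cmac"],
}
CANONICAL = {n: c for c, (aliases, _) in ENCTYPES.items() for n in (c, *aliases)}
KEYS = {"default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"}

def audit(conf_text):
    """Return weak enctypes and unrecognised names found in enctype lists."""
    weak, unknown = [], []
    for line in conf_text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(.*)", line)  # comment lines never match
        if not m or m.group(1) not in KEYS:
            continue
        key = m.group(1)
        for tok in filter(None, re.split(r"[\s,]+", m.group(2).lower())):
            names = FAMILIES.get(tok) or ([CANONICAL[tok]] if tok in CANONICAL else [])
            if not names:
                unknown.append((key, tok))  # not in the table: review by hand
            weak += [(key, tok, n) for n in names if ENCTYPES[n][1]]
    return {"weak": weak, "unknown": unknown}

# Constructed sample configuration, not taken from any real deployment.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    # permitted_enctypes = des
    permitted_enctypes = aes256-cts rc4-hmac-exp des
    default_tkt_enctypes = aes, des3-hmac-sha1 foo-cipher
"""

print(audit(SAMPLE))
```

Each finding keeps the name as written in the file next to the canonical type it expands to, so a family name such as `des` shows up once per weak member.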
A standalone KDC server that can integrate various identity backends including:
Apache Kerby is also available as a Maven dependency.

```xml
<!-- Kerberos client API -->
<dependency>
    <groupId>org.apache.kerby</groupId>
    <artifactId>kerb-client-api-all</artifactId>
    <version>${kerby-version}</version>
</dependency>
<!-- Kerberos server API -->
<dependency>
    <groupId>org.apache.kerby</groupId>
    <artifactId>kerb-server-api-all</artifactId>
    <version>${kerby-version}</version>
</dependency>
<!-- ASN-1 encoding and decoding framework -->
<dependency>
    <groupId>org.apache.kerby</groupId>
    <artifactId>kerby-asn1</artifactId>
    <version>${kerby-version}</version>
</dependency>
<!-- Simplified KDC server -->
<dependency>
    <groupId>org.apache.kerby</groupId>
    <artifactId>kerb-simplekdc</artifactId>
    <version>${kerby-version}</version>
</dependency>
```
Apache License V2.0
Bug
* [DIRKRB-614] - Kerby (simplekdc) fails to handle unknown PADATA
* [DIRKRB-629] - ICMP Port Unreachable error message with GSS + default transport
* [DIRKRB-631] - Not compatible with MIT Kerberos 1.11+
* [DIRKRB-633] - "Invalid signature file digest for Manifest main attributes" exception after running kinit tool
* [DIRKRB-634] - Failed to get service granting ticket from MIT KDC using Kerby client
* [DIRKRB-644] - ClassCastException in TokenPreauth
* [DIRKRB-645] - Start KerbyKdcServer should be failed if kdc_port already in use
Improvement
* [DIRKRB-635] - Backends should be optional when building kerby
* [DIRKRB-641] - Implement kinit -k -i
* [DIRKRB-643] - Implement kinit -l -r
* [DIRKRB-646] - Add the feature of parsing time duration for kinit tool
New Feature
* [DIRKRB-632] - Put claims from the JWT access token into the authorization data of the ticket
Sub-task
* [DIRKRB-247] - Kerby's KDC supports MIT's kinit
* [DIRKRB-421] - Define transaction API for identity backend
* [DIRKRB-422] - Enhance json backend to support transaction for reasonable efficiency
* [DIRKRB-478] - Refine and enhance the client side library
* [DIRKRB-524] - XDR (RFC 4506) support
Bug
* [DIRKRB-583] - Validate payload length declared in keytab
* [DIRKRB-584] - NPE if the token issuers value is not specified
* [DIRKRB-585] - Allow for optional expiry + NotBefore claims when processing a JWT token
* [DIRKRB-586] - NPE in KdcHandler on an Exception
* [DIRKRB-613] - Tests fails on systems with includedir in /etc/krb5.conf
* [DIRKRB-621] - 0x502 version keytab with multiple entries are not read properly
* [DIRKRB-624] - KdcServerTest failed with exception
* [DIRKRB-626] - Some improvement work for exception handling
* [DIRKRB-627] - Kerby hangs when the service principal is not known
Improvement
* [DIRKRB-416] - Allow to support transaction for backend
* [DIRKRB-459] - Enhance the support for MIT krb5.conf configuration format
* [DIRKRB-482] - Break down KrbOption
* [DIRKRB-587] - Load JWT verification key from classpath as well
* [DIRKRB-588] - Support validation keys in different formats
* [DIRKRB-607] - Improve Simple KDC Server to be thread safe
* [DIRKRB-623] - Move the backend related tests to backend modules
Task
* [DIRKRB-155] - Add the missing Javadoc for kerby-asn1 module
* [DIRKRB-532] - Encode and decode XDR: Union and Struct
105 JIRA issues were resolved, with the following features and important changes since 1.0.0-RC1: