On Mon, 14 May 2018, Robbie Harwood via FreeIPA-devel wrote:
Rob Crittenden <rcritten(a)redhat.com> writes:
> Robbie Harwood wrote:
>> Rob Crittenden via FreeIPA-devel <freeipa-devel(a)lists.fedorahosted.org>
>> writes:
>>
>>> Here are the draft release notes for the second pre-release of 4.7.0.
>>> Let me know if I've missed anything.
>>>
>>> The major new features of this release are:
>>> * Switch from using mod_nss for the Apache TLS engine to using mod_ssl.
>>> Upgrading will move the certificates and keys from /etc/httpd/alias to
>>> /var/lib/ipa/certs/.
>>> * Switch time client and server from ntp to chrony.
>>> * Switch from using authconfig to authselect to configure the PAM stack.
>>>
>>> === Robbie Harwood (2) ===
>>> * Move krb5 snippet into freeipa-client-common
>>> * Enable SPAKE support using krb5.conf.d snippet
>>
>> In my opinion, SPAKE support is a major feature, but I'm of course
>> biased and leave it to your discretion.
>
> Sure, tell me how you want it to read and I'll add it.

Configure the KDC to support SPAKE
(draft-ietf-kitten-krb-spake-preauth-05), which strengthens Kerberos
using elliptic curve cryptography for its handshake.

Maybe we can say a bit more:
- Kerberos clients can now use SPAKE to strengthen their handshake with
a FreeIPA KDC based on elliptic curve cryptography. See IETF draft
draft-ietf-kitten-krb-spake-preauth-05 and relevant portions of
krb5.conf(5) and kdc.conf(5) for details. SPAKE is enabled
for new IPA servers and clients by default.

I'd also add a note around translation improvements:
- Thanks to our translation volunteers, FreeIPA 4.6.90.pre2 sees a
major update for Chinese, French, Russian, and Ukrainian languages.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland