Kerberos Version 5, Release 1.20

Copyright and Other Notices
---------------------------

Copyright (C) 1985-2022 by the Massachusetts Institute of Technology
and its contributors. All rights reserved.

Please see the file named NOTICE for additional notices.

Unified documentation for Kerberos V5 is available in both HTML and
PDF formats. The table of contents of the HTML format documentation
is at doc/html/index.html, and the PDF format documentation is in the

Additionally, you may find copies of the HTML format documentation

https://web.mit.edu/kerberos/krb5-latest/doc/

for the most recent supported release, or at

https://web.mit.edu/kerberos/krb5-devel/doc/

for the release under development.

More information about Kerberos may be found at

https://web.mit.edu/kerberos/

and at the MIT Kerberos Consortium web site

Building and Installing Kerberos 5
----------------------------------

Build documentation is in doc/html/build/index.html or

The installation guide is in doc/html/admin/install.html or

If you are attempting to build under Windows, please see the
src/windows/README file.

Please report any problems/bugs/comments by sending email to

You may view bug reports by visiting

https://krbdev.mit.edu/rt/

and using the "Guest Login" button. Please note that the web
interface to our bug database is read-only for guests, and the primary
way to interact with our bug database is via email.

Beginning with release 1.20, the KDC will include minimal PACs in
tickets instead of AD-SIGNEDPATH authdata. S4U requests (protocol
transition and constrained delegation) must now contain valid PACs in
the incoming tickets. If only some KDCs in a realm have been upgraded
across version 1.20, the upgraded KDCs will reject S4U requests
containing tickets from non-upgraded KDCs and vice versa.

Beginning with the krb5-1.19 release, a warning will be issued if
initial credentials are acquired using the des3-cbc-sha1 encryption
type. In future releases, this encryption type will be disabled by
default and eventually removed.

Beginning with the krb5-1.18 release, single-DES encryption types have

Major changes in 1.20.1 (2022-11-15)
------------------------------------

This is a bug fix release.

* Fix integer overflows in PAC parsing [CVE-2022-42898].

* Fix null deref in KDC when decoding invalid NDR.

* Fix memory leak in OTP kdcpreauth module.

* Fix PKCS11 module path search.
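As an added illustration of the bug class behind the PAC parsing fix listed above, the following is a bounds-checked parser for the PAC header layout (a PACTYPE header followed by PAC_INFO_BUFFER entries, as described in MS-PAC). It is example code written for this note, not the pac.c code from MIT krb5; the sample PAC bytes and the parse_sample() helper are constructed here for demonstration. The point it shows is that a header length computed as `8 + cBuffers * 16` and an end check written as `Offset + cbBufferSize > len` can both wrap on a 32-bit size_t, so each is rewritten as a division or subtraction that cannot overflow.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Layout constants from MS-PAC: PACTYPE is cBuffers (4 bytes) + Version
 * (4 bytes); each PAC_INFO_BUFFER is ulType (4) + cbBufferSize (4) +
 * Offset (8).  Buffer offsets are 8-byte aligned. */
#define PACTYPE_LENGTH         8u
#define PAC_INFO_BUFFER_LENGTH 16u
#define PAC_ALIGNMENT          8u
#define PAC_VERSION            0u

struct pac_buffer {
    uint32_t type;
    uint32_t size;
    uint64_t offset;
};

static uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static uint64_t load_le64(const uint8_t *p)
{
    return (uint64_t)load_le32(p) | (uint64_t)load_le32(p + 4) << 32;
}

static void store_le32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Parse the PAC header in data[0..len) into out[]; returns the number of
 * buffers on success or -1 for any malformed input.  Every size
 * computation is either bounded before multiplying or written as a
 * subtraction that cannot wrap. */
int pac_parse_header(const uint8_t *data, size_t len,
                     struct pac_buffer *out, size_t out_max)
{
    if (len < PACTYPE_LENGTH)
        return -1;
    uint32_t cbuffers = load_le32(data);
    uint32_t version = load_le32(data + 4);
    if (version != PAC_VERSION)
        return -1;

    /* Unsafe: header_len = 8 + cbuffers * 16 can wrap on 32-bit size_t.
     * Safe: bound cbuffers by the bytes actually available first. */
    if (cbuffers > (len - PACTYPE_LENGTH) / PAC_INFO_BUFFER_LENGTH)
        return -1;
    if (cbuffers > out_max)
        return -1;
    size_t header_len = PACTYPE_LENGTH +
                        (size_t)cbuffers * PAC_INFO_BUFFER_LENGTH;

    for (uint32_t i = 0; i < cbuffers; i++) {
        const uint8_t *p = data + PACTYPE_LENGTH +
                           (size_t)i * PAC_INFO_BUFFER_LENGTH;
        struct pac_buffer b = { load_le32(p), load_le32(p + 4),
                                load_le64(p + 8) };
        /* Offset must be aligned, past the header and inside the PAC;
         * "offset + size <= len" is written as "size <= len - offset". */
        if (b.offset % PAC_ALIGNMENT != 0)
            return -1;
        if (b.offset < header_len || b.offset > len)
            return -1;
        if (b.size > len - b.offset)
            return -1;
        out[i] = b;
    }
    return (int)cbuffers;
}

/* Constructed sample PAC: header (8) + one PAC_INFO_BUFFER (16) + an
 * 8-byte buffer body, 32 bytes in total.  cbuffers and size are
 * parameters so hostile header values can be injected for testing. */
int parse_sample(uint32_t cbuffers, uint32_t size)
{
    uint8_t pac[32];
    struct pac_buffer out[4];
    memset(pac, 0, sizeof pac);
    store_le32(pac, cbuffers);   /* cBuffers */
    store_le32(pac + 4, 0);      /* Version */
    store_le32(pac + 8, 6);      /* ulType 6 = server checksum buffer */
    store_le32(pac + 12, size);  /* cbBufferSize */
    store_le32(pac + 16, 24);    /* Offset = 24 (high 32 bits stay 0) */
    return pac_parse_header(pac, sizeof pac, out, 4);
}

int main(void)
{
    printf("well-formed PAC:      %d\n", parse_sample(1, 8));
    printf("huge cBuffers:        %d\n", parse_sample(0xFFFFFFFFu, 8));
    printf("size wraps past end:  %d\n", parse_sample(1, 0xFFFFFFF8u));
    return 0;
}
```

The second and third sample inputs are the two shapes that an unchecked header computation would accept: a cBuffers value whose multiplied header length wraps to a small number, and a cbBufferSize for which Offset + cbBufferSize wraps back below the PAC length. Both are rejected here before any buffer is touched.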
krb5-1.20.1 changes by ticket ID
--------------------------------

9061 Fix memory leak in SPAKE kdcpreauth module
9062 Fix net-server.c when AI_NUMERICSERV is undefined
9063 Fix memory leak in OTP kdcpreauth module
9064 Free verto context later in KDC cleanup
9065 Fix uncommon PKINIT memory leak
9067 Fix PKCS11 module path search
9073 Fix null deref in KDC when decoding invalid NDR
9074 Fix integer overflows in PAC parsing

Major changes in 1.20 (2022-05-26)
----------------------------------

Administrator experience:

* Added a "disable_pac" realm relation to suppress adding PAC authdata
to tickets, for realms which do not need to support S4U requests.

* Most credential cache types will use atomic replacement when a cache
is reinitialized using kinit or refreshed from the client keytab.

* kprop can now propagate databases with a dump size larger than 4GB,
if both the client and server are upgraded.

* kprop can now work over NATs that change the destination IP address,
if the client is upgraded.

Developer experience:

* Updated the KDB interface. The sign_authdata() method is replaced
with the issue_pac() method, allowing KDB modules to add logon info
and other buffers to the PAC issued by the KDC.

* Host-based initiator names are better supported in the GSS krb5

* Replaced AD-SIGNEDPATH authdata with minimal PACs.

* To avoid spurious replay errors, password change requests will not
be attempted over UDP until the attempt over TCP fails.

* PKINIT will sign its CMS messages with SHA-256 instead of SHA-1.

* Updated all code using OpenSSL to be compatible with OpenSSL 3.

* Reorganized the libk5crypto build system to allow the OpenSSL
back-end to pull in material from the builtin back-end depending on

* Simplified the PRNG logic to always use the platform PRNG.

* Converted the remaining Tcl tests to Python.

krb5-1.20 changes by ticket ID
------------------------------

7707 Credential cache API does not support atomic reinitialization
8010 gss_store_cred should initialize ccache and work with collections
8970 Wrong Encryption types shown in MIT Kerberos Ticket Manager on Windows
8976 all-liblinks build target fails when symlinks not supported
8977 Allow kprop over more types of NATs
8978 Support host-based GSS initiator names
8980 Add APIs for marshalling credentials
8981 Documentation__krb5.conf
8983 Infer name type when creating principals
8988 Only require one valid pkinit anchor/pool value
8990 Add KCM_OP_GET_CRED_LIST for faster iteration
8991 Fix PKINIT memory leaks
8994 Fix gss-krb5 handling of high sequence numbers
8995 KCM interop issue with KRB5_TC_ flags
8997 Use KCM_OP_RETRIEVE in KCM client
8998 Simplify krb5_cccol_have_content()
8999 Add additional KRB5_TRACE points
9000 Fix multiple UPN handling in PKINIT client certs
9002 Check for undefined kadm5 policy mask bits
9003 Add duplicate check to kadm5_create_policy()
9009 Update IRC pointer in resources.rst
9010 Add MAXHOSTNAME guard in Windows public header
9011 Fix some principal realm canonicalization cases
9012 Allow kinit with keytab to defer canonicalization
9013 Fix kadmin -k with fallback or referral realm
9017 Clarify and correct interposer plugin docs
9019 make check fails: OSError: AF_UNIX path too long
9022 Potential integer overflows
9024 Find gss_get_mic_iov extensions in GSS modules
9025 Use version-independent OpenLDAP links in docs
9027 Add OpenLDAP advice to princ_dns.rst
9028 Constify name field in four plugin vtables
9031 Fix verification of RODC-issued PAC KDC signature
9032 Always use platform PRNG
9034 Use builtin MD4, RC4 for OpenSSL 3.0
9035 Avoid use after free during libkrad cleanup
9036 Support larger RADIUS attributes in libkrad
9037 Race condition in krb5_set_password()
9038 Issue an error from KDC on S4U2Self failures
9039 Fix PAC handling of authtimes after y2038
9040 Use 14 instead of 9 for unkeyed SHA-1 checksum
9041 Add PA-REDHAT-IDP-OAUTH2 padata type
9042 Don't fail krb5_cc_select() for no default realm
9043 Add PAC ticket signature APIs
9044 Replace AD-SIGNEDPATH with minimal PACs
9047 Avoid passing null for asprintf strings
9048 Pass client flag to KDB for client preauth match
9049 Add replace_reply_key kdcpreauth callback
9050 Implement replaced_reply_key input to issue_pac()
9051 Clarify certauth interface documentation
9056 Fix iprop with fallback
9060 Read GSS configuration files with mtime 0

Past Sponsors of the MIT Kerberos Consortium:

Carnegie Mellon University
The Department of Defense of the United States of America (DoD)
Iowa State University
Michigan State University
The National Aeronautics and Space Administration
of the United States of America (NASA)
Network Appliance (NetApp)
Nippon Telephone and Telegraph (NTT)
US Government Office of the National Coordinator for Health
Information Technology (ONC)
Pennsylvania State University
The University of Alaska
The University of Michigan
The University of Pennsylvania

Past and present members of the Kerberos Team at MIT:

The following external contributors have provided code, patches, bug
reports, suggestions, and valuable resources:

Christopher D. Clausen
John Devitofranceschi
Love Hörnquist Åstrand
Harshawardhan Kulkarni
Jan iankko Lieskovsky

The above is not an exhaustive list; many others have contributed in
various ways to the MIT Kerberos development effort over the years.
Other acknowledgments (for bug reports and patches) are in the