Kerberos Version 5, Release 1.17

Copyright and Other Notices
---------------------------

Copyright (C) 1985-2019 by the Massachusetts Institute of Technology
and its contributors. All rights reserved.

Please see the file named NOTICE for additional notices.

Unified documentation for Kerberos V5 is available in both HTML and
PDF formats. The table of contents of the HTML format documentation
is at doc/html/index.html, and the PDF format documentation is in the

Additionally, you may find copies of the HTML format documentation

http://web.mit.edu/kerberos/krb5-latest/doc/

for the most recent supported release, or at

http://web.mit.edu/kerberos/krb5-devel/doc/

for the release under development.

More information about Kerberos may be found at

http://web.mit.edu/kerberos/

and at the MIT Kerberos Consortium web site

Building and Installing Kerberos 5
----------------------------------

Build documentation is in doc/html/build/index.html or

The installation guide is in doc/html/admin/install.html or

If you are attempting to build under Windows, please see the
src/windows/README file.

Please report any problems/bugs/comments by sending email to

You may view bug reports by visiting

http://krbdev.mit.edu/rt/

and using the "Guest Login" button. Please note that the web
interface to our bug database is read-only for guests, and the primary
way to interact with our bug database is via email.
The Data Encryption Standard (DES) is widely recognized as weak. The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems. Among these is the allow_weak_crypto
configuration variable, which enables "weak" enctypes and defaults to
"false" beginning with krb5-1.8.
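The krb5.conf fragment below is an added illustration of that setting and is not text from the MIT README or the krb5 distribution. It shows the pre-1.8 (weak) value beside the current default, plus a permitted_enctypes restriction that goes beyond what the notice above requires; EXAMPLE.COM and the file path are placeholders.

```ini
# Added example, not part of the krb5 distribution.  EXAMPLE.COM and the
# path are placeholders; the relation names are the real krb5.conf ones.
# /etc/krb5.conf, applied on clients, application servers and the KDC.

[libdefaults]
    default_realm = EXAMPLE.COM

    # The krb5-1.7 migration knob.  Setting it to true re-enables the
    # single-DES enctypes (des-cbc-crc, des-cbc-md5, des-cbc-md4) and is
    # the line to hunt for in configs inherited from older installs:
    # allow_weak_crypto = true

    # Default since krb5-1.8.  Stating it explicitly documents the intent
    # so a later edit cannot silently flip the default.
    allow_weak_crypto = false

    # Hardening beyond the notice above: limit the session-key enctypes
    # this host will request or accept to AES.  Only do this once every
    # principal it talks to has AES keys, or authentication will fail.
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
```

To find principals that still carry single-DES keys before tightening permitted_enctypes, run `getprinc <name>` in kadmin or kadmin.local; each key is listed as `Key: vno N, <enctype>`, and any `des-cbc-*` entries need a password change or `cpw -randkey` under a supported_enctypes list that excludes DES.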
Major changes in 1.17 (2019-01-08)
----------------------------------

Administrator experience:

* A new Kerberos database module using the Lightning Memory-Mapped
  Database library (LMDB) has been added. The LMDB KDB module should
  be more performant and more robust than the DB2 module, and may
  become the default module for new databases in a future release.

* "kdb5_util dump" will no longer dump policy entries when specific
  principal names are requested.
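Since the README does not show how the new module is selected, here is an added kdc.conf example (not from the krb5 distribution) that points a realm at the LMDB KDB module. The realm name, the module label lmdb_example and the database path are placeholders; db_library, database_name, mapsize and nosync are the real relation names.

```ini
# Added example, not part of the krb5 distribution.  EXAMPLE.COM, the
# module label "lmdb_example" and the path are placeholders.
# kdc.conf (location varies by platform, e.g. /var/kerberos/krb5kdc/kdc.conf)

[realms]
    EXAMPLE.COM = {
        # Name of the [dbmodules] entry to use for this realm's database.
        database_module = lmdb_example
    }

[dbmodules]
    lmdb_example = {
        # "klmdb" selects the LMDB module added in 1.17; "db2" is the
        # legacy default.
        db_library = klmdb

        # LMDB stores the principal/policy data and the lockout
        # attributes in files derived from this path.
        database_name = /var/kerberos/krb5kdc/principal

        # Maximum size of the memory map in megabytes (default 128).
        # LMDB allocates sparsely, so a generous value costs little, while
        # a too-small value makes writes fail once the map fills up.
        mapsize = 512

        # Keep every write synced to disk.  nosync = true is faster but
        # can lose the most recent updates on a crash; leave it false on
        # the KDC that holds the writable copy of the database.
        nosync = false
    }
```

With this in place, `kdb5_util create -s` builds a fresh LMDB database. An existing DB2 database is not converted automatically: dump it with `kdb5_util dump` under the old module, switch the configuration, then `kdb5_util load` the dump file under the new one.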
* The new krb5_get_etype_info() API can be used to retrieve enctype,
  salt, and string-to-key parameters from the KDC for a client

* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
  principal names to be used with GSS-API functions.

* KDC and kadmind modules which call com_err() will now write to the
  log file in a format more consistent with other log messages.

* Programs which use large numbers of memory credential caches should

* The SPAKE pre-authentication mechanism is now supported. This
  mechanism protects against password dictionary attacks without
  requiring any additional infrastructure such as certificates. SPAKE
  is enabled by default on clients, but must be manually enabled on
  the KDC for this release.
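The following configuration is an added example, not text from the README or the krb5 distribution, showing the manual KDC enablement the item above refers to together with the matching client side. The realm and host names are placeholders; spake_preauth_groups, spake_preauth_indicator and disable_encrypted_timestamp are the real relation names (the last two are also new in 1.17; see tickets 8647 and 8655 below).

```ini
# Added example, not part of the krb5 distribution.  EXAMPLE.COM and
# kdc1.example.com are placeholders.

# ---- kdc.conf on the KDC ------------------------------------------
# 1.17 ships with no SPAKE groups enabled on the KDC, so SPAKE is off
# until a group list is given.  The KDC only offers pre-authentication
# to principals that carry the requires_preauth attribute.
[libdefaults]
    spake_preauth_groups = edwards25519

[realms]
    EXAMPLE.COM = {
        # Optional: stamp tickets obtained via SPAKE with an auth
        # indicator so services can require it.
        spake_preauth_indicator = spake
    }

# ---- krb5.conf on clients -----------------------------------------
[libdefaults]
    default_realm = EXAMPLE.COM
    # edwards25519 is already the client default; listed for clarity.
    spake_preauth_groups = edwards25519

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        # Refuse the legacy encrypted-timestamp pre-authentication so a
        # network attacker cannot downgrade the exchange to a form that
        # yields offline-crackable material.
        disable_encrypted_timestamp = true
    }
```

Enable the KDC side first and verify with `kinit` against a `+requires_preauth` principal (for example after `kadmin.local -q "modprinc +requires_preauth alice"`) before turning on disable_encrypted_timestamp on clients; a client with that flag set cannot authenticate to a realm whose KDCs offer only encrypted timestamp.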
* PKINIT freshness tokens are now supported. Freshness tokens can
  protect against scenarios where an attacker uses temporary access to
  a smart card to generate authentication requests for the future.

* Password change operations now prefer TCP over UDP, to avoid
  spurious error messages about replays when a response packet is

* The KDC now supports cross-realm S4U2Self requests when used with a
  third-party KDB module such as Samba's. The client code for
  cross-realm S4U2Self requests is also now more robust.

* The new ktutil addent -f flag can be used to fetch salt information
  from the KDC for password-based keys.

* The new kdestroy -p option can be used to destroy a credential cache
  within a collection by client principal name.

* The Kerberos man page has been restored, and documents the
  environment variables that affect programs using the Kerberos

* Python test scripts now use Python 3.

* Python test scripts now display markers in verbose output, making it
  easier to find where a failure occurred within the scripts.

* The Windows build system has been simplified and updated to work
  with more recent versions of Visual Studio. A large volume of
  unused Windows-specific code has been removed. Visual Studio 2013
  or later is now required.
krb5-1.17 changes by ticket ID
------------------------------

7905 Password changes can result in replay error
8202 memory ccache cursors are invalidated by initialize
8270 No logging when a non-root ksu with command fails authorization
8587 ktutil addent should be able to fetch etype-info2 for principal
8629 etype-info not included in hint list for REQUIRES_HW_AUTH principals
8630 Logging from KDC/kadmind plugin modules
8634 Trace log on k5tls load failure
8635 Fix a few German translation prepositions
8636 PKINIT certid option cannot handle leading zero
8641 Make public headers work with gcc -Wundef
8642 etype-info conflated for initial, final reply key enctype
8647 Add SPAKE preauth support
8648 Implement PKINIT freshness tokens
8650 Exit with status 0 from kadmind
8651 profile library may try to reread from special device files
8652 Report extended errors in kinit -k -t KDB:
8653 Include preauth name in trace output if possible
8654 Prevent fallback from SPAKE to encrypted timestamp
8655 Need per-realm client configuration to deny encrypted timestamp
8657 SPAKE support for Windows build
8659 SPAKE client asks for password before checking second-factor support
8661 ksu segfaults when argc == 0
8662 Windows README does not document MFC requirement
8663 TLS is not free on library unload
8664 Avoid simultaneous KDB/ulog locks in ulog_replay
8665 Display more extended errors in kdb5_util
8673 Improve error for kadmind -proponly without iprop
8674 Add LMDB KDB module
8677 Escape curly braces in def-check.pl regexes
8678 Don't specify MFC library in Leash build
8679 Fix Leash build error with recent Visual Studio
8680 Update kfw installer for VS2017, WiX 3.11.1
8682 Stop building CNS for Windows
8684 Fix option parsing on Windows
8685 Make plugin auto-registration work on Windows
8686 Process profile includedir in sorted order
8687 Repeated lookups of local computer name on Windows
8689 t_path.c build failure with NDEBUG
8690 Fix Windows strerror_r() implementation
8691 Use pkg.m4 macros
8692 Make docs build python3-compatible
8693 Resource leak in domain_fallback_realm()
8694 Add documentation on dictionary attacks
8695 Resource leak in krb5_524_conv_principal()
8696 Resource leak in krb5_425_conv_principal()
8697 Resource leak in krb5_gss_inquire_cred()
8698 Resource leak in aname_replacer()
8699 Resource leak in k5_os_hostaddr()
8700 Resource leak in krb5int_get_fq_local_hostname()
8702 Resource leak in kdb5_purge_mkeys()
8703 Resource leak in RPC UDP cache code
8704 Resource leak in read_secret_file()
8707 Resource leak in ulog_map()
8708 Incorrect error handling in OTP plugin
8709 Explicitly look for python2 in configure.in
8710 Convert Python tests to Python 3
8711 Use SHA-256 instead of MD5 for audit ticket IDs
8713 Zap copy of secret in RC4 string-to-key
8715 Make krb5kdc -p affect TCP ports
8716 Remove outdated note in krb5kdc man page
8718 krb5_get_credentials incorrectly matches user to user ticket
8719 Extend gss-sample timeout from 10s to 300s
8720 Don't include all MEMORY ccaches in collection
8721 Don't tag S4U2Proxy result creds as user-to-user
8722 Use a hash table for MEMORY ccache resolution
8723 Use PTHREAD_CFLAGS when testing for getpwnam_r()
8724 Add kdestroy -p option
8725 Update many documentation links to https
8726 Null deref on some invalid PKINIT identities
8727 Check strdup return in kadm5_get_config_params()
8728 doc: kswitch manual "see also" subsection typo
8729 Memory leak in gss_add_cred() creation case
8730 Add kvno option for user-to-user
8731 Document that DESTDIR must be an absolute path
8732 Fix name of .pdb file in ccapi/test/Makefile.in
8733 Multiple pkinit_identities semantics are unclear and perhaps not useful
8734 gss_add_cred() aliases memory when creating extended cred
8736 Check mech cred in gss_inquire_cred_by_mech()
8737 gss_add_cred() ignores desired_name if creating a new credential
8738 Use the term "replica KDC" in source and docs
8741 S4U2Self client code fails with no default realm
8742 Use "replica" in iprop settings
8743 Fix incorrect TRACE usages to use {str}
8744 KDC/kadmind may not follow master key change before purge_mkeys
8745 libss without readline can interfere with reading passwords
8746 Fix 64-bit Windows socket write error handling
8747 Allow referrals for cross-realm S4U2Self requests
8748 Add more constraints to S4U2Self processing
8749 Add PAC APIs which can include a client realm
8750 Resource leak in ktutil_add()
8751 Fix up kdb5_util documentation
8752 Don't dump policies if principals are specified
8753 Prevent SIGPIPE from socket writes on UNIX-likes
8754 Correct kpasswd_server description in krb5.conf(5)
8755 Bring back general kerberos man page
8756 Add GSS_KRB5_NT_ENTERPRISE_NAME name type
8757 Start S4U2Self realm lookup at server realm
8759 Resource leak in kadm5_randkey_principal_3()
8760 Retry KCM writes once on remote hangup
8762 Fix spelling of auth_to_local example
8763 Ignore password attributes for S4U2Self requests
8767 Remove incorrect KDC assertion
8768 Fix double-close in ksu get_authorized_princ_names
8769 Fix build issues with Solaris native compiler
Past Sponsors of the MIT Kerberos Consortium:

Carnegie Mellon University
The Department of Defense of the United States of America (DoD)
Iowa State University
Michigan State University
The National Aeronautics and Space Administration
of the United States of America (NASA)
Network Appliance (NetApp)
Nippon Telephone and Telegraph (NTT)
US Government Office of the National Coordinator for Health
Information Technology (ONC)
Pennsylvania State University
The University of Alaska
The University of Michigan
The University of Pennsylvania

Past and present members of the Kerberos Team at MIT:

The following external contributors have provided code, patches, bug
reports, suggestions, and valuable resources:

Christopher D. Clausen
John Devitofranceschi
Love Hörnquist Åstrand
Jan iankko Lieskovsky

The above is not an exhaustive list; many others have contributed in
various ways to the MIT Kerberos development effort over the years.
Other acknowledgments (for bug reports and patches) are in the