Kerberos Version 5, Release 1.10

Copyright and Other Notices
---------------------------

Copyright (C) 1985-2012 by the Massachusetts Institute of Technology
and its contributors. All rights reserved.

Please see the file named NOTICE for additional notices.

MIT Kerberos is a project of the MIT Kerberos Consortium. For more
information about the Kerberos Consortium, see http://kerberos.org/

For more information about the MIT Kerberos software, see
http://web.mit.edu/kerberos/

People interested in participating in the MIT Kerberos development
effort should visit http://k5wiki.kerberos.org/

Building and Installing Kerberos 5
----------------------------------

The first file you should look at is doc/install-guide.ps; it contains
the notes for building and installing Kerberos 5. The info file
krb5-install.info has the same information in info file format. You
can view this using the GNU emacs info-mode, or by using the
standalone info file viewer from the Free Software Foundation. This
is also available as an HTML file, install.html.

Other good files to look at are admin-guide.ps and user-guide.ps,
which contain the system administrator's guide, and the user's guide,
respectively. They are also available as info files
kerberos-admin.info and krb5-user.info, respectively. These files are
also available as HTML files.

If you are attempting to build under Windows, please see the
src/windows/README file.

Please report any problems/bugs/comments using the krb5-send-pr
program. The krb5-send-pr program will be installed in the sbin
directory once you have successfully compiled and installed Kerberos
V5 (or if you have installed one of our binary distributions).

If you are not able to use krb5-send-pr because you haven't been able
to compile and install Kerberos V5 on any platform, you may send mail to

Please keep in mind that unencrypted e-mail is not secure. If you need
to report a security vulnerability, or send sensitive information,
please PGP-encrypt it to krbcore-security@mit.edu.

You may view bug reports by visiting

http://krbdev.mit.edu/rt/

and logging in as "guest" with password "guest".

The Data Encryption Standard (DES) is widely recognized as weak. The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems. Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.

Major changes in 1.10.2
-----------------------

This is a bugfix release.

* Fix an interop issue with Windows Server 2008 R2 Read-Only Domain

* Update a workaround for a glibc bug that would cause DNS PTR queries
  to occur even when rdns = false.

* Fix a kadmind denial of service issue (null pointer dereference),
  which could only be triggered by an administrator with the "create"
  privilege. [CVE-2012-1013]

krb5-1.10.2 changes by ticket ID
--------------------------------

7095 Build system uses @localedir@ without requiring autoconf 2.60
7099 Decrypting history key entries can fail after 1.8 upgrade
7119 Preauth fails for second AS request in a krb5 context
7120 Use correct name-type in TGS-REQs for 2008R2 RODCs
7124 krb5_sname_to_principal canonicalization should work with
7127 Can't change password without default_realm
7136 S4U2Self using kvno broken in 1.10.1, but not in 1-9.3
7143 krb5_set_trace_filename not exported
7148 Export gss_mech_krb5_wrong from libgssapi_krb5
7152 Null pointer deref in kadmind [CVE-2012-1013]

Major changes in 1.10.1
-----------------------

This is a bugfix release.

* Fix access controls for KDB string attributes [CVE-2012-1012]

* Make the ASN.1 encoding of key version numbers interoperate with
  Windows Read-Only Domain Controllers

* Avoid generating spurious password expiry warnings in cases where
  the KDC sends an account expiry time without a password expiry time.

krb5-1.10.1 changes by ticket ID
--------------------------------

7074 workaround for Solaris 8 lacking isblank
7081 Don't use stack variable address in as_req state
7082 Various lookaside cache fixes
7084 Don't check mech in krb5_gss_inquire_cred_by_mech
7087 krb5_gss_get_name_attribute fails to set display_value
7088 Fix uninitialized variable warning in trval.c
7089 Initialize gss_get_name_attribute output buffers
7092 kvno ASN.1 encoding interop with Windows RODCs
7093 Access controls for string RPCs [CVE-2012-1012]
7096 Fix KDB iteration when callback does write calls
7098 Fix spurious password expiry warning

Major changes in 1.10
---------------------

Additional background information on these changes may be found at

http://k5wiki.kerberos.org/wiki/Release_1.10

http://k5wiki.kerberos.org/wiki/Category:Release_1.10_projects

* Fix MITKRB5-SA-2011-006 and MITKRB5-SA-2011-007 KDC denial of
  service vulnerabilities [CVE-2011-1527 CVE-2011-1528 CVE-2011-1529

* Update the Fortuna implementation to more accurately implement the
  description in _Cryptography Engineering_, and make it the default

* Add an alternative PRNG that relies on the OS native PRNG.

Developer experience:

* Add the ability for GSSAPI servers to use any keytab key for a
  specified service, if the server specifies a host-based name with no

* In the build system, identify the source files needed for
  per-message processing within a kernel and ensure that they remain

* Allow rd_safe and rd_priv to ignore the remote address.

* Rework KDC and kadmind networking code to use an event loop

* Add a plugin interface for providing configuration information.

Administrator experience:

* Add more complete support for renaming principals.

* Add the profile variable ignore_acceptor_hostname in libdefaults. If
  set, GSSAPI will ignore the hostname component of acceptor names
  supplied by the server, allowing any keytab key matching the service

* Add support for string attributes on principal entries.

* Allow password changes to work over NATs.

* Add the DIR credential cache type, which can hold a collection of

* Enhance kinit, klist, and kdestroy to support credential cache
  collections if the cache type supports it.

* Add the kswitch command, which changes the selected default cache

* Add heuristic support for choosing client credentials based on the

* Add support for $HOME/.k5identity, which allows credential choice
  based on configured rules.

* Add support for localization. (No translations are provided in this
  release, but the infrastructure is present for redistributors to

* Make PKINIT work with FAST in the client library.

krb5-1.10 changes by ticket ID
------------------------------

6118 rename principals
6323 kadmin: rename support
6430 Avoid looping when preauth can't be generated
6617 uninitialized values used in mkey-migration code
6732 checks for openpty() aren't made using -lutil
6770 kg_unseal leads to overlap of source and destination in memcpy...
6813 memory leak in gss_accept_sec_context
6814 Improve kdb5_util load locking and recovery
6816 potential memory leak in spnego
6817 potential null dereference in gss mechglue
6835 accept_sec_context RFC4121 support bug in 1.8.3
6851 pkinit can't parse some valid cms messages
6854 kadmin's ktremove can remove wrong entries when removing kvno 0
6855 Improve acceptor name flexibility
6857 missing ifdefs around IPv6 code
6858 Assume ELF on FreeBSD if objformat doesn't exist
6863 memory leak on SPNEGO error path
6868 Defer hostname lookups in krb5_sendto_kdc
6872 Fix memory leak in t_expire_warn
6874 Fortuna as default PRNG
6878 Add test script for user2user programs
6887 Use first principal in keytab when verifying creds
6890 Implement draft-josefsson-gss-capsulate
6891 Add gss_userok and gss_pname_to_uid
6892 Prevent bleed-through of mechglue symbols into loaded mechs
6893 error codes from error responses can be discarded when there's e-data
6894 More sensical mech selection for gss_acquire_cred/accept_sec_context
6895 gss_duplicate_name SPI for SPNEGO
6896 Allow anonymous name to be imported with empty name buffer
6897 Default principal name in the acceptor cred corresponds to
     first entry in associated keytab.
6898 Set correct minor_status value in call to gss_display_status.
6902 S4U impersonated credential KRB5_CC_NOT_FOUND
6904 Install k5login(5) as well as .k5login(5)
6905 support poll() in sendto_kdc.c
6910 Account lockout policy parameters not documented
6911 Account lockout policy options time format
6914 krb5-1.9.1 static compile error +preliminary patch (fwd)
6915 klist -s trips over referral entries
6918 Localize user interface strings using gettext
6921 Convert preauth_plugin.h to new plugin framework
6922 Work around glibc getaddrinfo PTR lookups
6923 Use AI_ADDRCONFIG for more efficient getaddrinfo
6924 Fix multiple libkdb_ldap memory leaks
6927 chpass_util.c improvements
6928 use timegm() for krb5int_gmt_mktime() when available
6929 Pluggable configuration
6931 Add libedit/readline support to ss.
6933 blocking recv caused our server to hang
6934 don't require a default realm
6936 multiple mechanisms and spnego_gss_init_sec_context
6944 gss_acquire_cred erroneous failure and potential segfault for caller
6945 spnego_gss_acquire_cred_impersonate_name incorrect usage of
     impersonator_cred_handle
6951 assertion failure when connections fail in service_fds()
6953 Add the DIR ccache type
6954 Add new cache collection APIs
6955 Remove unneeded cccol behaviors
6956 Add ccache collection support to tools
6957 Add krb5_cc_select() API and pluggable interface
6958 Make gss-krb5 use cache collection
6961 Support pkinit: SignedData with no signers (KDC)
6962 pkinit: client: Use SignedData for anonymous
6964 Support special salt type in default krb5_dbe_cpw.
6965 Remove CFLAGS and external deps from krb5-config --libs
6966 Eliminate domain-based client realm walk
6968 [PATCH] Man page fixes
6969 Create e_data as pa_data in KDC interfaces.
6971 Use type-safe callbacks in preauth interface
6974 Make krb5_pac_sign public
6975 Add PKINIT NSS support
6976 Hide gak_fct interface and arguments in clpreauth
6977 Install krb5/preauth_plugin.h
6978 Allow rd_priv/rd_safe without remote address
6979 Allow password changes over NATs
6980 Ensure termination in Windows vsnprintf wrapper
6981 SA-2011-006 KDC denial of service [CVE-2011-1527 CVE-2011-1528
6987 Fix krb5_cc_set_config
6988 Fix handling of null edata method in KDC preauth
6989 fix tar invocation in mkrel
6992 Make krb5_find_authdata public
6994 Fix intermediate key length in hmac-md5 checksum
6995 Initialize typed_e_data in as_req_state
6996 Make krb5_check_clockskew public
6997 don't build po/ if msgfmt is missing
6999 compile warnings, minimum version check for pkinit (NSS code paths)
7000 Exit on error in kadmind kprop child
7002 verto should have a pointer to upstream sources and be in NOTICE
7003 Fix month/year units in getdate
7006 Fix format string for TRACE_INIT_CREDS_SERVICE
7014 Fix com_err.h dependencies in gss-kernel-lib
7015 Add plugin interface_names entry for ccselect
7017 Simplify and fix kdcpreauth request_body callback
7018 Update verto to 0.2.2 release
7019 Make verto context available to kdcpreauth modules
7020 reading minor error message doesn't work for the IAKERB mech
7021 Fix failure interval of 0 in LDAP lockout code
7023 Clean up client-side preauth error data handling
7029 Fix --with-system-verto without pkg-config
7030 Ldap dependency for parallel builds
7033 krb5 1.10 KRB5_PADATA_ENC_TIMESTAMP isn't working
7034 mk_cred: memory management
7035 krb5_lcc_store() now ignores config credentials
7036 Fix free of uninitialized memory in sname_to_princ
7037 Use LsaDeregisterLogonProcess(), not CloseHandle()
7038 Added support for loading of Krb5.ini from Windows APPDATA
7039 Handle TGS referrals to the same realm
7042 SA-2011-007 KDC null pointer deref in TGS handling [CVE-2011-1530]
7049 Fix subkey memory leak in krb5_get_credentials
7050 KfW changes for krb5-1.10
7051 krb5_server_decrypt_ticket_keytab wrongly succeeds
7053 Verify acceptor's mech in SPNEGO initiator
7055 Rename Table of Contents.hhc
7057 Krb5 1.9.x does not build on Solaris 8 - Implicit function
7060 Convert securid module edata method
7065 delete duplicate NOTICE file
7067 documentation license to CC-BY-SA 3.0 Unported
7077 LIBS should not include PKINIT_CRYPTO_IMPL_LIBS
7078 Use INSTALL_DATA to install message catalogues

Past and present Sponsors of the MIT Kerberos Consortium:

    Carnegie Mellon University
    The Department of Defense of the United States of America (DoD)
    Iowa State University
    Michigan State University
    The National Aeronautics and Space Administration
        of the United States of America (NASA)
    Network Appliance (NetApp)
    Nippon Telephone and Telegraph (NTT)
    Pennsylvania State University
    The University of Alaska
    The University of Michigan
    The University of Pennsylvania

Past and present members of the Kerberos Team at MIT:

The following external contributors have provided code, patches, bug
reports, suggestions, and valuable resources:

    Christopher D. Clausen
    Love Hörnquist Åstrand
    Jan iankko Lieskovsky

The above is not an exhaustive list; many others have contributed in
various ways to the MIT Kerberos development effort over the years.
Other acknowledgments (for bug reports and patches) are in the