- Kerberos Version 5, Release 1.10
+ Kerberos Version 5, Release 1.20
Release Notes
The MIT Kerberos Team
Copyright and Other Notices
---------------------------
-Copyright (C) 1985-2012 by the Massachusetts Institute of Technology
+Copyright (C) 1985-2022 by the Massachusetts Institute of Technology
and its contributors. All rights reserved.
Please see the file named NOTICE for additional notices.
-MIT Kerberos is a project of the MIT Kerberos Consortium. For more
-information about the Kerberos Consortium, see http://kerberos.org/
+Documentation
+-------------
-For more information about the MIT Kerberos software, see
- http://web.mit.edu/kerberos/
+Unified documentation for Kerberos V5 is available in both HTML and
+PDF formats. The table of contents of the HTML format documentation
+is at doc/html/index.html, and the PDF format documentation is in the
+doc/pdf directory.
-People interested in participating in the MIT Kerberos development
-effort should visit http://k5wiki.kerberos.org/
+Additionally, you may find copies of the HTML format documentation
+online at
+
+ https://web.mit.edu/kerberos/krb5-latest/doc/
+
+for the most recent supported release, or at
+
+ https://web.mit.edu/kerberos/krb5-devel/doc/
+
+for the release under development.
+
+More information about Kerberos may be found at
+
+ https://web.mit.edu/kerberos/
+
+and at the MIT Kerberos Consortium web site
+
+ https://kerberos.org/
Building and Installing Kerberos 5
----------------------------------
-The first file you should look at is doc/install-guide.ps; it contains
-the notes for building and installing Kerberos 5. The info file
-krb5-install.info has the same information in info file format. You
-can view this using the GNU emacs info-mode, or by using the
-standalone info file viewer from the Free Software Foundation. This
-is also available as an HTML file, install.html.
+Build documentation is in doc/html/build/index.html or
+doc/pdf/build.pdf.
-Other good files to look at are admin-guide.ps and user-guide.ps,
-which contain the system administrator's guide, and the user's guide,
-respectively. They are also available as info files
-kerberos-admin.info and krb5-user.info, respectively. These files are
-also available as HTML files.
+The installation guide is in doc/html/admin/install.html or
+doc/pdf/install.pdf.
If you are attempting to build under Windows, please see the
src/windows/README file.
Reporting Bugs
--------------
-Please report any problems/bugs/comments using the krb5-send-pr
-program. The krb5-send-pr program will be installed in the sbin
-directory once you have successfully compiled and installed Kerberos
-V5 (or if you have installed one of our binary distributions).
-
-If you are not able to use krb5-send-pr because you haven't been able
-compile and install Kerberos V5 on any platform, you may send mail to
+Please report any problems/bugs/comments by sending email to
krb5-bugs@mit.edu.
-Please keep in mind that unencrypted e-mail is not secure. If you need
-to report a security vulnerability, or send sensitive information,
-please PGP-encrypt it to krbcore-security@mit.edu.
-
You may view bug reports by visiting
- http://krbdev.mit.edu/rt/
+https://krbdev.mit.edu/rt/
-and logging in as "guest" with password "guest".
+and using the "Guest Login" button. Please note that the web
+interface to our bug database is read-only for guests, and the primary
+way to interact with our bug database is via email.
-DES transition
+PAC transition
--------------
-The Data Encryption Standard (DES) is widely recognized as weak. The
-krb5-1.7 release contains measures to encourage sites to migrate away
-from using single-DES cryptosystems. Among these is a configuration
-variable that enables "weak" enctypes, which defaults to "false"
-beginning with krb5-1.8.
-
-Major changes in 1.10.2
------------------------
-
-This is a bugfix release.
-
-* Fix an interop issue with Windows Server 2008 R2 Read-Only Domain
- Controllers.
+Beginning with release 1.20, the KDC will include minimal PACs in
+tickets instead of AD-SIGNEDPATH authdata. S4U requests (protocol
+transition and constrained delegation) must now contain valid PACs in
+the incoming tickets. If only some KDCs in a realm have been upgraded
+across version 1.20, the upgraded KDCs will reject S4U requests
+containing tickets from non-upgraded KDCs and vice versa.
-* Update a workaround for a glibc bug that would cause DNS PTR queries
- to occur even when rdns = false.
+Triple-DES transition
+---------------------
-* Fix a kadmind denial of service issue (null pointer dereference),
- which could only be triggered by an administrator with the "create"
- privilege. [CVE-2012-1013]
+Beginning with the krb5-1.19 release, a warning will be issued if
+initial credentials are acquired using the des3-cbc-sha1 encryption
+type. In future releases, this encryption type will be disabled by
+default and eventually removed.
-krb5-1.10.2 changes by ticket ID
---------------------------------
+Beginning with the krb5-1.18 release, single-DES encryption types have
+been removed.
-7095 Build system uses @localedir@ without requiring autoconf 2.60
-7099 Decrypting history key entries can fail after 1.8 upgrade
-7119 Preauth fails for second AS request in a krb5 context
-7120 Use correct name-type in TGS-REQs for 2008R2 RODCs
-7124 krb5_sname_to_principal canonicalization should work with
- IPv6-only hosts
-7127 Can't change password without default_realm
-7136 S4U2Self using kvno broken in 1.10.1, but not in 1-9.3
-7143 krb5_set_trace_filename not exported
-7148 Export gss_mech_krb5_wrong from libgssapi_krb5
-7152 Null pointer deref in kadmind [CVE-2012-1013]
+Major changes in 1.20.1 (2022-11-15)
+------------------------------------
-Major changes in 1.10.1
------------------------
+This is a bug fix release.
-This is a bugfix release.
+* Fix integer overflows in PAC parsing [CVE-2022-42898].
-* Fix access controls for KDB string attributes [CVE-2012-1012]
+* Fix null deref in KDC when decoding invalid NDR.
-* Make the ASN.1 encoding of key version numbers interoperate with
- Windows Read-Only Domain Controllers
+* Fix memory leak in OTP kdcpreauth module.
-* Avoid generating spurious password expiry warnings in cases where
- the KDC sends an account expiry time without a password expiry time.
+* Fix PKCS11 module path search.
-krb5-1.10.1 changes by ticket ID
+krb5-1.20.1 changes by ticket ID
--------------------------------
-7074 workaround for Solaris 8 lacking isblank
-7081 Don't use stack variable address in as_req state
-7082 Various lookaside cache fixes
-7084 Don't check mech in krb5_gss_inquire_cred_by_mech
-7087 krb5_gss_get_name_attribute fails to set display_value
-7088 Fix uninitialized variable warning in trval.c
-7089 Initialize gss_get_name_attribute output buffers
-7092 kvno ASN.1 encoding interop with Windows RODCs
-7093 Access controls for string RPCs [CVE-2012-1012]
-7096 Fix KDB iteration when callback does write calls
-7098 Fix spurious password expiry warning
-
-Major changes in 1.10
----------------------
-
-Additional background information on these changes may be found at
+9061 Fix memory leak in SPAKE kdcpreauth module
+9062 Fix net-server.c when AI_NUMERICSERV is undefined
+9063 Fix memory leak in OTP kdcpreauth module
+9064 Free verto context later in KDC cleanup
+9065 Fix uncommon PKINIT memory leak
+9067 Fix PKCS11 module path search
+9073 Fix null deref in KDC when decoding invalid NDR
+9074 Fix integer overflows in PAC parsing
- http://k5wiki.kerberos.org/wiki/Release_1.10
+Major changes in 1.20 (2022-05-26)
+----------------------------------
-and
+Administrator experience:
- http://k5wiki.kerberos.org/wiki/Category:Release_1.10_projects
+* Added a "disable_pac" realm relation to suppress adding PAC authdata
+ to tickets, for realms which do not need to support S4U requests.
-Code quality:
+* Most credential cache types will use atomic replacement when a cache
+ is reinitialized using kinit or refreshed from the client keytab.
-* Fix MITKRB5-SA-2011-006 and MITKRB5-SA-2011-007 KDC denial of
- service vulnerabilities [CVE-2011-1527 CVE-2011-1528 CVE-2011-1529
- CVE-2011-1530].
+* kprop can now propagate databases with a dump size larger than 4GB,
+ if both the client and server are upgraded.
-* Update the Fortuna implementation to more accurately implement the
- description in _Cryptography Engineering_, and make it the default
- PRNG.
-
-* Add an alternative PRNG that relies on the OS native PRNG.
+* kprop can now work over NATs that change the destination IP address,
+ if the client is upgraded.
Developer experience:
-* Add the ability for GSSAPI servers to use any keytab key for a
- specified service, if the server specifies a host-based name with no
- hostname component.
-
-* In the build system, identify the source files needed for
- per-message processing within a kernel and ensure that they remain
- independent.
+* Updated the KDB interface. The sign_authdata() method is replaced
+ with the issue_pac() method, allowing KDB modules to add logon info
+ and other buffers to the PAC issued by the KDC.
-* Allow rd_safe and rd_priv to ignore the remote address.
-
-* Rework KDC and kadmind networking code to use an event loop
- architecture.
-
-* Add a plugin interface for providing configuration information.
-
-Administrator experience:
+* Host-based initiator names are better supported in the GSS krb5
+ mechanism.
-* Add more complete support for renaming principals.
-
-* Add the profile variable ignore_acceptor_hostname in libdefaults. If
- set, GSSAPI will ignore the hostname component of acceptor names
- supplied by the server, allowing any keytab key matching the service
- to be used.
-
-* Add support for string attributes on principal entries.
-
-* Allow password changes to work over NATs.
-
-End-user experience:
+Protocol evolution:
-* Add the DIR credential cache type, which can hold a collection of
- credential caches.
+* Replaced AD-SIGNEDPATH authdata with minimal PACs.
-* Enhance kinit, klist, and kdestroy to support credential cache
- collections if the cache type supports it.
+* To avoid spurious replay errors, password change requests will not
+ be attempted over UDP until the attempt over TCP fails.
-* Add the kswitch command, which changes the selected default cache
- within a collection.
+* PKINIT will sign its CMS messages with SHA-256 instead of SHA-1.
-* Add heuristic support for choosing client credentials based on the
- service realm.
+Code quality:
-* Add support for $HOME/.k5identity, which allows credential choice
- based on configured rules.
+* Updated all code using OpenSSL to be compatible with OpenSSL 3.
-* Add support for localization. (No translations are provided in this
- release, but the infrastructure is present for redistributors to
- supply them.)
+* Reorganized the libk5crypto build system to allow the OpenSSL
+ back-end to pull in material from the builtin back-end depending on
+ the OpenSSL version.
-Protocol evolution:
+* Simplified the PRNG logic to always use the platform PRNG.
-* Make PKINIT work with FAST in the client library.
+* Converted the remaining Tcl tests to Python.
-krb5-1.10 changes by ticket ID
+krb5-1.20 changes by ticket ID
------------------------------
-6118 rename principals
-6323 kadmin: rename support
-6430 Avoid looping when preauth can't be generated
-6617 uninitialized values used in mkey-migration code
-6732 checks for openpty() aren't made using -lutil
-6770 kg_unseal leads to overlap of source and desitination in memcpy...
-6813 memory leak in gss_accept_sec_context
-6814 Improve kdb5_util load locking and recovery
-6816 potential memory leak in spnego
-6817 potential null dereference in gss mechglue
-6835 accept_sec_context RFC4121 support bug in 1.8.3
-6851 pkinit can't parse some valid cms messages
-6854 kadmin's ktremove can remove wrong entries when removing kvno 0
-6855 Improve acceptor name flexibility
-6857 missing ifdefs around IPv6 code
-6858 Assume ELF on FreeBSD if objformat doesn't exist
-6863 memory leak on SPNEGO error path
-6868 Defer hostname lookups in krb5_sendto_kdc
-6872 Fix memory leak in t_expire_warn
-6874 Fortuna as default PRNG
-6878 Add test script for user2user programs
-6887 Use first principal in keytab when verifying creds
-6890 Implement draft-josefsson-gss-capsulate
-6891 Add gss_userok and gss_pname_to_uid
-6892 Prevent bleed-through of mechglue symbols into loaded mechs
-6893 error codes from error responses can be discarded when there's e-data
-6894 More sensical mech selection for gss_acquire_cred/accept_sec_context
-6895 gss_duplicate_name SPI for SPNEGO
-6896 Allow anonymous name to be imported with empty name buffer
-6897 Default principal name in the acceptor cred corresponds to
- first entry in associated keytab.
-6898 Set correct minor_status value in call to gss_display_status.
-6902 S4U impersonated credential KRB5_CC_NOT_FOUND
-6904 Install k5login(5) as well as .k5login(5)
-6905 support poll() in sendto_kdc.c
-6909 Kernel subset
-6910 Account lockout policy parameters not documented
-6911 Account lockout policy options time format
-6914 krb5-1.9.1 static compile error +preliminary patch (fwd)
-6915 klist -s trips over referral entries
-6918 Localize user interface strings using gettext
-6921 Convert preauth_plugin.h to new plugin framework
-6922 Work around glibc getaddrinfo PTR lookups
-6923 Use AI_ADDRCONFIG for more efficient getaddrinfo
-6924 Fix multiple libkdb_ldap memory leaks
-6927 chpass_util.c improvements
-6928 use timegm() for krb5int_gmt_mktime() when available
-6929 Pluggable configuration
-6931 Add libedit/readline support to ss.
-6933 blocking recv caused our server to hang
-6934 don't require a default realm
-6936 multiple mechanisms and spnego_gss_init_sec_context
-6944 gss_acquire_cred erroneous failure and potential segfault for caller
-6945 spnego_gss_acquire_cred_impersonate_name incorrect usage of
- impersonator_cred_handle
-6951 assertion failure when connections fail in service_fds()
-6953 Add the DIR ccache type
-6954 Add new cache collection APIs
-6955 Remove unneeded cccol behaviors
-6956 Add ccache collection support to tools
-6957 Add krb5_cc_select() API and pluggable interface
-6958 Make gss-krb5 use cache collection
-6961 Support pkinit: SignedData with no signers (KDC)
-6962 pkinit: client: Use SignedData for anonymous
-6964 Support special salt type in default krb5_dbe_cpw.
-6965 Remove CFLAGS and external deps from krb5-config --libs
-6966 Eliminate domain-based client realm walk
-6968 [PATCH] Man page fixes
-6969 Create e_data as pa_data in KDC interfaces.
-6971 Use type-safe callbacks in preauth interface
-6974 Make krb5_pac_sign public
-6975 Add PKINIT NSS support
-6976 Hide gak_fct interface and arguments in clpreauth
-6977 Install krb5/preauth_plugin.h
-6978 Allow rd_priv/rd_safe without remote address
-6979 Allow password changes over NATs
-6980 Ensure termination in Windows vsnprintf wrapper
-6981 SA-2011-006 KDC denial of service [CVE-2011-1527 CVE-2011-1528
- CVE-2011-1529]
-6987 Fix krb5_cc_set_config
-6988 Fix handling of null edata method in KDC preauth
-6989 fix tar invocation in mkrel
-6992 Make krb5_find_authdata public
-6994 Fix intermediate key length in hmac-md5 checksum
-6995 Initialize typed_e_data in as_req_state
-6996 Make krb5_check_clockskew public
-6997 don't build po/ if msgfmt is missing
-6999 compile warnings, mininum version check for pkinit (NSS code paths)
-7000 Exit on error in kadmind kprop child
-7002 verto sshould have a pointer to upstream sources and be in NOTICE
-7003 Fix month/year units in getdate
-7006 Fix format string for TRACE_INIT_CREDS_SERVICE
-7014 Fix com_err.h dependencies in gss-kernel-lib
-7015 Add plugin interface_names entry for ccselect
-7017 Simplify and fix kdcpreauth request_body callback
-7018 Update verto to 0.2.2 release
-7019 Make verto context available to kdcpreauth modules
-7020 reading minor error message doesn't work for the IAKERB mech
-7021 Fix failure interval of 0 in LDAP lockout code
-7023 Clean up client-side preauth error data handling
-7027 FAST PKINIT
-7029 Fix --with-system-verto without pkg-config
-7030 Ldap dependency for parallel builds
-7033 krb5 1.10 KRB5_PADATA_ENC_TIMESTAMP isn't working
-7034 mk_cred: memory management
-7035 krb5_lcc_store() now ignores config credentials
-7036 Fix free ofuninitialized memory in sname_to_princ
-7037 Use LsaDeregisterLogonProcess(), not CloseHandle()
-7038 Added support for loading of Krb5.ini from Windows APPDATA
-7039 Handle TGS referrals to the same realm
-7042 SA-2011-007 KDC null pointer deref in TGS handling [CVE-2011-1530]
-7049 Fix subkey memory leak in krb5_get_credentials
-7050 KfW changes for krb5-1.10
-7051 krb5_server_decrypt_ticket_keytab wrongly succeeds
-7053 Verify acceptor's mech in SPNEGO initiator
-7055 Rename Table of Contents.hhc
-7057 Krb5 1.9.x does not build on Solaris 8 - Implicit function
- declaration error
-7060 Convert securid module edata method
-7065 delete duplicate NOTICE file
-7067 documentation license to CC-BY-SA 3.0 Unported
-7077 LIBS should not include PKINIT_CRYPTO_IMPL_LIBS
-7078 Use INSTALL_DATA to install message catalogues
+7707 Credential cache API does not support atomic reinitialization
+8010 gss_store_cred should initialize ccache and work with collections
+8970 Wrong Encryption types shown in MIT Kerberos Ticket Manager on Windows
+8976 all-liblinks build target fails when symlinks not supported
+8977 Allow kprop over more types of NATs
+8978 Support host-based GSS initiator names
+8980 Add APIs for marshalling credentials
+8981 Documentation__krb5.conf
+8983 Infer name type when creating principals
+8988 Only require one valid pkinit anchor/pool value
+8990 Add KCM_OP_GET_CRED_LIST for faster iteration
+8991 Fix PKINIT memory leaks
+8994 Fix gss-krb5 handling of high sequence numbers
+8995 KCM interop issue with KRB5_TC_ flags
+8997 Use KCM_OP_RETRIEVE in KCM client
+8998 Simplify krb5_cccol_have_content()
+8999 Add additional KRB5_TRACE points
+9000 Fix multiple UPN handling in PKINIT client certs
+9002 Check for undefined kadm5 policy mask bits
+9003 Add duplicate check to kadm5_create_policy()
+9009 Update IRC pointer in resources.rst
+9010 Add MAXHOSTNAME guard in Windows public header
+9011 Fix some principal realm canonicalization cases
+9012 Allow kinit with keytab to defer canonicalization
+9013 Fix kadmin -k with fallback or referral realm
+9017 Clarify and correct interposer plugin docs
+9019 make check fails: OSError: AF_UNIX path too long
+9022 Potential integer overflows
+9024 Find gss_get_mic_iov extensions in GSS modules
+9025 Use version-independent OpenLDAP links in docs
+9027 Add OpenLDAP advice to princ_dns.rst
+9028 Constify name field in four plugin vtables
+9031 Fix verification of RODC-issued PAC KDC signature
+9032 Always use platform PRNG
+9034 Use builtin MD4, RC4 for OpenSSL 3.0
+9035 Avoid use after free during libkrad cleanup
+9036 Support larger RADIUS attributes in libkrad
+9037 Race condition in krb5_set_password()
+9038 Issue an error from KDC on S4U2Self failures
+9039 Fix PAC handling of authtimes after y2038
+9040 Use 14 instead of 9 for unkeyed SHA-1 checksum
+9041 Add PA-REDHAT-IDP-OAUTH2 padata type
+9042 Don't fail krb5_cc_select() for no default realm
+9043 Add PAC ticket signature APIs
+9044 Replace AD-SIGNEDPATH with minimal PACs
+9047 Avoid passing null for asprintf strings
+9048 Pass client flag to KDB for client preauth match
+9049 Add replace_reply_key kdcpreauth callback
+9050 Implement replaced_reply_key input to issue_pac()
+9051 Clarify certauth interface documentation
+9056 Fix iprop with fallback
+9060 Read GSS configuration files with mtime 0
Acknowledgements
----------------
-Past and present Sponsors of the MIT Kerberos Consortium:
+Past Sponsors of the MIT Kerberos Consortium:
Apple
Carnegie Mellon University
MIT
Michigan State University
Microsoft
+ MITRE Corporation
+ Morgan-Stanley
The National Aeronautics and Space Administration
of the United States of America (NASA)
Network Appliance (NetApp)
Nippon Telephone and Telegraph (NTT)
+ US Government Office of the National Coordinator for Health
+ Information Technology (ONC)
Oracle
Pennsylvania State University
Red Hat
John Carr
Mark Colan
Don Davis
+ Sarah Day
Alexandra Ellwood
Carlos Garay
Dan Geer
Eva Jacobus
Miroslav Jurisic
Barry Jaspan
+ Benjamin Kaduk
Geoffrey King
Kevin Koch
John Kohl
Zhanna Tsitkova
Ted Ts'o
Marshall Vale
- Tom Yu
+ Taylor Yu
The following external contributors have provided code, patches, bug
reports, suggestions, and valuable resources:
Ian Abbott
+ Daniel Albers
Brandon Allbery
Russell Allbery
Brian Almeida
Michael B Allen
+ Pooja Anil
+ Jeffrey Arbuckle
Heinz-Ado Arnolds
Derek Atkins
Mark Bannister
David Bantz
Alex Baule
+ Nikhil Benesch
+ David Benjamin
+ Thomas Bernard
Adam Bernstein
Arlene Berry
Jeff Blaine
+ Toby Blake
Radoslav Bodo
+ Alexander Bokovoy
+ Sumit Bose
Emmanuel Bouillon
+ Isaac Boukris
+ Ulf Bremer
+ Pavel Březina
+ Philip Brown
+ Samuel Cabrero
Michael Calmer
+ Andrea Campi
Julien Chaffraix
+ Puran Chand
Ravi Channavajhala
Srinivas Cheruku
Leonardo Chiquitto
+ Rachit Chokshi
+ Seemant Choudhary
Howard Chu
Andrea Cirulli
Christopher D. Clausen
Kevin Coffman
Simon Cooper
Sylvain Cortes
+ Ian Crowther
+ Arran Cudbard-Bell
+ Adam Dabrowski
+ Jeff D'Angelo
Nalin Dahyabhai
Mark Davies
Dennis Davis
+ Alex Dehnert
+ Misty De Meo
Mark Deneen
+ Günther Deschner
+ John Devitofranceschi
+ Marc Dionne
Roland Dowdeswell
+ Ken Dreyer
+ Dorian Ducournau
+ Viktor Dukhovni
Jason Edgecombe
Mark Eichin
Shawn M. Emery
Douglas E. Engert
Peter Eriksson
Juha Erkkilä
+ Gilles Espinasse
Ronni Feldt
Bill Fellows
JC Ferguson
+ Remi Ferrand
+ Paul Fertser
+ Fabiano Fidêncio
+ Frank Filz
William Fiveash
+ Jacques Florent
+ Oliver Freyermuth
Ákos Frohner
Sebastian Galiano
Marcus Granado
+ Dylan Gray
+ Norm Green
Scott Grizzard
Helmut Grohne
Steve Grubb
Philip Guenther
+ Timo Gurr
Dominic Hargreaves
+ Robbie Harwood
+ John Hascall
Jakob Haufe
+ Matthieu Hautreux
+ Jochen Hein
Paul B. Henson
+ Kihong Heo
Jeff Hodges
Christopher Hogan
Love Hörnquist Åstrand
Jakub Hrozek
Shumon Huque
Jeffrey Hutzelman
+ Sergey Ilinykh
Wyllys Ingersoll
Holger Isenberg
+ Spencer Jackson
+ Diogenes S. Jesus
+ Mike Jetzer
Pavel Jindra
+ Brian Johannesmeyer
Joel Johnson
+ Lutz Justen
+ Alexander Karaivanov
+ Anders Kaseorg
+ Bar Katz
+ Zentaro Kavanagh
+ Mubashir Kazia
W. Trevor King
+ Patrik Kis
+ Martin Kittel
+ Thomas Klausner
+ Tomasz Kłoczko
+ Matthew Krupcale
Mikkel Kruse
+ Reinhard Kugler
+ Harshawardhan Kulkarni
+ Tomas Kuthan
+ Pierre Labastie
+ Andreas Ladanyi
+ Chris Leick
Volker Lendecke
Jan iankko Lieskovsky
+ Todd Lipcon
+ Oliver Loch
+ Chris Long
Kevin Longfellow
+ Frank Lonigro
+ Jon Looney
+ Nuno Lopes
+ Todd Lubin
Ryan Lynch
+ Glenn Machin
+ Roland Mainz
+ Sorin Manolache
+ Robert Marshall
+ Andrei Maslennikov
+ Michael Mattioli
Nathaniel McCallum
Greg McClement
Cameron Meadors
+ Vipul Mehta
Alexey Melnikov
+ Ivan A. Melnikov
Franklyn Mendez
+ Mantas Mikulėnas
Markus Moeller
Kyle Moffett
Paul Moore
Keiichi Mori
Michael Morony
+ Sam Morris
Zbysek Mraz
Edward Murrell
+ Joshua Neuheisel
Nikos Nikoleris
+ Demi Obenour
Felipe Ortega
+ Michael Osipov
Andrej Ota
Dmitri Pal
Javier Palacios
+ Dilyan Palauzov
Tom Parker
+ Eric Pauly
+ Leonard Peirce
Ezra Peisach
+ Alejandro Perez
+ Zoran Pericic
W. Michael Petullo
Mark Phalan
+ Sharwan Ram
+ Brett Randall
Jonathan Reams
+ Jonathan Reed
Robert Relyea
+ Tony Reix
Martin Rex
+ Pat Riehecky
+ Julien Rische
Jason Rogers
+ Matt Rogers
+ Nate Rosenblum
+ Solly Ross
Mike Roszkowski
Guillaume Rousse
+ Joshua Schaeffer
+ Alexander Scheel
+ Jens Schleusener
+ Ryan Schmidt
+ Andreas Schneider
+ Paul Seyfert
Tom Shaw
+ Jim Shi
+ Jerry Shipman
Peter Shoults
+ Richard Silverman
+ Cel Skeggs
Simo Sorce
Michael Spang
Michael Ströder
Bjørn Tore Sund
+ Ondřej Surý
+ Joseph Sutton
+ Joe Travaglini
+ Sergei Trofimovich
+ Greg Troxel
+ Fraser Tweedale
+ Tim Uglow
Rathor Vipin
+ Denis Vlasenko
+ Thomas Wagner
Jorgen Wahlsten
Stef Walter
Max (Weijun) Wang
John Washington
+ Stef Walter
+ Xi Wang
+ Nehal J Wani
Kevin Wasserman
Margaret Wasserman
Marcus Watts
+ Andreas Wiese
Simon Wilkinson
Nicolas Williams
Ross Wilper
+ Augustin Wolf
+ Garrett Wollman
+ David Woodhouse
+ Tsu-Phong Wu
Xu Qiang
+ Neng Xue
+ Zhaomo Yang
+ Tianjiao Yin
+ Nickolai Zeldovich
+ Bean Zhang
Hanz van Zijst
+ Gertjan Zwartjes
The above is not an exhaustive list; many others have contributed in
various ways to the MIT Kerberos development effort over the years.