1 Kerberos Version 5, Release 1.3
6 Unpacking the Source Distribution
7 ---------------------------------
9 The source distribution of Kerberos 5 comes in a gzipped tarfile,
10 krb5-1.3.tar.gz. Instructions on how to extract the entire
13 If you have the GNU tar program and gzip installed, you can simply do:
15 gtar zxpf krb5-1.3.tar.gz
17 If you don't have GNU tar, you will need to get the FSF gzip
18 distribution and use gzcat:
20 gzcat krb5-1.3.tar.gz | tar xpf -
22 Both of these methods will extract the sources into krb5-1.3/src and
23 the documentation into krb5-1.3/doc.
25 Building and Installing Kerberos 5
26 ----------------------------------
28 The first file you should look at is doc/install-guide.ps; it contains
29 the notes for building and installing Kerberos 5. The info file
30 krb5-install.info has the same information in info file format. You
31 can view this using the GNU emacs info-mode, or by using the
32 standalone info file viewer from the Free Software Foundation. This
33 is also available as an HTML file, install.html.
35 Other good files to look at are admin-guide.ps and user-guide.ps,
36 which contain the system administrator's guide, and the user's guide,
37 respectively. They are also available as info files
38 kerberos-admin.info and krb5-user.info, respectively. These files are
39 also available as HTML files.
41 If you are attempting to build under Windows, please see the
42 src/windows/README file.
47 Please report any problems/bugs/comments using the krb5-send-pr
48 program. The krb5-send-pr program will be installed in the sbin
49 directory once you have successfully compiled and installed Kerberos
50 V5 (or if you have installed one of our binary distributions).
52 If you are not able to use krb5-send-pr because you haven't been able
53 compile and install Kerberos V5 on any platform, you may send mail to
56 You may view bug reports by visiting
58 http://krbdev.mit.edu/rt/
60 and logging in as "guest" with password "guest".
62 Notes, Major Changes, and Known Bugs for 1.3
63 --------------------------------------------
65 * We now install the compile_et program, so other packages can use the
66 installed com_err library with their own error tables. (If you use
67 our com_err code, that is; see below.)
69 * The header files we install now assume ANSI/ISO C ('89, not '99).
70 We have stopped testing on SunOS 4, even with gcc. Some of our code
71 now has C89-based assumptions, like free(NULL) being well defined,
72 that will probably frustrate any attempts to run this code under SunOS
73 4 or other pre-C89 systems.
75 * Some new code, bug fixes, and cleanup for IPv6 support. Most of the
76 code should support IPv6 transparently now. The RPC code (and
77 therefore the admin system, which is based on it) does not yet
78 support IPv6. The support for Kerberos 4 may work with IPv6 in very
79 limited ways, if the address checking is turned off. The FTP client
80 and server do not have support for the new protocol messages needed
81 for IPv6 support (RFC 2429).
83 * We have upgraded to autoconf 2.52 (or later), and the syntax for
84 specifying certain configuration options have changed. For example,
85 autoconf 2.52 configure scripts let you specify command-line options
86 like "configure CC=/some/path/foo-cc", so we have removed some of
87 our old options like --with-cc in favor of this approach.
89 * The client libraries can now use TCP to connect to the KDC. This
90 may be necessary when talking to Microsoft KDCs (domain controllers),
91 if they issue you tickets with lots of PAC data.
93 * If you have versions of the com_err, ss, or Berkeley DB packages
94 installed locally, you can use the --with-system-et,
95 --with-system-ss, and --with-system-db configure options to use them
96 rather than using the versions supplied here. Note that the
97 interfaces are assumed to be similar to those we supply; in
98 particular, some older, divergent versions of the com_err library
99 may not work with the krb5 sources. Many configure-time variables
100 can be used to help the compiler and linker find the installed
101 packages; see the build documentation for details.
103 We have not tested this change with version 4 of the Berkeley DB
106 * The AES cryptosystem has been implemented. However, support in the
107 Kerberos GSSAPI mechanism has not been written (or even fully
108 specified), so it's not fully enabled. See the documentation for
111 Major changes listed by ticket ID
112 ---------------------------------
114 * [492] PRNG breakage on 64-bit platforms no longer an issue due to
115 new PRNG implementation.
117 * [523] Client library is now compatible with the RC4-based
118 cryptosystem used by Windows 2000.
120 * [709] krb4 long lifetime support has been implemented.
122 * [880] krb5_gss_register_acceptor_identity() implemented (is called
123 gsskrb5_register_acceptor_identity() by Heimdal).
125 * [1087] ftpd no longer requires channel bindings, allowing easier use
126 of ftp from behind a NAT.
128 * [1156, 1209] It is now possible to use the system com_err to build
131 * [1174] TCP support added to client library.
133 * [1175] TCP support added to the KDC, but is disabled by default.
135 * [1176] autoconf-2.5x is now required by the build system.
137 * [1184] It is now possible to use the system Berkeley/Sleepycat DB
138 library to build this release.
140 * [1189, 1251] The KfM krb4 library source base has been merged.
142 * [1190] The default KDC master key type is now triple-DES. KDCs
143 being updated may need their config files updated if they are not
144 already specifying the master key type.
146 * [1190] The default ticket lifetime and default maximum renewable
147 ticket lifetime have been extended to one day and one week,
150 * [1191] A new script, k5srvutil, may be used to manipulate keytabs in
151 ways similar to the krb4 ksrvutil utility.
153 * [1281] The "fakeka" program, which emulates the AFS kaserver, has
154 been integrated. Thanks to Ken Hornstein.
156 * [1343] The KDC now defaults to not answering krb4 requests.
158 * [1344] Addressless tickets are requested by default now.
160 * [1372] There is no longer a need to create a special keytab for
161 kadmind. The legacy administration daemons "kadmind4" and
162 "v5passwdd" will still require a keytab, though.
164 * [1377, 1442, 1443] The Microsoft set-password protocol has been
165 implemented. Thanks to Paul Nelson.
167 * [1385, 1395, 1410] The krb4 protocol vulnerabilities
168 [MITKRB5-SA-2003-004] have been worked around. Note that this will
169 disable krb4 cross-realm functionality, as well as krb4 triple-DES
170 functionality. Please see doc/krb4-xrealm.txt for details of the
173 * [1393] The xdrmem integer overflows [MITKRB5-SA-2003-003] have
176 * [1397] The krb5_principal buffer bounds problems
177 [MITKRB5-SA-2003-005] have been fixed. Thanks to Nalin Dahyabhai.
179 * [1415] Subsession key negotiation has been fixed to allow for
180 server-selected subsession keys in the future.
182 * [1418, 1429, 1446, 1484, 1486, 1487, 1535] The AES cryptosystem has
183 been implemented. It is not usable for GSSAPI, though.
185 * [1491] The client-side functionality of the krb524 library has been
186 moved into the krb5 library.
188 * [1550] SRV record support exists for Kerberos v4.
190 * [1551] The heuristic for locating the Kerberos v4 KDC by prepending
191 "kerberos." to the realm name if no config file or DNS information
192 is available has been removed.
194 * [1568, 1067] A krb524 stub library is built on Windows.
196 Minor changes listed by ticket ID
197 ---------------------------------
199 * [90] default_principal_flags documented.
201 * [175] Docs refer to appropriate example domains/IPs now.
203 * [299] kadmin no longer complains about missing kdc.conf parameters
204 when it really means krb5.conf parameters.
206 * [318] Run-time load path for tcl is set now when linking test
209 * [443] --includedir honored now.
211 * [479] unused argument in try_krb4() in login.c deleted.
213 * [590] The des_read_pw_string() function in libdes425 has been
214 aligned with the original krb4 and CNS APIs.
216 * [608] login.krb5 handles SIGHUP more sanely now and thus avoids
217 getting the session into a weird state w.r.t. job control.
219 * [620] krb4 encrypted rcp should work a little better now. Thanks to
222 * [647] libtelnet/kerberos5.c no longer uses internal include files.
224 * [673] Weird echoing of admin password in kadmin client worked around
225 by not using buffered stdio calls to read passwords.
227 * [677] The build system has been reworked to allow the user to set
228 CFLAGS, LDFLAGS, CPPFLAGS, etc. reasonably.
230 * [680] Related to [673], rewrite krb5_prompter_posix() to no longer
231 use longjmp(), thus avoiding some bugs relating to non-restoration
232 of terminal settings.
234 * [697] login.krb5 no longer zeroes out the terminal window size.
236 * [710] decomp_ticket() in libkrb4 now looks up the local realm name
237 more correctly. Thanks to Booker Bense.
239 * [771] .rconf files are excluded from the release now.
241 * [772] LOG_AUTHPRIV syslog facility is now usable for logging on
242 systems that support it.
244 * [844] krshd now syslogs using the LOG_AUTH facility.
246 * [850] Berekely DB build is better integrated into the krb5 library
249 * [866] lib/krb5/os/localaddr.c and kdc/network.c use a common source
250 for local address enumeration now.
252 * [919] kdc/network.c problems relating to SIOCGIFCONF have been
255 * [922] An overflow in the string-to-time conversion routines has been
258 * [935] des-cbc-md4 now included in default enctypes.
260 * [939] A minor grammatical error has been fixed in a telnet client
263 * [953] des3 no longer failing on Windows due to SHA1 implementation
266 * [964] kdb_init_hist() no longer fails if master_key_enctype is not
267 in supported_enctypes.
269 * [970] A minor inconsistency in ccache.tex has been fixed.
271 * [971] option parsing bugs rendered irrelevant by removal of unused
274 * [986] Related to [677], problems with the ordering of LDFLAGS
275 initialization rendered irrelevant by use of native autoconf
278 * [992] Related to [677], quirks with --with-cc no longer relevant as
279 AC_PROG_CC is used instead now.
281 * [999] The kdc_default_options configuration variable is now honored.
282 Thanks to Emily Ratliff.
284 * [1006] Client library, as well as KDC, now perform reasonable
285 sorting of ETYPE-INFO preauthentication data.
287 * [1055] NULL pointer dereferences in code calling
288 krb5_change_password() have been fixed.
290 * [1063] Initial credentials acquisition failures related to client
291 host having a large number of local network interfaces should be
294 * [1064] Incorrect option parsing in the gssapi library is no longer
295 relevant due to removal of the "v2" mechanism.
297 * [1065, 1225] krb5_get_init_creds_password() should properly warn about
300 * [1066] printf() argument mismatches in rpc unit tests fixed.
302 * [1102] gssapi_generic.h should now work with C++.
304 * [1136] Some documentation for the setup of cross-realm
305 authentication has been added.
307 * [1164] krb5_auth_con_gen_addrs() now properly returns errno instead
308 of -1 if getpeername() fails.
310 * [1173] Address-less forwardable tickets will remain address-less
313 * [1178, 1228, 1244, 1246, 1249] Test suite has been stabilized
316 * [1188] As part of the modernization of our usage of autoconf,
317 AC_CONFIG_FILES is now used instead of passing a list of files to
320 * [1194] configure will no longer recurse out of the top of the source
321 tree when attempting to locate the top of the source tree.
323 * [1192] Documentation for the krb5 afs functionality of krb524d has
326 * [1195] Example krb5.conf file modified to include all enctypes
327 supported by the release.
329 * [1202] The KDC no longer rejects unrecognized flags.
331 * [1211] The ASN.1 code no longer passes (harmless) uninitialized
334 * [1212] libkadm5 now allows for persistent exclusive database locks.
336 * [1217] krb5_read_password() and des_read_password() are now
337 implemented via krb5_prompter_posix().
339 * [1224] For SAM challenges, omitted optional strings are no longer
340 encoded as zero-length strings.
342 * [1226] Client-side support for SAM hardware-based preauth
345 * [1229] The keytab search logic no longer fails prematurely if an
346 incorrect encryption type is found. Thanks to Wyllys Ingersoll.
348 * [1232] If the master KDC cannot be resolved, but a slave is
349 reachable, the client library now returns the real error from the
350 slave rather than the resolution failure from the master. Thanks to
353 * [1234] Assigned numbers for SAM preauth have been corrected.
354 sam-pk-for-sad implementation has been aligned.
356 * [1237] Profile-sharing optimizations from KfM have been merged.
358 * [1240] Windows calling conventions for krb5int_c_combine_keys() have
361 * [1242] Build system incompatibilities with Debian's chimeric
362 autoconf installation have been worked around.
364 * [1256] Incorrect sizes passed to memset() in combine_keys()
365 operations have been corrected.
367 * [1260] Client credential lookup now gets new service tickets in
368 preference to attempting to use expired ticketes. Thanks to Ben
371 * [1262, 1572] Sequence numbers are now unsigned; negative sequence
372 numbers will be accepted for the purposes of backwards
375 * [1263] A heuristic for matching the incorrectly encoded sequence
376 numbers emitted by Heimdal implementations has been written.
378 * [1284] kshd accepts connections by IPv6 now.
380 * [1292] kvno manpage title fixed.
382 * [1293] Source files no longer explicitly attempt to declare errno.
384 * [1304] kadmind4 no longer leaves sa_flags uninitialized.
386 * [1305] Expired tickets now cause KfM to pop up a password dialog.
388 * [1309] krb5_send_tgs() no longer leaks the storage associated with
391 * [1310] kadm5_get_either() no longer leaks regexp library memory.
393 * [1311] Output from krb5-config no longer contains spurious uses of
396 * [1324] The KDC no longer logs an inappropriate "no matching key"
397 error when an encrypted timestamp preauth password is incorrect.
399 * [1334] The KDC now returns a clockskew error when the timestamp in
400 the encrypted timestamp preauth is out of bounds, rather than just
401 returning a preauthentcation failure.
403 * [1342] gawk is no longer required for building kerbsrc.zip for the
406 * [1346] gss_krb5_ccache_name() no longer attempts to return a pointer
409 * [1351] The filename globbing vulnerability [CERT VU#258721] in the
410 ftp client's handling of filenames beginning with "|" or "-"
411 returned from the "mget" command has been fixed.
413 * [1352] GSS_C_PROT_READY_FLAG is no longer asserted inappropriately
414 during GSSAPI context establishment.
416 * [1356] krb5_gss_accept_sec_context() no longer attempts to validate
417 a null credential if one is passed in.
419 * [1362] The "-a user" option to telnetd now does the right thing.
420 Thanks to Nathan Neulinger.
422 * [1363] ksu no longer inappropriately syslogs to stderr.
424 * [1357] krb__get_srvtab_name() no longer leaks memory.
426 * [1373] Handling of SAM preauth no longer attempts to stuff a size_t
427 into an unsigned int.
429 * [1387] BIND versions later than 8 now supported.
431 * [1392] The getaddrinfo() wrapper should work better on AIX.
433 * [1400] If DO_TIME is not set in the auth_context, and no replay
434 cache is available, no replay cache will be used.
436 * [1406, 1108] libdb is no longer installed. If you installed
437 krb5-1.3-alpha1, you should ensure that no spurious libdb is left in
440 * [1412] ETYPE_INFO handling no longer goes into an infinite loop.
442 * [1414] libtelnet is now built using the same library build framework
443 as the rest of the tree.
445 * [1417] A minor memory leak in krb5_read_password() has been fixed.
447 * [1419] A memory leak in asn1_decode_kdc_req_body() has been fixed.
449 * [1435] inet_ntop() is now emulated when needed.
451 * [1439] krb5_free_pwd_sequences() now correctly frees the entire
452 sequence of elements.
454 * [1440] errno is no longer explicitly declared.
456 * [1441] kadmind should now return useful errors if an unrecognized
457 version is received in a changepw request.
459 * [1454, 1480, 1517, 1525] The etype-info2 preauth type is now
462 * [1459] (KfM/KLL internal) config file resolution can now be
463 prevented from accessing the user's homedir.
465 * [1463] Preauth handling in the KDC has been reorganized.
467 * [1470] Double-free in client-side preauth code fixed.
469 * [1473] Ticket forwarding when the TGS and the end service have
470 different enctypes should work somewhat better now.
472 * [1474] ASN.1 testsuite memory management has been cleaned up a
473 little to allow for memory leak checking.
475 * [1476] Documentation updated to reflect default krb4 mode.
477 * [1482] RFC-1964 OIDs now provided using the suggested symbolic
480 * [1483, 1528] KRB5_DEPRECATED is now false by default on all
483 * [1488] The KDC will now return integrity errors if a decryption
484 error is responsible for preauthentication failure.
486 * [1492] The autom4te.cache directories are now deleted from the
489 * [1501] Writable keytabs are registered by default.
491 * [1515] The check for cross-realm TGTs no longer reads past the end
494 * [1518] The kdc_default_options option is now actually honored.
496 * [1519] The changepw protocol implementation in kadmind now logs
499 * [1520] Documentation of OS-specific build options has been updated.
501 * [1536] A missing prototype for krb5_db_iterate_ext() has been
504 * [1537] An incorrect path to kdc.conf show in the kdc.conf manpage
507 * [1540] verify_as_reply() will only check the "renew-till" time
508 against the "till" time if the RENEWABLE is not set in the request.
510 * [1547] gssftpd no longer uses vfork(), as this was causing problems
513 * [1549] SRV records with a value of "." are now interpreted as a lack
514 of support for the protocol.
516 * [1553] The undocumented (and confusing!) kdc_supported_enctypes
517 kdc.conf variable is no longer used.
519 * [1560] Some spurious double-colons in password prompts have been
522 * [1571] The test suite tries a little harder to get a root shell.
524 * [1573] The KfM build process now sets localstatedir=/var/db.
526 * [1576, 1575] The client library no longer requests RENEWABLE_OK if
527 the renew lifetime is greater than the ticket lifetime.
529 * [1587] A more standard autoconf test to locate the C compiler allows
530 for gcc to be found by default without additional configuration
533 * [1593] Replay cache filenames are now escaped with hyphens, not
536 * [1598] MacOS 9 support removed from in-tree com_err.
538 * [1602] Fixed a memory leak in make_ap_req_v1(). Thanks to Kent Wu.
540 * [1604] Fixed a memory leak in krb5_gss_init_sec_context(), and an
541 uninitialized memory reference in kg_unseal_v1(). Thanks to Kent
544 * [1610] Fixed AES credential delegation under GSSAPI.
546 --[ DELETE BEFORE RELEASE ---changes to unreleased code, etc.--- ]--
548 * [1054] KRB-CRED messages for RC4 are encrypted now.
550 * [1177] krb5-1-2-2-branch merged onto trunk.
552 * [1193] Punted comment about reworking key storage architecture.
554 * [1208] install-headers target implemented.
556 * [1223] asn1_decode_oid, asn1_encode_oid implemented
558 * [1248] RC4 is explicitly excluded from combine_keys.
560 * [1276] Generated dependencies handle --without-krb4 properly now.
562 * [1339] An inadvertent change to the krb4 get_adm_hst API (strcpy vs
563 strncpy etc.) has been fixed.
565 * [1384, 1413] Use of autoconf-2.52 in util/reconf will now cause a
568 * [1388] DNS support is turned on in KfM.
570 * [1391] Fix kadmind startup failure with krb4 vuln patch.
572 * [1409] get_ad_tkt() now prompts for password if there are no tickets
575 * [1447] vts_long() and vts_short() work now.
577 * [1462] KfM adds exports of set_pw calls.
579 * [1477] compile_et output not used in err_txt.c.
581 * [1495] KfM now exports string_to_key_with_params.
583 * [1512, 1522] afs_string_to_key now works with etype_info2.
585 * [1514] krb5int_populate_gic_opt returns void now.
587 * [1521] Using an afs3 salt for an AES key no longer causes
590 * [1533] krb524.h no longer contains invalid Mac pragmas.
592 * [1546] krb_mk_req_creds() no longer zeros the session key.
594 * [1554] The krb4 string-to-key iteration now accounts correctly for
595 the decrypt-in-place semantics of libdes425.
597 * [1557] KerberosLoginPrivate.h is now correctly included for the use
598 of __KLAllowHomeDirectoryAccess() in init_os_ctx.c (for KfM).
600 * [1558] KfM exports the new krb524 interface.
602 * [1563] krb__get_srvtaname() no longer returns a pointer that is
603 free()d upon a subsequent call.
605 * [1569] A debug statement has been removed from krb524init.
607 * [1594] Darwin gets an explicit dependency of err_txt.o on
610 * [1596] Calling conventions, etc. tweaked for KfW build of
613 * [1605] Fixed a leak of subkeys in krb5_rd_rep().
615 Copyright Notice and Legal Administrivia
616 ----------------------------------------
618 Copyright (C) 1985-2003 by the Massachusetts Institute of Technology.
622 Export of this software from the United States of America may require
623 a specific license from the United States Government. It is the
624 responsibility of any person or organization contemplating export to
625 obtain such a license before exporting.
627 WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
628 distribute this software and its documentation for any purpose and
629 without fee is hereby granted, provided that the above copyright
630 notice appear in all copies and that both that copyright notice and
631 this permission notice appear in supporting documentation, and that
632 the name of M.I.T. not be used in advertising or publicity pertaining
633 to distribution of the software without specific, written prior
634 permission. Furthermore if you modify this software you must label
635 your software as modified software and not distribute it in such a
636 fashion that it might be confused with the original MIT software.
637 M.I.T. makes no representations about the suitability of this software
638 for any purpose. It is provided "as is" without express or implied
641 THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
642 IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
643 WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
645 Individual source code files are copyright MIT, Cygnus Support,
646 OpenVision, Oracle, Sun Soft, FundsXpress, and others.
648 Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira,
649 and Zephyr are trademarks of the Massachusetts Institute of Technology
650 (MIT). No commercial use of these trademarks may be made without
651 prior written permission of MIT.
653 "Commercial use" means use of a name in a product or other for-profit
654 manner. It does NOT prevent a commercial firm from referring to the
655 MIT trademarks in order to convey information (although in doing so,
656 recognition of their trademark status should be given).
660 The following copyright and permission notice applies to the
661 OpenVision Kerberos Administration system located in kadmin/create,
662 kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions
665 Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved
667 WARNING: Retrieving the OpenVision Kerberos Administration system
668 source code, as described below, indicates your acceptance of the
669 following terms. If you do not agree to the following terms, do not
670 retrieve the OpenVision Kerberos administration system.
672 You may freely use and distribute the Source Code and Object Code
673 compiled from it, with or without modification, but this Source
674 Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY,
675 INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR
676 FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER
677 EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY
678 FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF
679 SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR
680 CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING,
681 WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE
682 CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY
685 OpenVision retains all copyrights in the donated Source Code. OpenVision
686 also retains copyright to derivative works of the Source Code, whether
687 created by OpenVision or by a third party. The OpenVision copyright
688 notice must be preserved if derivative works are made based on the
691 OpenVision Technologies, Inc. has donated this Kerberos
692 Administration system to MIT for inclusion in the standard
693 Kerberos 5 distribution. This donation underscores our
694 commitment to continuing Kerberos technology development
695 and our gratitude for the valuable work which has been
696 performed by MIT and the Kerberos community.
700 Portions contributed by Matt Crawford <crawdad@fnal.gov> were
701 work performed at Fermi National Accelerator Laboratory, which is
702 operated by Universities Research Association, Inc., under
703 contract DE-AC02-76CHO3000 with the U.S. Department of Energy.
705 ---- The implementation of the Yarrow pseudo-random number generator
706 in src/lib/crypto/yarrow has the following copyright:
708 Copyright 2000 by Zero-Knowledge Systems, Inc.
710 Permission to use, copy, modify, distribute, and sell this software
711 and its documentation for any purpose is hereby granted without fee,
712 provided that the above copyright notice appear in all copies and that
713 both that copyright notice and this permission notice appear in
714 supporting documentation, and that the name of Zero-Knowledge Systems,
715 Inc. not be used in advertising or publicity pertaining to
716 distribution of the software without specific, written prior
717 permission. Zero-Knowledge Systems, Inc. makes no representations
718 about the suitability of this software for any purpose. It is
719 provided "as is" without express or implied warranty.
721 ZERO-KNOWLEDGE SYSTEMS, INC. DISCLAIMS ALL WARRANTIES WITH REGARD TO
722 THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
723 FITNESS, IN NO EVENT SHALL ZERO-KNOWLEDGE SYSTEMS, INC. BE LIABLE FOR
724 ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
725 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
726 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTUOUS ACTION, ARISING OUT
727 OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
729 ---- The implementation of the AES encryption algorithm in
730 src/lib/crypto/aes has the following copyright:
732 Copyright (c) 2001, Dr Brian Gladman <brg@gladman.uk.net>, Worcester, UK.
737 The free distribution and use of this software in both source and binary
738 form is allowed (with or without changes) provided that:
740 1. distributions of this source code include the above copyright
741 notice, this list of conditions and the following disclaimer;
743 2. distributions in binary form include the above copyright
744 notice, this list of conditions and the following disclaimer
745 in the documentation and/or other associated materials;
747 3. the copyright holder's name is not used to endorse products
748 built using this software without specific written permission.
752 This software is provided 'as is' with no explcit or implied warranties
753 in respect of any properties, including, but not limited to, correctness
754 and fitness for purpose.
761 Appreciation Time!!!! There are far too many people to try to thank
762 them all; many people have contributed to the development of Kerberos
763 V5. This is only a partial listing....
765 Thanks to Paul Vixie and the Internet Software Consortium for funding
766 the work of Barry Jaspan. This funding was invaluable for the OV
767 administration server integration, as well as the 1.0 release
770 Thanks to John Linn, Scott Foote, and all of the folks at OpenVision
771 Technologies, Inc., who donated their administration server for use in
772 the MIT release of Kerberos.
774 Thanks to Jeff Bigler, Mark Eichin, Marc Horowitz, Nancy Gilman, Ken
775 Raeburn, and all of the folks at Cygnus Support, who provided
776 innumerable bug fixes and portability enhancements to the Kerberos V5
777 tree. Thanks especially to Jeff Bigler, for the new user and system
778 administrator's documentation.
780 Thanks to Doug Engert from ANL for providing many bug fixes, as well
781 as testing to ensure DCE interoperability.
783 Thanks to Ken Hornstein at NRL for providing many bug fixes and
784 suggestions, and for working on SAM preauthentication.
786 Thanks to Matt Crawford at FNAL for bugfixes and enhancements.
788 Thanks to Sean Mullan and Bill Sommerfeld from Hewlett Packard for
789 their many suggestions and bug fixes.
791 Thanks to Nalin Dahyabhai of RedHat and Chris Evans for locating and
792 providing patches for numerous buffer overruns.
794 Thanks to Christopher Thompson and Marcus Watts for discovering the
797 Thanks to Paul Nelson of Thursby Software Systems for implementing the
798 Microsoft set password protocol.
800 Thanks to the members of the Kerberos V5 development team at MIT, both
801 past and present: Danilo Almeida, Jay Berkenbilt, Richard Basch, Mitch
802 Berger, John Carr, Don Davis, Alexandra Ellwood, Nancy Gilman, Matt
803 Hancher, Sam Hartman, Paul Hill, Marc Horowitz, Eva Jacobus, Miroslav
804 Jurisic, Barry Jaspan, Geoffrey King, John Kohl, Peter Litwack, Scott
805 McGuire, Kevin Mitchell, Cliff Neuman, Paul Park, Ezra Peisach, Chris
806 Provenzano, Ken Raeburn, Jon Rochlis, Jeff Schiller, Jen Selby, Brad
807 Thompson, Harry Tsai, Ted Ts'o, Marshall Vale, Tom Yu.