Kerberos Version 5, Release 1.9

Copyright and Other Notices
---------------------------

Copyright (C) 1985-2010 by the Massachusetts Institute of Technology
and its contributors. All rights reserved.

Please see the file named NOTICE for additional notices.

Building and Installing Kerberos 5
----------------------------------

The first file you should look at is doc/install-guide.ps; it contains
the notes for building and installing Kerberos 5. The info file
krb5-install.info has the same information in info file format. You
can view this using the GNU emacs info-mode, or by using the
standalone info file viewer from the Free Software Foundation. This
is also available as an HTML file, install.html.

Other good files to look at are admin-guide.ps and user-guide.ps,
which contain the system administrator's guide, and the user's guide,
respectively. They are also available as info files
kerberos-admin.info and krb5-user.info, respectively. These files are
also available as HTML files.

If you are attempting to build under Windows, please see the
src/windows/README file.

Please report any problems/bugs/comments using the krb5-send-pr
program. The krb5-send-pr program will be installed in the sbin
directory once you have successfully compiled and installed Kerberos
V5 (or if you have installed one of our binary distributions).

If you are not able to use krb5-send-pr because you haven't been able
to compile and install Kerberos V5 on any platform, you may send mail to

You may view bug reports by visiting

http://krbdev.mit.edu/rt/

and logging in as "guest" with password "guest".

The Data Encryption Standard (DES) is widely recognized as weak. The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems. Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.

* Fix MITKRB5-SA-2010-007 checksum vulnerabilities (CVE-2010-1324 and others)

* Python-based testing framework

* Account lockout performance improvements -- allow disabling of some
  account lockout functionality to reduce the number of write
  operations to the database during authentication

Administrator experience:

* Trace logging -- for easier diagnosis of configuration problems

* Support for purging old keys (e.g. from "cpw -randkey -keepold")

* Plugin interface for password sync -- based on proposed patches by
  Russ Allbery that support his krb5-sync package

* Plugin interface for password quality checks -- enables pluggable
  password quality checks similar to Russ Allbery's krb5-strength

* Configuration file validator

* KDC support for SecurID preauthentication -- This is the old SAM-2
  protocol, implemented to support existing deployments, not the
  in-progress FAST-OTP work.

* IAKERB -- a mechanism for tunneling Kerberos KDC transactions over
  GSS-API, enabling clients to authenticate to services even when the
  clients cannot directly reach the KDC that serves the services.

* Camellia encryption (experimental; disabled by default)

krb5-1.9 changes by ticket ID
-----------------------------

1219    mechanism to delete old keys should exist
2032    No advanced warning of password expiry
5014    kadmin (and other utilities) should report enctypes as it takes them
6647    Memory leak in kdc
6672    Python test framework
6679    Lazy history key creation
6684    Simple kinit verbosity patch
6686    IPv6 support for kprop and kpropd
6688    mit-krb5-1.7 fails to compile against openssl-1.0.0
6699    Validate and renew should work on non-TGT creds
6700    Introduce new krb5_tkt_creds API
6712    Add IAKERB mechanism and gss_acquire_cred_with_password
6714    [patch] fix format errors in krb5-1.8.1
6715    cksum_body exports
6719    Add lockout-related performance tuning variables
6720    Negative enctypes improperly read from keytabs
6723    Negative enctypes improperly read from ccaches
6733    Make signedpath authdata visible via GSS naming exts
6736    Add krb5_enctype_to_name() API
6746    Make kadmin work over IPv6
6749    DAL improvements
6753    Fix XDR decoding of large values in xdr_u_int
6755    Add GIC option for password/account expiration callback
6758    Allow krb5_gss_register_acceptor_identity to unset keytab name
6760    Fail properly when profile can't be accessed
6761    add profile include support
6762    key expiration computed incorrectly in libkdb_ldap
6763    New plugin infrastructure
6765    Password quality pluggable interface
6769    clean up memory leak and potential unused variable in crypto tests
6771    Fix memory leaks in kdb5_verify
6772    Ensure valid key in krb5int_yarrow_cipher_encrypt_block
6774    pkinit client cert matching can be disrupted by one of the
6775    pkinit <KU> evaluation during certificate matching may fail
6776    Typos in src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
6777    Segmentation fault in krb library (sn2princ.c) if realm not resolved
6778    kdb: store mkey list in context and permit NULL mkey for
        kdb_dbe_decrypt_key_data
6779    kinit: add KDB keytab support
6783    KDC worker processes feature
6784    relicense Sun RPC to 3-clause BSD-style
6785    Add gss_krb5_import_cred
6786    kpasswd: if a credential cache is present, use FAST
6791    kadm5_hook: new plugin interface
6792    Implement k5login_directory and k5login_authoritative options
6793    acquire_init_cred leaks interned name
6795    Propagate modprinc -unlock from master to slave KDCs
6796    segfault due to uninitialized variable in S4U
6799    Performance issue in LDAP policy fetch
6801    Fix leaks in get_init_creds interface
6802    copyright notice updates
6804    Remove KDC replay cache
6805    securID code fixes
6806    securID error handling fix
6807    SecurID build support
6809    gss_krb5int_make_seal_token_v3_iov fails to set conf_state
6810    Better libk5crypto NSS fork safety
6811    Mark Camellia-CCM code as experimental
6812    krb5_get_credentials should not fail due to inability to store
        a credential in a cache
6815    Failed kdb5_util load removes real database
6819    Handle referral realm in kprop client principal
6820    Read KDC profile settings in kpropd
6822    Implement Camellia-CTS-CMAC instead of Camellia-CCM
6823    getdate.y: declare yyparse
6824    Export krb5_tkt_creds_get
6825    Add missing KRB5_CALLCONV in callback declaration
6826    Fix Windows build
6827    SA-2010-007 Checksum vulnerabilities (CVE-2010-1324 and others)
6828    Install kadm5_hook_plugin.h
6829    Implement restrict_anonymous_to_tgt realm flag
6838    Regression in renewable handling
6839    handle MS PACs that lack server checksum
6840    typo in plugin-related error message
6841    memory leak in changepw.c
6842    Ensure time() is prototyped in g_accept_sec_context.c

Past and present Sponsors of the MIT Kerberos Consortium:

    Carnegie Mellon University
    The Department of Defense of the United States of America (DoD)
    Iowa State University
    Michigan State University
    The National Aeronautics and Space Administration
        of the United States of America (NASA)
    Network Appliance (NetApp)
    Nippon Telephone and Telegraph (NTT)
    Pennsylvania State University
    The University of Alaska
    The University of Michigan
    The University of Pennsylvania

Past and present members of the Kerberos Team at MIT:

The following external contributors have provided code, patches, bug
reports, suggestions, and valuable resources:

    Christopher D. Clausen
    Love Hörnquist Åstrand
    Jan iankko Lieskovsky

The above is not an exhaustive list; many others have contributed in
various ways to the MIT Kerberos development effort over the years.
Other acknowledgments (for bug reports and patches) are in the