Kerberos Version 5, Release 1.9

Copyright and Other Notices
---------------------------

Copyright (C) 1985-2010 by the Massachusetts Institute of Technology
and its contributors. All rights reserved.

Please see the file named NOTICE for additional notices.

Building and Installing Kerberos 5
----------------------------------

The first file you should look at is doc/install-guide.ps; it contains
the notes for building and installing Kerberos 5. The info file
krb5-install.info has the same information in info file format. You
can view this using the GNU emacs info-mode, or by using the
standalone info file viewer from the Free Software Foundation. This
is also available as an HTML file, install.html.

Other good files to look at are admin-guide.ps and user-guide.ps,
which contain the system administrator's guide, and the user's guide,
respectively. They are also available as info files
kerberos-admin.info and krb5-user.info, respectively. These files are
also available as HTML files.

If you are attempting to build under Windows, please see the
src/windows/README file.

Please report any problems/bugs/comments using the krb5-send-pr
program. The krb5-send-pr program will be installed in the sbin
directory once you have successfully compiled and installed Kerberos
V5 (or if you have installed one of our binary distributions).

If you are not able to use krb5-send-pr because you haven't been able
to compile and install Kerberos V5 on any platform, you may send mail to

You may view bug reports by visiting

http://krbdev.mit.edu/rt/

and logging in as "guest" with password "guest".

The Data Encryption Standard (DES) is widely recognized as weak. The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems. Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.

* Python-based testing framework

* Account lockout performance improvements

Administrator experience:

* Plugin interface for password sync
* Plugin interface for password quality checks
* Configuration file validator
* KDC support for SecurID preauthentication

* Camellia encryption (experimental; disabled by default)

krb5-1.9 changes by ticket ID
-----------------------------

1219 mechanism to delete old keys should exist
2032 No advanced warning of password expiry
5014 kadmin (and other utilities) should report enctypes as it takes them
6647 Memory leak in kdc
6672 Python test framework
6679 Lazy history key creation
6684 Simple kinit verbosity patch
6686 IPv6 support for kprop and kpropd
6688 mit-krb5-1.7 fails to compile against openssl-1.0.0
6699 Validate and renew should work on non-TGT creds
6700 Introduce new krb5_tkt_creds API
6712 Add IAKERB mechanism and gss_acquire_cred_with_password
6714 [patch] fix format errors in krb5-1.8.1
6715 cksum_body exports
6719 Add lockout-related performance tuning variables
6720 Negative enctypes improperly read from keytabs
6723 Negative enctypes improperly read from ccaches
6733 Make signedpath authdata visible via GSS naming exts
6736 Add krb5_enctype_to_name() API
6746 Make kadmin work over IPv6
6749 DAL improvements
6753 Fix XDR decoding of large values in xdr_u_int
6755 Add GIC option for password/account expiration callback
6758 Allow krb5_gss_register_acceptor_identity to unset keytab name
6760 Fail properly when profile can't be accessed
6761 add profile include support
6762 key expiration computed incorrectly in libkdb_ldap
6763 New plugin infrastructure
6765 Password quality pluggable interface
6769 clean up memory leak and potential unused variable in crypto tests
6771 Fix memory leaks in kdb5_verify
6772 Ensure valid key in krb5int_yarrow_cipher_encrypt_block
6774 pkinit client cert matching can be disrupted by one of the
6775 pkinit <KU> evaluation during certificate matching may fail
6776 Typos in src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
6777 Segmentation fault in krb library (sn2princ.c) if realm not resolved
6778 kdb: store mkey list in context and permit NULL mkey for
     kdb_dbe_decrypt_key_data
6779 kinit: add KDB keytab support
6783 KDC worker processes feature
6784 relicense Sun RPC to 3-clause BSD-style
6785 Add gss_krb5_import_cred
6786 kpasswd: if a credential cache is present, use FAST
6791 kadm5_hook: new plugin interface
6792 Implement k5login_directory and k5login_authoritative options
6793 acquire_init_cred leaks interned name
6795 Propagate modprinc -unlock from master to slave KDCs
6796 segfault due to uninitialized variable in S4U
6799 Performance issue in LDAP policy fetch
6801 Fix leaks in get_init_creds interface
6802 copyright notice updates
6804 Remove KDC replay cache
6805 securID code fixes
6806 securID error handling fix
6807 SecurID build support
6809 gss_krb5int_make_seal_token_v3_iov fails to set conf_state
6810 Better libk5crypto NSS fork safety
6811 Mark Camellia-CCM code as experimental
6812 krb5_get_credentials should not fail due to inability to store
     a credential in a cache
6815 Failed kdb5_util load removes real database
6819 Handle referral realm in kprop client principal
6820 Read KDC profile settings in kpropd
6822 Implement Camellia-CTS-CMAC instead of Camellia-CCM
6823 getdate.y: declare yyparse
6824 Export krb5_tkt_creds_get
6825 Add missing KRB5_CALLCONV in callback declaration
6826 Fix Windows build
6827 SA-2010-007 Checksum vulnerabilities (CVE-2010-1324 and others)
6828 Install kadm5_hook_plugin.h
6829 Implement restrict_anonymous_to_tgt realm flag

Past and present Sponsors of the MIT Kerberos Consortium:

    Carnegie Mellon University
    The Department of Defense of the United States of America (DoD)
    Iowa State University
    Michigan State University
    The National Aeronautics and Space Administration
     of the United States of America (NASA)
    Network Appliance (NetApp)
    Nippon Telephone and Telegraph (NTT)
    Pennsylvania State University
    The University of Alaska
    The University of Michigan
    The University of Pennsylvania

Past and present members of the Kerberos Team at MIT:

The following external contributors have provided code, patches, bug
reports, suggestions, and valuable resources:

    Christopher D. Clausen
    Love Hörnquist Åstrand
    Jan iankko Lieskovsky

The above is not an exhaustive list; many others have contributed in
various ways to the MIT Kerberos development effort over the years.
Other acknowledgments (for bug reports and patches) are in the