Kerberos Version 5, Release 1.3

Unpacking the Source Distribution
---------------------------------

The source distribution of Kerberos 5 comes in three gzipped tarfiles,
krb5-1.3.src.tar.gz, krb5-1.3.doc.tar.gz, and krb5-1.3.crypto.tar.gz.
The krb5-1.3.doc.tar.gz contains the doc/ directory and this README
file. The krb5-1.3.src.tar.gz contains the src/ directory and this
README file, except for the crypto library sources, which are in
krb5-1.3.crypto.tar.gz.

Instructions on how to extract the entire distribution follow. These
directions assume that you want to extract into a directory called

If you have the GNU tar program and gzip installed, you can simply do:

    gtar zxpf krb5-1.3.src.tar.gz
    gtar zxpf krb5-1.3.crypto.tar.gz
    gtar zxpf krb5-1.3.doc.tar.gz

If you don't have GNU tar, you will need to get the FSF gzip
distribution and use gzcat:

    gzcat krb5-1.3.src.tar.gz | tar xpf -
    gzcat krb5-1.3.crypto.tar.gz | tar xpf -
    gzcat krb5-1.3.doc.tar.gz | tar xpf -

Both of these methods will extract the sources into DIST/krb5-1.3/src
and the documentation into DIST/krb5-1.3/doc.

Building and Installing Kerberos 5
----------------------------------

The first file you should look at is doc/install-guide.ps; it contains
the notes for building and installing Kerberos 5. The info file
krb5-install.info has the same information in info file format. You
can view this using the GNU emacs info-mode, or by using the
standalone info file viewer from the Free Software Foundation. This
is also available as an HTML file, install.html.

Other good files to look at are admin-guide.ps and user-guide.ps,
which contain the system administrator's guide, and the user's guide,
respectively. They are also available as info files
kerberos-admin.info and krb5-user.info, respectively. These files are
also available as HTML files.

If you are attempting to build under Windows, please see the
src/windows/README file.

Please report any problems/bugs/comments using the krb5-send-pr
program. The krb5-send-pr program will be installed in the sbin
directory once you have successfully compiled and installed Kerberos
V5 (or if you have installed one of our binary distributions).

If you are not able to use krb5-send-pr because you haven't been able
to compile and install Kerberos V5 on any platform, you may send mail to

You may view bug reports by visiting

    http://krbdev.mit.edu/rt/

and logging in as "guest" with password "guest".

Notes, Major Changes, and Known Bugs for 1.3
--------------------------------------------

* We now install the compile_et program, so other packages can use the
  installed com_err library with their own error tables. (If you use
  our com_err code, that is; see below.)

* The header files we install now assume ANSI/ISO C ('89, not '99).
  We have stopped testing on SunOS 4, even with gcc. Some of our code
  now has C89-based assumptions, like free(NULL) being well defined,
  that will probably frustrate any attempts to run this code under SunOS
  4 or other pre-C89 systems.

* Some new code, bug fixes, and cleanup for IPv6 support. [[TODO:
  Insert list of (non-)supporting programs and libraries here.]]

* We have upgraded to autoconf 2.52 (or later), and the syntax for
  specifying certain configuration options has changed. For example,
  autoconf 2.52 configure scripts let you specify command-line options
  like "configure CC=/some/path/foo-cc", so we have removed some of
  our old options like --with-cc in favor of this approach.

* The client libraries can now use TCP to connect to the KDC. This
  may be necessary when talking to Microsoft KDCs (domain controllers),
  if they issue you tickets with lots of PAC data.

* If you have versions of the com_err, ss, or Berkeley DB packages
  installed locally, you can use the --with-system-et,
  --with-system-ss, and --with-system-db configure options to use them
  rather than using the versions supplied here. Note that the
  interfaces are assumed to be similar to those we supply; in
  particular, some older, divergent versions of the com_err library
  may not work with the krb5 sources. Many configure-time variables
  can be used to help the compiler and linker find the installed
  packages; see the build documentation for details.

Major changes listed by ticket ID
---------------------------------

* [492] PRNG breakage on 64-bit platforms no longer an issue due to
  new PRNG implementation.

* [523] Client library is now compatible with the RC4-based
  cryptosystem used by Windows 2000.

* [709] krb4 long lifetime support has been implemented.

* [880] krb5_gss_register_acceptor_identity() implemented (is called
  gsskrb5_register_acceptor_identity() by Heimdal).

* [1156, 1209] It is now possible to use the system com_err to build

* [1174] TCP support added to client library.

* [1175] TCP support added to the KDC, but is disabled by default.

* [1176] autoconf-2.5x is now required by the build system.

* [1184] It is now possible to use the system Berkeley/Sleepycat DB
  library to build this release.

* [1189, 1251] The KfM krb4 library source base has been merged.

Minor changes listed by ticket ID
---------------------------------

* [90] default_principal_flags documented.

* [175] Docs refer to appropriate example domains/IPs now.

* [433] --includedir honored now.

* [479] unused argument in try_krb4() in login.c deleted.

* [608] login.krb5 handles SIGHUP more sanely now and thus avoids
  getting the session into a weird state w.r.t. job control.

* [620] krb4 encrypted rcp should work a little better now. Thanks to

* [673] Weird echoing of admin password in kadmin client worked around
  by not using buffered stdio calls to read passwords.

* [677] The build system has been reworked to allow the user to set
  CFLAGS, LDFLAGS, CPPFLAGS, etc. reasonably.

* [680] Related to [673], rewrite krb5_prompter_posix() to no longer
  use longjmp(), thus avoiding some bugs relating to non-restoration
  of terminal settings.

* [697] login.krb5 no longer zeroes out the terminal window size.

* [710] decomp_ticket() in libkrb4 now looks up the local realm name
  more correctly. Thanks to Booker Bense.

* [771] .rconf files are excluded from the release now.

* [850] Berkeley DB build is better integrated into the krb5 library

* [866] lib/krb5/os/localaddr.c and kdc/network.c use a common source
  for local address enumeration now.

* [919] kdc/network.c problems relating to SIOCGIFCONF have been

* [922] An overflow in the string-to-time conversion routines has been

* [935] des-cbc-md4 now included in default enctypes.

* [953] des3 no longer failing on Windows due to SHA1 implementation

* [971] option parsing bugs rendered irrelevant by removal of unused

* [986] Related to [677], problems with the ordering of LDFLAGS
  initialization rendered irrelevant by use of native autoconf

* [992] Related to [677], quirks with --with-cc no longer relevant as
  AC_PROG_CC is used instead now.

* [999] kdc_default_options now honored in gss context initialization.

* [1006] Client library, as well as KDC, now perform reasonable
  sorting of ETYPE-INFO preauthentication data.

* [1055] NULL pointer dereferences in code calling
  krb5_change_password() have been fixed.

* [1063] Initial credentials acquisition failures related to client
  host having a large number of local network interfaces should be

* [1065, 1225] krb5_get_init_creds_password() should properly warn about

* [1066] printf() argument mismatches in rpc unit tests fixed.

* [1087] ftpd no longer requires channel bindings, allowing easier use
  of ftp from behind a NAT.

* [1102] gssapi_generic.h should now work with C++.

* [1164] krb5_auth_con_gen_addrs() now properly returns errno instead
  of -1 if getpeername() fails.

* [1178, 1228, 1244, 1246, 1249] Test suite has been stabilized

* [1188] As part of the modernization of our usage of autoconf,
  AC_CONFIG_FILES is now used instead of passing a list of files to

* [1194] configure will no longer recurse out of the top of the source
  tree when attempting to locate the top of the source tree.

* [1195] Example krb5.conf file modified to include all enctypes
  supported by the release.

* [1211] The ASN.1 code no longer passes (harmless) uninitialized

* [1212] libkadm5 now allows for persistent exclusive database locks.

* [1217] krb5_read_password() and des_read_password() are now
  implemented via krb5_prompter_posix().

* [1224] For SAM challenges, omitted optional strings are no longer
  encoded as zero-length strings.

* [1226] Client-side support for SAM hardware-based preauth

* [1232] If the master KDC cannot be resolved, but a slave is
  reachable, the client library now returns the real error from the
  slave rather than the resolution failure from the master. Thanks to

* [1234] Assigned numbers for SAM preauth have been corrected.
  sam-pk-for-sad implementation has been aligned.

* [1237] Profile-sharing optimizations from KfM have been merged.

* [1240] Windows calling conventions for krb5int_c_combine_keys() have

* [1256] Incorrect sizes passed to memset() in combine_keys()
  operations have been corrected.

* [1260] Client credential lookup now gets new service tickets in
  preference to attempting to use expired tickets. Thanks to Ben

* [1284] kshd accepts connections by IPv6 now.

* [1292] kvno manpage title fixed.

* [1293] Source files no longer explicitly attempt to declare errno.

* [1304] kadmind4 no longer leaves sa_flags uninitialized.

* [1309] krb5_send_tgs() no longer leaks the storage associated with

* [1310] kadm5_get_either() no longer leaks regexp library memory.

* [1311] Output from krb5-config no longer contains spurious uses of

* [1346] gss_krb5_ccache_name() no longer attempts to return a pointer

* [1356] krb5_gss_accept_sec_context() no longer attempts to validate
  a null credential if one is passed in.

* [1357] krb__get_srvtab_name() no longer leaks memory.

* [1373] Handling of SAM preauth no longer attempts to stuff a size_t
  into an unsigned int.

[ DELETE BEFORE RELEASE ---changes to unreleased code, etc.--- ]

* [1054] KRB-CRED messages for RC4 are encrypted now.

* [1177] krb5-1-2-2-branch merged onto trunk.

* [1193] Punted comment about reworking key storage architecture.

* [1208] install-headers target implemented.

* [1223] asn1_decode_oid, asn1_encode_oid implemented

* [1276] Generated dependencies handle --without-krb4 properly now.

Copyright Notice and Legal Administrivia
----------------------------------------

Copyright (C) 1985-2003 by the Massachusetts Institute of Technology.

Export of this software from the United States of America may require
a specific license from the United States Government. It is the
responsibility of any person or organization contemplating export to
obtain such a license before exporting.

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
distribute this software and its documentation for any purpose and
without fee is hereby granted, provided that the above copyright
notice appear in all copies and that both that copyright notice and
this permission notice appear in supporting documentation, and that
the name of M.I.T. not be used in advertising or publicity pertaining
to distribution of the software without specific, written prior
permission. Furthermore if you modify this software you must label
your software as modified software and not distribute it in such a
fashion that it might be confused with the original MIT software.
M.I.T. makes no representations about the suitability of this software
for any purpose. It is provided "as is" without express or implied

THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.

Individual source code files are copyright MIT, Cygnus Support,
OpenVision, Oracle, Sun Soft, FundsXpress, and others.

Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira,
and Zephyr are trademarks of the Massachusetts Institute of Technology
(MIT). No commercial use of these trademarks may be made without
prior written permission of MIT.

"Commercial use" means use of a name in a product or other for-profit
manner. It does NOT prevent a commercial firm from referring to the
MIT trademarks in order to convey information (although in doing so,
recognition of their trademark status should be given).

The following copyright and permission notice applies to the
OpenVision Kerberos Administration system located in kadmin/create,
kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions

Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved

WARNING: Retrieving the OpenVision Kerberos Administration system
source code, as described below, indicates your acceptance of the
following terms. If you do not agree to the following terms, do not
retrieve the OpenVision Kerberos administration system.

You may freely use and distribute the Source Code and Object Code
compiled from it, with or without modification, but this Source
Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY,
INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER
EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY
FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR
CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING,
WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE
CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY

OpenVision retains all copyrights in the donated Source Code. OpenVision
also retains copyright to derivative works of the Source Code, whether
created by OpenVision or by a third party. The OpenVision copyright
notice must be preserved if derivative works are made based on the

OpenVision Technologies, Inc. has donated this Kerberos
Administration system to MIT for inclusion in the standard
Kerberos 5 distribution. This donation underscores our
commitment to continuing Kerberos technology development
and our gratitude for the valuable work which has been
performed by MIT and the Kerberos community.

Portions contributed by Matt Crawford <crawdad@fnal.gov> were
work performed at Fermi National Accelerator Laboratory, which is
operated by Universities Research Association, Inc., under
contract DE-AC02-76CHO3000 with the U.S. Department of Energy.

---- The implementation of the Yarrow pseudo-random number generator
in src/lib/crypto/yarrow has the following copyright:

Copyright 2000 by Zero-Knowledge Systems, Inc.

Permission to use, copy, modify, distribute, and sell this software
and its documentation for any purpose is hereby granted without fee,
provided that the above copyright notice appear in all copies and that
both that copyright notice and this permission notice appear in
supporting documentation, and that the name of Zero-Knowledge Systems,
Inc. not be used in advertising or publicity pertaining to
distribution of the software without specific, written prior
permission. Zero-Knowledge Systems, Inc. makes no representations
about the suitability of this software for any purpose. It is
provided "as is" without express or implied warranty.

ZERO-KNOWLEDGE SYSTEMS, INC. DISCLAIMS ALL WARRANTIES WITH REGARD TO
THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS, IN NO EVENT SHALL ZERO-KNOWLEDGE SYSTEMS, INC. BE LIABLE FOR
ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTUOUS ACTION, ARISING OUT
OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

---- The implementation of the AES encryption algorithm in
src/lib/crypto/aes has the following copyright:

Copyright (c) 2001, Dr Brian Gladman <brg@gladman.uk.net>, Worcester, UK.

The free distribution and use of this software in both source and binary
form is allowed (with or without changes) provided that:

  1. distributions of this source code include the above copyright
     notice, this list of conditions and the following disclaimer;

  2. distributions in binary form include the above copyright
     notice, this list of conditions and the following disclaimer
     in the documentation and/or other associated materials;

  3. the copyright holder's name is not used to endorse products
     built using this software without specific written permission.

This software is provided 'as is' with no explcit or implied warranties
in respect of any properties, including, but not limited to, correctness
and fitness for purpose.

Appreciation Time!!!! There are far too many people to try to thank
them all; many people have contributed to the development of Kerberos
V5. This is only a partial listing....

Thanks to Paul Vixie and the Internet Software Consortium for funding
the work of Barry Jaspan. This funding was invaluable for the OV
administration server integration, as well as the 1.0 release

Thanks to John Linn, Scott Foote, and all of the folks at OpenVision
Technologies, Inc., who donated their administration server for use in
the MIT release of Kerberos.

Thanks to Jeff Bigler, Mark Eichin, Marc Horowitz, Nancy Gilman, Ken
Raeburn, and all of the folks at Cygnus Support, who provided
innumerable bug fixes and portability enhancements to the Kerberos V5
tree. Thanks especially to Jeff Bigler, for the new user and system
administrator's documentation.

Thanks to Doug Engert from ANL for providing many bug fixes, as well
as testing to ensure DCE interoperability.

Thanks to Ken Hornstein at NRL for providing many bug fixes and
suggestions, and for working on SAM preauthentication.

Thanks to Matt Crawford at FNAL for bugfixes and enhancements.

Thanks to Sean Mullan and Bill Sommerfeld from Hewlett Packard for
their many suggestions and bug fixes.

Thanks to Nalin Dahyabhai of RedHat and Chris Evans for locating and
providing patches for numerous buffer overruns.

Thanks to Christopher Thompson and Marcus Watts for discovering the

Thanks to the members of the Kerberos V5 development team at MIT, both
past and present: Danilo Almeida, Jay Berkenbilt, Richard Basch, Mitch
Berger, John Carr, Don Davis, Alexandra Ellwood, Nancy Gilman, Matt
Hancher, Sam Hartman, Paul Hill, Marc Horowitz, Eva Jacobus, Miroslav
Jurisic, Barry Jaspan, Geoffrey King, John Kohl, Peter Litwack, Scott
McGuire, Kevin Mitchell, Cliff Neuman, Paul Park, Ezra Peisach, Chris
Provenzano, Ken Raeburn, Jon Rochlis, Jeff Schiller, Jen Selby, Brad
Thompson, Harry Tsai, Ted Ts'o, Marshall Vale, Tom Yu.