- Kerberos Version 5, Release 1.5
+ Kerberos Version 5, Release 1.8
- Release Notes
- The MIT Kerberos Team
+ Release Notes
+ The MIT Kerberos Team
Unpacking the Source Distribution
---------------------------------
The source distribution of Kerberos 5 comes in a gzipped tarfile,
-krb5-1.5.tar.gz. Instructions on how to extract the entire
+krb5-1.8.tar.gz. Instructions on how to extract the entire
distribution follow.
If you have the GNU tar program and gzip installed, you can simply do:
- gtar zxpf krb5-1.5.tar.gz
+ gtar zxpf krb5-1.8.tar.gz
If you don't have GNU tar, you will need to get the FSF gzip
distribution and use gzcat:
- gzcat krb5-1.5.tar.gz | tar xpf -
+ gzcat krb5-1.8.tar.gz | tar xpf -
-Both of these methods will extract the sources into krb5-1.5/src and
-the documentation into krb5-1.5/doc.
+Both of these methods will extract the sources into krb5-1.8/src and
+the documentation into krb5-1.8/doc.
Building and Installing Kerberos 5
----------------------------------
and logging in as "guest" with password "guest".
-Major changes in 1.5
-----------------------
+DES transition
+--------------
+
+The Data Encryption Standard (DES) is widely recognized as weak. The
+krb5-1.7 release contains measures to encourage sites to migrate away
+from using single-DES cryptosystems. Among these is a configuration
+variable that enables "weak" enctypes, which defaults to "false"
+beginning with krb5-1.8.
+
+Major changes in 1.8
+--------------------
+
+The krb5-1.8 release contains a large number of changes, featuring
+improvements in the following broad areas:
+
+* Code quality
+* Modularity
+* Performance
+* End-user experience
+* Administrator experience
+* Protocol evolution
+
+Code quality:
+
+* Move toward test-driven development -- new features have test code,
+ or at least written testing procedures.
+
+* Increase conformance to coding style
+
+ + "The great reindent"
+
+ + Selective refactoring
+
+Modularity:
+
+* Crypto modularity -- vendors can more easily substitute their own
+ crypto implementations, which might be hardware-accelerated or
+ validated to FIPS 140, for the builtin crypto implementation that
+ has historically shipped as part of MIT Kerberos. Currently, only
+ an OpenSSL provider is included, but others are possible.
+
+* Move toward improved KDB interface
+
+* Improved API for verifying and interrogating authorization data
+
+Performance:
+
+* Investigate and remedy repeatedly-reported performance bottlenecks.
+
+* Encryption performance -- new crypto API with opaque key structures,
+ to allow for optimizations such as caching of derived keys
+
+End-user experience:
-Merged to the trunk and included in this alpha release:
+* Reduce DNS dependence by implementing an interface that allows
+ client library to track whether a KDC supports service principal
+ referrals.
-* plug-in architecture (in-progress)
+Administrator experience:
-Not yet merged to the trunk, thus not included in this alpha release:
+* Disable DES by default -- this reduces security exposure from using
+ an increasingly insecure cipher.
-* LDAP plug-in for KDB
+* More versatile crypto configuration, to simplify migration away from
+ DES -- new configuration syntax to allow inclusion and exclusion of
+ specific algorithms relative to a default set.
-* multi-mechanism GSS-API implementation
+* Account lockout for repeated login failures -- mitigates online
+ password guessing attacks, and helps with some enterprise regulatory
+ compliance.
-* SPNEGO implementation
+Protocol evolution:
-Minor changes in 1.5
-----------------------
+* FAST enhancements -- preauthentication framework enhancements
-For a list of bugs fixed in krb5-1.5, please consult
+* Microsoft Services for User (S4U) compatibility: S4U2Self, also
+ known as "protocol transition", allows for service to ask a KDC for
+ a ticket to themselves on behalf of a client authenticated via a
+ different means; S4U2Proxy allows a service to ask a KDC for a
+ ticket to another service on behalf of a client.
-http://krbdev.mit.edu/rt/NoAuth/krb5-1.5/fixed-1.5.html
+* Anonymous PKINIT -- allows the use of public-key cryptography to
+ anonymously authenticate to a realm
-Copyright Notice and Legal Administrivia
-----------------------------------------
+krb5-1.8 changes by ticket ID
+-----------------------------
-Copyright (C) 1985-2006 by the Massachusetts Institute of Technology.
+5468 delete kadmin v1 support
+6206 new API for storing extra per-principal data in ccache
+6434 krb5_cc_resolve() will crash if a null name param is provided
+6454 Make krb5_mkt_resolve error handling work
+6510 Restore limited support for static linking
+6539 Enctype list configuration enhancements
+6547 Modify kadm5 initializers to accept krb5 contexts
+6563 Implement s4u extensions
+6564 s4u extensions integration broke test suite...
+6565 HP-UX IA64 wrong endian
+6572 Implement GSS naming extensions and authdata verification
+6576 Implement new APIs to allow improved crypto performance
+6577 Account lockout for repeated login failures
+6578 Heimdal DB bridge plugin for KDC back end
+6580 Constrained delegation without PAC support
+6582 Memory leak in _kadm5_init_any introduced with ipropd
+6583 Unbundle applications into separate repository
+6586 libkrb5 support for non-blocking AS requests
+6590 allow testing even if name->addr->name mapping doesn't work
+6591 fix slow behavior on Mac OS X with link-local addresses
+6593 Remove dependency on /bin/csh in test suite
+6595 FAST (preauth framework) negotiation
+6597 Add GSS extensions to store credentials, generate random bits
+6605 PKINIT client should validate SAN for TGS, not service principal
+6606 allow testing when offline
+6607 anonymous PKINIT
+6616 Fix spelling and hyphen errors in man pages
+6618 Support optional creation of PID files for krb5kdc and kadmind
+6620 kdc_supported_enctypes does nothing; eradicate mentions thereof
+6621 disable weak crypto by default
+
+Copyright and Other Legal Notices
+---------------------------------
+
+Copyright (C) 1985-2010 by the Massachusetts Institute of Technology.
All rights reserved.
for any purpose. It is provided "as is" without express or implied
warranty.
-THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
Individual source code files are copyright MIT, Cygnus Support,
-OpenVision, Oracle, Sun Soft, FundsXpress, and others.
+Novell, OpenVision Technologies, Oracle, Red Hat, Sun Microsystems,
+FundsXpress, and others.
Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira,
and Zephyr are trademarks of the Massachusetts Institute of Technology
MIT trademarks in order to convey information (although in doing so,
recognition of their trademark status should be given).
-----
+ --------------------
+
+Portions of src/lib/crypto have the following copyright:
+
+ Copyright (C) 1998 by the FundsXpress, INC.
+
+ All rights reserved.
+
+ Export of this software from the United States of America may require
+ a specific license from the United States Government. It is the
+ responsibility of any person or organization contemplating export to
+ obtain such a license before exporting.
+
+ WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ distribute this software and its documentation for any purpose and
+ without fee is hereby granted, provided that the above copyright
+ notice appear in all copies and that both that copyright notice and
+ this permission notice appear in supporting documentation, and that
+ the name of FundsXpress. not be used in advertising or publicity pertaining
+ to distribution of the software without specific, written prior
+ permission. FundsXpress makes no representations about the suitability of
+ this software for any purpose. It is provided "as is" without express
+ or implied warranty.
+
+ THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR
+ IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+
+
+ --------------------
The following copyright and permission notice applies to the
OpenVision Kerberos Administration system located in kadmin/create,
kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions
of lib/rpc:
- Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved
-
- WARNING: Retrieving the OpenVision Kerberos Administration system
- source code, as described below, indicates your acceptance of the
- following terms. If you do not agree to the following terms, do not
- retrieve the OpenVision Kerberos administration system.
-
- You may freely use and distribute the Source Code and Object Code
- compiled from it, with or without modification, but this Source
- Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY,
- INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR
- FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER
- EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY
- FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR
- CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING,
- WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE
- CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY
- OTHER REASON.
-
- OpenVision retains all copyrights in the donated Source Code. OpenVision
- also retains copyright to derivative works of the Source Code, whether
- created by OpenVision or by a third party. The OpenVision copyright
- notice must be preserved if derivative works are made based on the
- donated Source Code.
-
- OpenVision Technologies, Inc. has donated this Kerberos
- Administration system to MIT for inclusion in the standard
- Kerberos 5 distribution. This donation underscores our
- commitment to continuing Kerberos technology development
- and our gratitude for the valuable work which has been
- performed by MIT and the Kerberos community.
-
-----
-
- Portions contributed by Matt Crawford <crawdad@fnal.gov> were
- work performed at Fermi National Accelerator Laboratory, which is
- operated by Universities Research Association, Inc., under
- contract DE-AC02-76CHO3000 with the U.S. Department of Energy.
-
----- The implementation of the Yarrow pseudo-random number generator
-in src/lib/crypto/yarrow has the following copyright:
-
-Copyright 2000 by Zero-Knowledge Systems, Inc.
-
-Permission to use, copy, modify, distribute, and sell this software
-and its documentation for any purpose is hereby granted without fee,
-provided that the above copyright notice appear in all copies and that
-both that copyright notice and this permission notice appear in
-supporting documentation, and that the name of Zero-Knowledge Systems,
-Inc. not be used in advertising or publicity pertaining to
-distribution of the software without specific, written prior
-permission. Zero-Knowledge Systems, Inc. makes no representations
-about the suitability of this software for any purpose. It is
-provided "as is" without express or implied warranty.
-
-ZERO-KNOWLEDGE SYSTEMS, INC. DISCLAIMS ALL WARRANTIES WITH REGARD TO
-THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
-FITNESS, IN NO EVENT SHALL ZERO-KNOWLEDGE SYSTEMS, INC. BE LIABLE FOR
-ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTUOUS ACTION, ARISING OUT
-OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
----- The implementation of the AES encryption algorithm in
+ Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved
+
+ WARNING: Retrieving the OpenVision Kerberos Administration system
+ source code, as described below, indicates your acceptance of the
+ following terms. If you do not agree to the following terms, do not
+ retrieve the OpenVision Kerberos administration system.
+
+ You may freely use and distribute the Source Code and Object Code
+ compiled from it, with or without modification, but this Source
+ Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY,
+ INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR
+ FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER
+ EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY
+ FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR
+ CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING,
+ WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE
+ CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY
+ OTHER REASON.
+
+ OpenVision retains all copyrights in the donated Source Code. OpenVision
+ also retains copyright to derivative works of the Source Code, whether
+ created by OpenVision or by a third party. The OpenVision copyright
+ notice must be preserved if derivative works are made based on the
+ donated Source Code.
+
+ OpenVision Technologies, Inc. has donated this Kerberos
+ Administration system to MIT for inclusion in the standard
+ Kerberos 5 distribution. This donation underscores our
+ commitment to continuing Kerberos technology development
+ and our gratitude for the valuable work which has been
+ performed by MIT and the Kerberos community.
+
+ --------------------
+
+ Portions contributed by Matt Crawford <crawdad@fnal.gov> were
+ work performed at Fermi National Accelerator Laboratory, which is
+ operated by Universities Research Association, Inc., under
+ contract DE-AC02-76CHO3000 with the U.S. Department of Energy.
+
+ --------------------
+
+The implementation of the Yarrow pseudo-random number generator in
+src/lib/crypto/yarrow has the following copyright:
+
+ Copyright 2000 by Zero-Knowledge Systems, Inc.
+
+ Permission to use, copy, modify, distribute, and sell this software
+ and its documentation for any purpose is hereby granted without fee,
+ provided that the above copyright notice appear in all copies and that
+ both that copyright notice and this permission notice appear in
+ supporting documentation, and that the name of Zero-Knowledge Systems,
+ Inc. not be used in advertising or publicity pertaining to
+ distribution of the software without specific, written prior
+ permission. Zero-Knowledge Systems, Inc. makes no representations
+ about the suitability of this software for any purpose. It is
+ provided "as is" without express or implied warranty.
+
+ ZERO-KNOWLEDGE SYSTEMS, INC. DISCLAIMS ALL WARRANTIES WITH REGARD TO
+ THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
+ FITNESS, IN NO EVENT SHALL ZERO-KNOWLEDGE SYSTEMS, INC. BE LIABLE FOR
+ ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTUOUS ACTION, ARISING OUT
+ OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+ --------------------
+
+The implementation of the AES encryption algorithm in
src/lib/crypto/aes has the following copyright:
- Copyright (c) 2001, Dr Brian Gladman <brg@gladman.uk.net>, Worcester, UK.
- All rights reserved.
-
- LICENSE TERMS
-
- The free distribution and use of this software in both source and binary
- form is allowed (with or without changes) provided that:
-
- 1. distributions of this source code include the above copyright
- notice, this list of conditions and the following disclaimer;
-
- 2. distributions in binary form include the above copyright
- notice, this list of conditions and the following disclaimer
- in the documentation and/or other associated materials;
-
- 3. the copyright holder's name is not used to endorse products
- built using this software without specific written permission.
-
- DISCLAIMER
-
- This software is provided 'as is' with no explcit or implied warranties
- in respect of any properties, including, but not limited to, correctness
- and fitness for purpose.
-
---- The implementations of GSSAPI mechglue in GSSAPI-SPNEGO in
- src/lib/gssapi, including the following files:
-
-lib/gssapi/generic/gssapi_err_generic.et
-lib/gssapi/mechglue/g_accept_sec_context.c
-lib/gssapi/mechglue/g_acquire_cred.c
-lib/gssapi/mechglue/g_canon_name.c
-lib/gssapi/mechglue/g_compare_name.c
-lib/gssapi/mechglue/g_context_time.c
-lib/gssapi/mechglue/g_delete_sec_context.c
-lib/gssapi/mechglue/g_dsp_name.c
-lib/gssapi/mechglue/g_dsp_status.c
-lib/gssapi/mechglue/g_dup_name.c
-lib/gssapi/mechglue/g_exp_sec_context.c
-lib/gssapi/mechglue/g_export_name.c
-lib/gssapi/mechglue/g_glue.c
-lib/gssapi/mechglue/g_imp_name.c
-lib/gssapi/mechglue/g_imp_sec_context.c
-lib/gssapi/mechglue/g_init_sec_context.c
-lib/gssapi/mechglue/g_initialize.c
-lib/gssapi/mechglue/g_inquire_context.c
-lib/gssapi/mechglue/g_inquire_cred.c
-lib/gssapi/mechglue/g_inquire_names.c
-lib/gssapi/mechglue/g_process_context.c
-lib/gssapi/mechglue/g_rel_buffer.c
-lib/gssapi/mechglue/g_rel_cred.c
-lib/gssapi/mechglue/g_rel_name.c
-lib/gssapi/mechglue/g_rel_oid_set.c
-lib/gssapi/mechglue/g_seal.c
-lib/gssapi/mechglue/g_sign.c
-lib/gssapi/mechglue/g_store_cred.c
-lib/gssapi/mechglue/g_unseal.c
-lib/gssapi/mechglue/g_userok.c
-lib/gssapi/mechglue/g_utils.c
-lib/gssapi/mechglue/g_verify.c
-lib/gssapi/mechglue/gssd_pname_to_uid.c
-lib/gssapi/mechglue/mglueP.h
-lib/gssapi/mechglue/oid_ops.c
-lib/gssapi/spnego/gssapiP_spnego.h
-lib/gssapi/spnego/spnego_mech.c
+ Copyright (c) 2001, Dr Brian Gladman <brg@gladman.uk.net>, Worcester, UK.
+ All rights reserved.
+
+ LICENSE TERMS
+
+ The free distribution and use of this software in both source and binary
+ form is allowed (with or without changes) provided that:
+
+ 1. distributions of this source code include the above copyright
+ notice, this list of conditions and the following disclaimer;
+
+ 2. distributions in binary form include the above copyright
+ notice, this list of conditions and the following disclaimer
+ in the documentation and/or other associated materials;
+
+ 3. the copyright holder's name is not used to endorse products
+ built using this software without specific written permission.
+
+ DISCLAIMER
+
+ This software is provided 'as is' with no explcit or implied warranties
+ in respect of any properties, including, but not limited to, correctness
+ and fitness for purpose.
+
+ --------------------
+
+Portions contributed by Red Hat, including the pre-authentication
+plug-ins framework, contain the following copyright:
+
+ Copyright (c) 2006 Red Hat, Inc.
+ Portions copyright (c) 2006 Massachusetts Institute of Technology
+ All Rights Reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+
+ * Redistributions in binary form must reproduce the above
+ copyright notice, this list of conditions and the following
+ disclaimer in the documentation and/or other materials provided
+ with the distribution.
+
+ * Neither the name of Red Hat, Inc., nor the names of its
+ contributors may be used to endorse or promote products derived
+ from this software without specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
+ OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+ --------------------
+
+The implementations of GSSAPI mechglue in GSSAPI-SPNEGO in
+src/lib/gssapi, including the following files:
+
+ lib/gssapi/generic/gssapi_err_generic.et
+ lib/gssapi/mechglue/g_accept_sec_context.c
+ lib/gssapi/mechglue/g_acquire_cred.c
+ lib/gssapi/mechglue/g_canon_name.c
+ lib/gssapi/mechglue/g_compare_name.c
+ lib/gssapi/mechglue/g_context_time.c
+ lib/gssapi/mechglue/g_delete_sec_context.c
+ lib/gssapi/mechglue/g_dsp_name.c
+ lib/gssapi/mechglue/g_dsp_status.c
+ lib/gssapi/mechglue/g_dup_name.c
+ lib/gssapi/mechglue/g_exp_sec_context.c
+ lib/gssapi/mechglue/g_export_name.c
+ lib/gssapi/mechglue/g_glue.c
+ lib/gssapi/mechglue/g_imp_name.c
+ lib/gssapi/mechglue/g_imp_sec_context.c
+ lib/gssapi/mechglue/g_init_sec_context.c
+ lib/gssapi/mechglue/g_initialize.c
+ lib/gssapi/mechglue/g_inquire_context.c
+ lib/gssapi/mechglue/g_inquire_cred.c
+ lib/gssapi/mechglue/g_inquire_names.c
+ lib/gssapi/mechglue/g_process_context.c
+ lib/gssapi/mechglue/g_rel_buffer.c
+ lib/gssapi/mechglue/g_rel_cred.c
+ lib/gssapi/mechglue/g_rel_name.c
+ lib/gssapi/mechglue/g_rel_oid_set.c
+ lib/gssapi/mechglue/g_seal.c
+ lib/gssapi/mechglue/g_sign.c
+ lib/gssapi/mechglue/g_store_cred.c
+ lib/gssapi/mechglue/g_unseal.c
+ lib/gssapi/mechglue/g_userok.c
+ lib/gssapi/mechglue/g_utils.c
+ lib/gssapi/mechglue/g_verify.c
+ lib/gssapi/mechglue/gssd_pname_to_uid.c
+ lib/gssapi/mechglue/mglueP.h
+ lib/gssapi/mechglue/oid_ops.c
+ lib/gssapi/spnego/gssapiP_spnego.h
+ lib/gssapi/spnego/spnego_mech.c
+
+and the initial implementation of incremental propagation, including
+the following new or changed files:
+
+ include/iprop_hdr.h
+ kadmin/server/ipropd_svc.c
+ lib/kdb/iprop.x
+ lib/kdb/kdb_convert.c
+ lib/kdb/kdb_log.c
+ lib/kdb/kdb_log.h
+ lib/krb5/error_tables/kdb5_err.et
+ slave/kpropd_rpc.c
+ slave/kproplog.c
+
+and marked portions of the following files:
+
+ lib/krb5/os/hst_realm.c
are subject to the following license:
-Copyright (c) 2004 Sun Microsystems, Inc.
+ Copyright (c) 2004 Sun Microsystems, Inc.
+
+ Permission is hereby granted, free of charge, to any person obtaining a
+ copy of this software and associated documentation files (the
+ "Software"), to deal in the Software without restriction, including
+ without limitation the rights to use, copy, modify, merge, publish,
+ distribute, sublicense, and/or sell copies of the Software, and to
+ permit persons to whom the Software is furnished to do so, subject to
+ the following conditions:
+
+ The above copyright notice and this permission notice shall be included
+ in all copies or substantial portions of the Software.
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+ IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+ CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+ TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+ --------------------
+
+MIT Kerberos includes documentation and software developed at the
+University of California at Berkeley, which includes this copyright
+notice:
+
+ Copyright (C) 1983 Regents of the University of California.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above
+ copyright notice, this list of conditions and the following
+ disclaimer in the documentation and/or other materials provided
+ with the distribution.
+
+ 3. Neither the name of the University nor the names of its
+ contributors may be used to endorse or promote products derived
+ from this software without specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGE.
+
+ --------------------
+
+Portions contributed by Novell, Inc., including the LDAP database
+backend, are subject to the following license:
+
+ Copyright (c) 2004-2005, Novell, Inc.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ * Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ * The copyright holder's name is not used to endorse or promote products
+ derived from this software without specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+
+ --------------------
+
+Portions funded by Sandia National Laboratory and developed by the
+University of Michigan's Center for Information Technology
+Integration, including the PKINIT implementation, are subject to the
+following license:
+
+ COPYRIGHT (C) 2006-2007
+ THE REGENTS OF THE UNIVERSITY OF MICHIGAN
+ ALL RIGHTS RESERVED
+
+ Permission is granted to use, copy, create derivative works
+ and redistribute this software and such derivative works
+ for any purpose, so long as the name of The University of
+ Michigan is not used in any advertising or publicity
+ pertaining to the use of distribution of this software
+ without specific, written prior authorization. If the
+ above copyright notice or any other identification of the
+ University of Michigan is included in any copy of any
+ portion of this software, then the disclaimer below must
+ also be included.
+
+ THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
+ FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
+ PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
+ MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
+ WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
+ MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
+ REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
+ FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
+ CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
+ OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
+ IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGES.
+
+ --------------------
+
+The pkcs11.h file included in the PKINIT code has the following
+license:
+
+ Copyright 2006 g10 Code GmbH
+ Copyright 2006 Andreas Jellinghaus
+
+ This file is free software; as a special exception the author gives
+ unlimited permission to copy and/or distribute it, with or without
+ modifications, as long as this notice is preserved.
+
+ This file is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY, to the extent permitted by law; without even
+ the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ PURPOSE.
+
+ --------------------
+
+Portions contributed by Apple Inc. are subject to the following license:
+
+Copyright 2004-2008 Apple Inc. All Rights Reserved.
+
+Export of this software from the United States of America may require
+a specific license from the United States Government. It is the
+responsibility of any person or organization contemplating export to
+obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of Apple Inc. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission. Apple Inc. makes no representations about the suitability of
+this software for any purpose. It is provided "as is" without express
+or implied warranty.
+
+THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+
+ --------------------
+
+The implementations of strlcpy and strlcat in
+src/util/support/strlcat.c have the following copyright and permission
+notice:
+
+Copyright (c) 1998 Todd C. Miller <Todd.Miller@courtesan.com>
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+ --------------------
+
+The implementations of UTF-8 string handling in src/util/support and
+src/lib/krb5/unicode are subject to the following copyright and
+permission notice:
+
+The OpenLDAP Public License
+ Version 2.8, 17 August 2003
+
+Redistribution and use of this software and associated documentation
+("Software"), with or without modification, are permitted provided
+that the following conditions are met:
+
+1. Redistributions in source form must retain copyright statements
+ and notices,
+
+2. Redistributions in binary form must reproduce applicable copyright
+ statements and notices, this list of conditions, and the following
+ disclaimer in the documentation and/or other materials provided
+ with the distribution, and
+
+3. Redistributions must contain a verbatim copy of this document.
+
+The OpenLDAP Foundation may revise this license from time to time.
+Each revision is distinguished by a version number. You may use
+this Software under terms of this license revision or under the
+terms of any subsequent revision of the license.
+
+THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS
+CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S)
+OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+The names of the authors and copyright holders must not be used in
+advertising or otherwise to promote the sale, use or other dealing
+in this Software without specific, written prior permission. Title
+to copyright in this Software shall at all times remain with copyright
+holders.
+
+OpenLDAP is a registered trademark of the OpenLDAP Foundation.
+
+Copyright 1999-2003 The OpenLDAP Foundation, Redwood City,
+California, USA. All Rights Reserved. Permission to copy and
+distribute verbatim copies of this document is granted.
+
+ --------------------
+
+Marked test programs in src/lib/krb5/krb have the following copyright:
+
+Copyright (c) 2006 Kungliga Tekniska Högskolan
+(Royal Institute of Technology, Stockholm, Sweden).
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
-Permission is hereby granted, free of charge, to any person obtaining a
-copy of this software and associated documentation files (the
-"Software"), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
+1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
-The above copyright notice and this permission notice shall be included
-in all copies or substantial portions of the Software.
+2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
-OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
-IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
-CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
-TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
-SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+3. Neither the name of KTH nor the names of its contributors may be
+ used to endorse or promote products derived from this software without
+ specific prior written permission.
-Acknowledgements
-----------------
+THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-Thanks to Sun Microsystems for donating their implementations of
-mechglue and SPNEGO.
+Acknowledgements for krb5-1.8
+-----------------------------
Thanks to the members of the Kerberos V5 development team at MIT, both
-past and present: Danilo Almeida, Jeffrey Altman, Richard Basch, Jay
-Berkenbilt, Mitch Berger, Andrew Boardman, Joe Calzaretta, John Carr,
-Don Davis, Alexandra Ellwood, Nancy Gilman, Matt Hancher, Sam Hartman,
-Paul Hill, Marc Horowitz, Eva Jacobus, Miroslav Jurisic, Barry Jaspan,
-Geoffrey King, John Kohl, Peter Litwack, Scott McGuire, Kevin
-Mitchell, Cliff Neuman, Paul Park, Ezra Peisach, Chris Provenzano, Ken
-Raeburn, Jon Rochlis, Jeff Schiller, Jen Selby, Brad Thompson, Harry
-Tsai, Ted Ts'o, Marshall Vale, Tom Yu.
+past and present: Danilo Almeida, Jeffrey Altman, Justin Anderson,
+Richard Basch, Jay Berkenbilt, Mitch Berger, Andrew Boardman, Joe
+Calzaretta, John Carr, Don Davis, Alexandra Ellwood, Nancy Gilman,
+Matt Hancher, Sam Hartman, Paul Hill, Marc Horowitz, Eva Jacobus,
+Miroslav Jurisic, Barry Jaspan, Geoffrey King, Kevin Koch, John Kohl,
+Peter Litwack, Scott McGuire, Kevin Mitchell, Cliff Neuman, Paul Park,
+Ezra Peisach, Chris Provenzano, Ken Raeburn, Jon Rochlis, Jeff
+Schiller, Jen Selby, Robert Silk, Brad Thompson, Harry Tsai, Zhanna
+Tsitkova, Ted Ts'o, Marshall Vale, Tom Yu.