-Beta test distribution READ-ME file.
------------------------------------
+ Kerberos Version 5, Release 1.9
-THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
-IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
-WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ Release Notes
+ The MIT Kerberos Team
-Now, with that out of the way, let me point you to a few things:
+Copyright and Other Notices
+---------------------------
-The file doc/TREE-GRAPH is a graphical representation of the source
-directory tree you should receive with this distribution.
+Copyright (C) 1985-2010 by the Massachusetts Institute of Technology
+and its contributors. All rights reserved.
-The file doc/SOURCE-TREE describes what's in each directory.
+Please see the file named NOTICE for additional notices.
-The file doc/HOW_TO_BUILD gives instructions on how to start build
-Kerberos.
+Building and Installing Kerberos 5
+----------------------------------
-We used the ISODE release 8.0 ASN.1 compiler for the code we have run
-and tested here at MIT. If you are using ISODE 6.8, you will need to
-apply the patches found in the file tools/pepsy-diffs to fix some bugs
-in the PEPSY compiler which have caused us problems. I believe that
-ISODE 8.0 should work without any problems. However, I have not had a
-chance to try it out.
+The first file you should look at is doc/install-guide.ps; it contains
+the notes for building and installing Kerberos 5. The info file
+krb5-install.info has the same information in info file format. You
+can view this using the GNU emacs info-mode, or by using the
+standalone info file viewer from the Free Software Foundation. This
+is also available as an HTML file, install.html.
->> <<
->> Please report any problems/bugs/comments to 'krb5-bugs@athena.mit.edu' <<
->> <<
+Other good files to look at are admin-guide.ps and user-guide.ps,
+which contain the system administrator's guide, and the user's guide,
+respectively. They are also available as info files
+kerberos-admin.info and krb5-user.info, respectively. These files are
+also available as HTML files.
-Appreciation Time!!!! There are far too many people to try to thank
-them all; many people have contributed to the development of Kerberos
-V5. This is only a partial listing....
+If you are attempting to build under Windows, please see the
+src/windows/README file.
-Thanks to Mark Eichin at Cygnus for writing the new autoconf
-configuration system, for making the code much more portable, and for
-serving as pre-release testers.
+Reporting Bugs
+--------------
-Thanks to Marc Horowitz, Barry Jaspan, and Jonathan Kamens (and
-others) at Openvision, Inc. for providing us with an GSS-API library,
-for serving as pre-release testers, and for finding and fixing many
-bugs (some of them at the last minute!).
+Please report any problems/bugs/comments using the krb5-send-pr
+program. The krb5-send-pr program will be installed in the sbin
+directory once you have successfully compiled and installed Kerberos
+V5 (or if you have installed one of our binary distributions).
-Thanks to Cybersafe for providing patches to fix bugs with inter-realm
-authentication.
+If you are not able to use krb5-send-pr because you haven't been able
+compile and install Kerberos V5 on any platform, you may send mail to
+krb5-bugs@mit.edu.
-Thanks to Ari Medivnsky and Cliff Neumann for writing a ksu client.
+You may view bug reports by visiting
-Thanks to Jim Miller from Suite Software for contributing many detailed
-bug reports, most of them by doing desk checks over the code!
+http://krbdev.mit.edu/rt/
-Thanks to Prasad Upasani from ISI for porting the Berkeley
-rlogin/rsh/rcp suite and for testing out our distribution on the Sun.
+and logging in as "guest" with password "guest".
-Thanks to Glenn Machin and Bill Wrahe from Sandia National Labs for
-contributing the kadmin server, plus lots of bugfixes.
+DES transition
+--------------
-Thanks to Bill Sommerfeld from HP for commenting on early Kerberos
-interface drafts, suggesting improvements in later coding interfaces,
-and finding and fixing many bugs.
+The Data Encryption Standard (DES) is widely recognized as weak. The
+krb5-1.7 release contains measures to encourage sites to migrate away
+from using single-DES cryptosystems. Among these is a configuration
+variable that enables "weak" enctypes, which defaults to "false"
+beginning with krb5-1.8.
-Thanks to Paul Borman from Cray for writing the Kerberos v4 to v5 glue
-layer and the Kerberos v5 subroutines for telnet.
+Major changes in 1.9
+--------------------
-Thanks to Dan Bernstein, for providing the replay cache code.
+Code quality:
-Thanks to the members of the Kerberos V5 development team at MIT, both
-past and present: Jay Berkenbilt, John Carr, Don Davis, Nancy Gilman,
-Barry Jaspan, John Kohl, Cliff Neuman, Jon Rochlis, Jeff Schiller, Ted
-Ts'o, Tom Yu.
+* Python-based testing framework
+* DAL cleanup
+Developer experience:
-Note:
+* NSS crypto back end
+* PRNG modularity
+* Fortuna-like PRNG
-Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira, and
-Zephyr are trademarks of the Massachusetts Institute of Technology (MIT). No
-commercial use of these trademarks may be made without prior written
-permission of MIT.
-
-FYI, "commercial use" means use of a name in a product or other for-profit
-manner. It does NOT prevent a commercial firm from referring to the MIT
-trademarks in order to convey information (although in doing so, recognition
-of their trademark status should be given).
+Performance:
+
+* Account lockout performance improvements
+
+Administrator experience:
+
+* Trace logging
+* Plugin interface for password sync
+* Plugin interface for password quality checks
+* Configuration file validator
+* KDC support for SecurID preauthentication
+
+Protocol evolution:
+
+* IAKERB
+* Camellia encryption (experimental; disabled by default)
+
+krb5-1.9 changes by ticket ID
+-----------------------------
+
+1219 mechanism to delete old keys should exist
+2032 No advanced warning of password expiry
+5014 kadmin (and other utilities) should report enctypes as it takes them
+6647 Memory leak in kdc
+6672 Python test framework
+6679 Lazy history key creation
+6684 Simple kinit verbosity patch
+6686 IPv6 support for kprop and kpropd
+6688 mit-krb5-1.7 fails to compile against openssl-1.0.0
+6699 Validate and renew should work on non-TGT creds
+6700 Introduce new krb5_tkt_creds API
+6712 Add IAKERB mechanism and gss_acquire_cred_with_password
+6714 [patch] fix format errors in krb5-1.8.1
+6715 cksum_body exports
+6719 Add lockout-related performance tuning variables
+6720 Negative enctypes improperly read from keytabs
+6723 Negative enctypes improperly read from ccaches
+6733 Make signedpath authdata visible via GSS naming exts
+6736 Add krb5_enctype_to_name() API
+6737 Trace logging
+6746 Make kadmin work over IPv6
+6749 DAL improvements
+6753 Fix XDR decoding of large values in xdr_u_int
+6755 Add GIC option for password/account expiration callback
+6758 Allow krb5_gss_register_acceptor_identity to unset keytab name
+6760 Fail properly when profile can't be accessed
+6761 add profile include support
+6762 key expiration computed incorrectly in libkdb_ldap
+6763 New plugin infrastructure
+6765 Password quality pluggable interface
+6769 clean up memory leak and potential unused variable in crypto tests
+6771 Fix memory leaks in kdb5_verify
+6772 Ensure valid key in krb5int_yarrow_cipher_encrypt_block
+6774 pkinit client cert matching can be disrupted by one of the
+ candidate certs
+6775 pkinit <KU> evaluation during certificate matching may fail
+6776 Typos in src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+6777 Segmentation fault in krb library (sn2princ.c) if realm not resolved
+6778 kdb: store mkey list in context and permit NULL mkey for
+ kdb_dbe_decrypt_key_data
+6779 kinit: add KDB keytab support
+6783 KDC worker processes feature
+6784 relicense Sun RPC to 3-clause BSD-style
+6785 Add gss_krb5_import_cred
+6786 kpasswd: if a credential cache is present, use FAST
+6787 S4U memory leak
+6791 kadm5_hook: new plugin interface
+6792 Implement k5login_directory and k5login_authoritative options
+6793 acquire_init_cred leaks interned name
+6795 Propagate modprinc -unlock from master to slave KDCs
+6796 segfault due to uninitialized variable in S4U
+6799 Performance issue in LDAP policy fetch
+6801 Fix leaks in get_init_creds interface
+6802 copyright notice updates
+6804 Remove KDC replay cache
+6805 securID code fixes
+6806 securID error handling fix
+6807 SecurID build support
+6809 gss_krb5int_make_seal_token_v3_iov fails to set conf_state
+6810 Better libk5crypto NSS fork safety
+6811 Mark Camellia-CCM code as experimental
+6812 krb5_get_credentials should not fail due to inability to store
+ a credential in a cache
+6815 Failed kdb5_util load removes real database
+6819 Handle referral realm in kprop client principal
+6820 Read KDC profile settings in kpropd
+6822 Implement Camellia-CTS-CMAC instead of Camellia-CCM
+6823 getdate.y: declare yyparse
+6824 Export krb5_tkt_creds_get
+6825 Add missing KRB5_CALLCONV in callback declaration
+6826 Fix Windows build
+6827 SA-2010-007 Checksum vulnerabilities (CVE-2010-1324 and others)
+6828 Install kadm5_hook_plugin.h
+6829 Implement restrict_anonymous_to_tgt realm flag
+
+Acknowledgements
+----------------
+
+Past and present Sponsors of the MIT Kerberos Consortium:
+
+ Apple
+ Carnegie Mellon University
+ Centrify Corporation
+ Columbia University
+ Cornell University
+ The Department of Defense of the United States of America (DoD)
+ Google
+ Iowa State University
+ MIT
+ Michigan State University
+ Microsoft
+ The National Aeronautics and Space Administration
+ of the United States of America (NASA)
+ Network Appliance (NetApp)
+ Nippon Telephone and Telegraph (NTT)
+ Oracle
+ Pennsylvania State University
+ Red Hat
+ Stanford University
+ TeamF1, Inc.
+ The University of Alaska
+ The University of Michigan
+ The University of Pennsylvania
+
+Past and present members of the Kerberos Team at MIT:
+
+ Danilo Almeida
+ Jeffrey Altman
+ Justin Anderson
+ Richard Basch
+ Mitch Berger
+ Jay Berkenbilt
+ Andrew Boardman
+ Bill Bryant
+ Steve Buckley
+ Joe Calzaretta
+ John Carr
+ Mark Colan
+ Don Davis
+ Alexandra Ellwood
+ Dan Geer
+ Nancy Gilman
+ Matt Hancher
+ Thomas Hardjono
+ Sam Hartman
+ Paul Hill
+ Marc Horowitz
+ Eva Jacobus
+ Miroslav Jurisic
+ Barry Jaspan
+ Geoffrey King
+ Kevin Koch
+ John Kohl
+ HaoQi Li
+ Peter Litwack
+ Scott McGuire
+ Steve Miller
+ Kevin Mitchell
+ Cliff Neuman
+ Paul Park
+ Ezra Peisach
+ Chris Provenzano
+ Ken Raeburn
+ Jon Rochlis
+ Jeff Schiller
+ Jen Selby
+ Robert Silk
+ Bill Sommerfeld
+ Jennifer Steiner
+ Ralph Swick
+ Brad Thompson
+ Harry Tsai
+ Zhanna Tsitkova
+ Ted Ts'o
+ Marshall Vale
+ Tom Yu
+
+The following external contributors have provided code, patches, bug
+reports, suggestions, and valuable resources:
+
+ Brandon Allbery
+ Russell Allbery
+ Brian Almeida
+ Michael B Allen
+ Derek Atkins
+ David Bantz
+ Alex Baule
+ Arlene Berry
+ Jeff Blaine
+ Radoslav Bodo
+ Emmanuel Bouillon
+ Michael Calmer
+ Ravi Channavajhala
+ Srinivas Cheruku
+ Leonardo Chiquitto
+ Howard Chu
+ Andrea Cirulli
+ Christopher D. Clausen
+ Kevin Coffman
+ Simon Cooper
+ Sylvain Cortes
+ Nalin Dahyabhai
+ Roland Dowdeswell
+ Jason Edgecombe
+ Mark Eichin
+ Shawn M. Emery
+ Douglas E. Engert
+ Peter Eriksson
+ Ronni Feldt
+ Bill Fellows
+ JC Ferguson
+ William Fiveash
+ Ákos Frohner
+ Marcus Granado
+ Scott Grizzard
+ Steve Grubb
+ Philip Guenther
+ Dominic Hargreaves
+ Jakob Haufe
+ Jeff Hodges
+ Love Hörnquist Åstrand
+ Ken Hornstein
+ Henry B. Hotz
+ Luke Howard
+ Jakub Hrozek
+ Shumon Huque
+ Jeffrey Hutzelman
+ Wyllys Ingersoll
+ Holger Isenberg
+ Pavel Jindra
+ Joel Johnson
+ Mikkel Kruse
+ Volker Lendecke
+ Jan iankko Lieskovsky
+ Ryan Lynch
+ Franklyn Mendez
+ Markus Moeller
+ Paul Moore
+ Zbysek Mraz
+ Edward Murrell
+ Nikos Nikoleris
+ Dmitri Pal
+ Javier Palacios
+ Ezra Peisach
+ W. Michael Petullo
+ Mark Phalan
+ Robert Relyea
+ Martin Rex
+ Jason Rogers
+ Mike Roszkowski
+ Guillaume Rousse
+ Tom Shaw
+ Peter Shoults
+ Simo Sorce
+ Michael Ströder
+ Bjørn Tore Sund
+ Rathor Vipin
+ Jorgen Wahlsten
+ Max (Weijun) Wang
+ John Washington
+ Marcus Watts
+ Simon Wilkinson
+ Nicolas Williams
+ Ross Wilper
+ Xu Qiang
+ Hanz van Zijst
+
+The above is not an exhaustive list; many others have contributed in
+various ways to the MIT Kerberos development effort over the years.
+Other acknowledgments (for bug reports and patches) are in the
+doc/CHANGES file.
projects / krb5.git / blobdiff