these were the
- Kerberos Version 5, Release 1.1
+ Kerberos Version 5, Release 1.2
Release Notes
which will be updated before the next release by
---------------------------------
The source distribution of Kerberos 5 comes in three gzipped tarfiles,
-krb5-1.1.src.tar.gz, krb5-1.1.doc.tar.gz, and krb5-1.1.crypto.tar.gz.
-The krb5-1.1.doc.tar.gz contains the doc/ directory and this README
-file. The krb5-1.1.src.tar.gz contains the src/ directory and this
+krb5-1.2.src.tar.gz, krb5-1.2.doc.tar.gz, and krb5-1.2.crypto.tar.gz.
+The krb5-1.2.doc.tar.gz contains the doc/ directory and this README
+file. The krb5-1.2.src.tar.gz contains the src/ directory and this
README file, except for the crypto library sources, which are in
-krb5-1.1.crypto.tar.gz.
+krb5-1.2.crypto.tar.gz.
Instruction on how to extract the entire distribution follow. These
directions assume that you want to extract into a directory called
mkdir DIST
cd DIST
- gtar zxpf krb5-1.1.src.tar.gz
- gtar zxpf krb5-1.1.crypto.tar.gz
- gtar zxpf krb5-1.1.doc.tar.gz
+ gtar zxpf krb5-1.2.src.tar.gz
+ gtar zxpf krb5-1.2.crypto.tar.gz
+ gtar zxpf krb5-1.2.doc.tar.gz
If you don't have GNU tar, you will need to get the FSF gzip
distribution and use gzcat:
mkdir DIST
cd DIST
- gzcat krb5-1.1.src.tar.gz | tar xpf -
- gzcat krb5-1.1.crypto.tar.gz | tar xpf -
- gzcat krb5-1.1.doc.tar.gz | tar xpf -
+ gzcat krb5-1.2.src.tar.gz | tar xpf -
+ gzcat krb5-1.2.crypto.tar.gz | tar xpf -
+ gzcat krb5-1.2.doc.tar.gz | tar xpf -
-Both of these methods will extract the sources into DIST/krb5-1.1/src
-and the documentation into DIST/krb5-1.1/doc.
+Both of these methods will extract the sources into DIST/krb5-1.2/src
+and the documentation into DIST/krb5-1.2/doc.
Building and Installing Kerberos 5
----------------------------------
Notes, Major Changes, and Known Bugs
------------------------------------
-* Triple DES support is included; however, it is only usable for
- service keys at the moment, due to a large number of compatibility
- issues. For example, the GSSAPI library has some (buggy) support
- for a triple DES session key, but it is intentionally disabled.
- ** Do not use triple-DES in your config files except as described in
- ** the documentation.
-
-* The principal database now uses the btree backend of Berkeley DB.
- This should result in improved KDC performance.
-
-* The lib/rpc tests do not appear to work under NetBSD-1.4, for
- reasons that are not completely clear at the moment, but probably
- have something to do with portmapper interfacing. This should not
- affect other operations, such as kadmind operation.
-
-* Shared library builds are under a new framework; at this point only
- Solaris (2.x), Irix (6.5), NetBSD (1.4 i386), and possibly Linux are
- known to work. All other working shared library builds may be
- figments of your imagination.
-
-* Many existing databases, especially those converted from krb4
- original databases, may contain expiration dates in 1999. You
- should make sure to update these expiration dates, and also change
- any config file entries that have two-digit years.
-
-* Hardware preauthentication is known to be broken; this will be fixed
- in an upcoming release.
-
-* krb524d now defaults to forking into the background; use
- "krb524d -nofork" to avoid forking.
-
-* Not all reported bugs have been fixed in this release, due to time
- constraints. We are planning to make another release in the near
- future with more complete triple DES support, and additional
- bugfixes. Many of the bugs in our database are reported against
- what is now quite old code, or require hardware that we do not have,
- which make them difficult to reproduce and debug. We will work on
- these older bugs and some externally submitted patches for the
- following release.
+* Triple DES support, for session keys as well as user or service
+ keys, should be nearly complete in this release. Much of the work
+ that has been needed is generic multiple-cryptosystem support, so
+ the addition of another cryptosystem should be much easier.
+
+ * GSSAPI support for 3DES has been added. An Internet Draft is
+ being worked on that will describe how this works; it is not
+ currently standardized. Some backwards-compatibility issues in
+ this area mean that enabling 3DES support must be done with
+ caution; service keys that are used for GSSAPI must not be updated
+ to 3DES until the services themselves are upgraded to support 3DES
+ under GSSAPI.
+
+* DNS support for locating KDCs is enabled by default. DNS support
+ for looking up the realm of a host is compiled in but disabled by
+ default (due to some concerns with DNS spoofing).
+
+ We recommend that you publish your KDC information through DNS even
+ if you intend to rely on config files at your own site; otherwise,
+ sites that wish to communicate with you will have to keep their
+ config files updated with your information. One of the goals of
+ this code is to reduce the client-side configuration maintenance
+ requirements as much as is possible, without compromising security.
+
+ See the administrator's guide for information on setting up DNS
+ information for your realm.
+
+ One important effect of this for developers is that on many systems,
+ "-lresolv" must be added to the compiler command line when linking
+ Kerberos programs.
+
+ Configure-time options are available to control the inclusion of the
+ DNS code and the setting of the defaults. Entries in krb5.conf will
+ also modify the behavior if the code has been compiled in.
+
+* Numerous buffer-overrun problems have been found and fixed. Many of
+ these were in locations we don't expect can be exploited in any
+ useful way (for example, overrunning a buffer of MAXPATHLEN bytes if
+ a compiled-in pathname is too long, in a program that has no special
+ privileges). It may be possible to exploit a few of these to
+ compromise system security.
+
+* Partial support for IPv6 addresses has been added. It can be
+ enabled or disabled at configure time with --enable-ipv6 or
+ --disable-ipv6; by default, the configure script will search for
+ certain types and macros, and enable the IPv6 code if they're found.
+ The IPv6 support at this time mostly consists of including the
+ addresses in credentials.
+
+* A protocol change has been made to the "rcmd" suite (rlogin, rsh,
+ rcp) to address several security problems described in Kris
+ Hildrum's paper presented at NDSS 2000. New command-line options
+ have been added to control the selection of protocol, since the
+ revised protocol is not compatible with the old one.
+
+* A security problem in login.krb5 has been fixed. This problem was
+ only present if the krb4 compatibility code was not compiled in.
+
+* A security problem with ftpd has been fixed. An error in the in the
+ yacc grammar permitted potential root access.
+
+* The client programs kinit, klist and kdestroy have been changed to
+ incorporate krb4 support. New command-line options control whether
+ krb4 behavior, krb5 behavior, or both are used.
+
+* Patches from Frank Cusack for much better hardware preauth support
+ have been incorporated.
+
+* Patches from Matt Crawford extend the kadmin ACL syntax so that
+ restrictions can be imposed on what certain administrators may do to
+ certain accounts.
+
+* A KDC on a host with multiple network addresses will now respond to
+ a client from the address that the client used to contact it. The
+ means used to implement this will however cause the KDC not to
+ listen on network addresses configured after the KDC has started.
+
+Minor changes
+-------------
+
+* The shell code for searching for the Tcl package at configure time
+ has been modified. If a tclConfig.sh can be found, the information
+ it contains is used, otherwise the old searching method is tried.
+ Let us know if this new scheme causes any problems.
+
+* Shared library builds may work on HPUX, Rhapsody/MacOS X, and newer
+ Alpha systems now.
+
+* The Windows build will now include kvno and gss-sample.
+
+* The routine krb5_secure_config_files has been disabled. A new
+ routine, krb5_init_secure_context, has been added in its place.
+
+* The routine decode_krb5_ticket is now being exported as
+ krb5_decode_ticket. Any programs that used the old name (which
+ should be few) should be changed to use the new name; we will
+ probably eliminate the old name in the future.
+
+* The CCAPI-based credentials cache code has been changed to store the
+ local-clock time of issue and expiration rather than the KDC-clock
+ times.
+
+* On systems with large numbers of IP addresses, "kinit" should do a
+ better job of acquiring those addresses to put in the user's
+ credentials.
+
+* Several memory leaks in error cases in the gssrpc code have been
+ fixed.
+
+* A bug with login clobbering some internal static storage on AIX has
+ been fixed.
+
+* Per-library initialization and cleanup functions have been added,
+ for use in configurations that dynamically load and unload these
+ libraries.
+
+* Many compile-time warnings have been fixed.
+
+* The GSS sample programs have been updated to exercise more of the
+ API.
+
+* The telnet server should produce a more meaningful error message if
+ authentication is required but not provided.
+
+* Changes have been made to ksu to make it more difficult to use it to
+ leak information the user does not have access to.
+
+* The sample config file information for the CYGNUS.COM realm has been
+ updated, and the GNU.ORG realm has been added.
+
+* A configure-time option has been added to enable a replay cache in
+ the KDC. We recommend its use when hardware preauthentication is
+ being used. It is enabled by default, and can be disabled if
+ desired with the configure-time option --disable-kdc-replay-cache.
+
+* Some new routines have been added to the library and krb5.h.
+
+* A new routine has been added to the prompter interface to allow the
+ application to determine which of the strings prompted for is the
+ user's password, in case it is needed for other purposes.
+
+* The remote kadmin interface has been enhanced to support the
+ specification of key/salt types for a principal.
+
+* New keytab entries' key values can now be specified manually with a
+ new command in the ktutil program.
+
+* A longstanding bug where certain krb4 exchanges using the
+ compatibility library between systems with different byte orders
+ would fail half the time has been fixed.
+
+* A source file under the GPL has been replaced with an equivalent
+ under the BSD license. The file, strftime.c, was part of one of the
+ OpenVision admin system applications, and was only used on systems
+ that don't have strftime() in their C libraries.
+
+* Many bug reports are still outstanding in our database. We are
+ continuing to work on this backlog.
+
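Review bot: the buffer-overrun item tells administrators that "a few" of the fixed overruns may be exploitable to compromise system security but not which programs or libraries contain them; naming the affected components, or at least saying whether any sit in network-facing daemons or privileged (setuid) programs, is what a site needs in order to decide how urgently to upgrade. In the DNS item, realm lookup is shipped disabled "due to some concerns with DNS spoofing" while KDC lookup is enabled by default, with no explanation of why the two cases are treated differently; a sentence on that distinction would let administrators judge whether turning on --enable-dns-for-realm is acceptable for their environment. Typo in the ftpd item: "An error in the in the yacc grammar".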
Copyright Notice and Legal Administrivia
----------------------------------------
-Copyright (C) 1985-1999 by the Massachusetts Institute of Technology.
+Copyright (C) 1985-2000 by the Massachusetts Institute of Technology.
All rights reserved.
MIT trademarks in order to convey information (although in doing so,
recognition of their trademark status should be given).
+----
+
The following copyright and permission notice applies to the
OpenVision Kerberos Administration system located in kadmin/create,
kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions
and our gratitude for the valuable work which has been
performed by MIT and the Kerberos community.
+----
+
+ Portions contributed by Matt Crawford <crawdad@fnal.gov> were
+ work performed at Fermi National Accelerator Laboratory, which is
+ operated by Universities Research Association, Inc., under
+ contract DE-AC02-76CHO3000 with the U.S. Department of Energy.
+
Acknowledgements
----------------
Thanks to Ken Hornstein at NRL for providing many bug fixes and
suggestions.
+Thanks to Matt Crawford at FNAL for bugfixes and enhancements.
+
Thanks to Sean Mullan and Bill Sommerfeld from Hewlett Packard for
their many suggestions and bug fixes.
+Thanks to Nalin Dahyabhai of RedHat and Chris Evans for locating and
+providing patches for numerous buffer overruns.
+
+Thanks to Christopher Thompson and Marcus Watts for discovering the
+ftpd security bug.
+
Thanks to the members of the Kerberos V5 development team at MIT, both
past and present: Danillo Almeida, Jay Berkenbilt, Richard Basch, John
Carr, Don Davis, Alexandra Ellwood, Nancy Gilman, Matt Hancher, Sam
-Hartman, Paul Hill, Marc Horowitz, Eva Jacobus, Barry Jaspan, Geoffrey
-King, John Kohl, Scott McGuire, Kevin Mitchell, Cliff Neuman, Paul
-Park, Ezra Peisach, Chris Provenzano, Ken Raeburn, Jon Rochlis, Jeff
-Schiller, Brad Thompson, Harry Tsai, Ted Ts'o, Marshall Vale, Tom Yu.
+Hartman, Paul Hill, Marc Horowitz, Eva Jacobus, Miroslav Jurisic,
+Barry Jaspan, Geoffrey King, John Kohl, Peter Litwack, Scott McGuire,
+Kevin Mitchell, Cliff Neuman, Paul Park, Ezra Peisach, Chris
+Provenzano, Ken Raeburn, Jon Rochlis, Jeff Schiller, Brad Thompson,
+Harry Tsai, Ted Ts'o, Marshall Vale, Tom Yu.
+2000-06-30 Ken Raeburn <raeburn@mit.edu>
+
+ * admin.texinfo (Kerberos V5 Database Library Error Codes):
+ Replace RCS Id strings with comments indicating that the RCS Id
+ string of the error table is used.
+
+2000-06-22 Tom Yu <tlyu@mit.edu>
+
+ * build.texinfo (HPUX): Update note for HPUX compiler flags.
+ (Shared Library Support): Update shared lib support info.
+
2000-06-16 Ken Raeburn <raeburn@mit.edu>
* admin.texinfo: Update descriptions to indicate full support for
@include definitions.texinfo
@set EDITION 1.0
-@set UPDATED November 27, 1996
+@set UPDATED June 16, 2000
@finalout @c don't print black warning boxes
@item
KRB5PLACEHOLD_127: KRB5 error code 127
@item
-KRB5_ERR_RCSID: $Id$
+KRB5_ERR_RCSID: (RCS Id string for the krb5 error table)
@item
KRB5_LIBOS_BADLOCKFLAG: Invalid flag for file lock mode
@item
@c error table numbering starts at 0
@enumerate 0
@item
-KRB5_KDB_RCSID: $Id$
+KRB5_KDB_RCSID: (RCS Id string for the kdb error table)
@item
KRB5_KDB_INUSE: Entry already exists in database
@item
+2000-06-22 Ken Raeburn <raeburn@mit.edu>
+
+ * Makefile (lib1.stamp): Use texindex instead of index.
+
1999-08-30 Ken Raeburn <raeburn@mit.edu>
* libdes.tex: Don't use ncs style; it's availability is dependent
lib1.stamp: $(LIBTEX) $(STYLES)
touch library.ind
latex library
- index library.idx
+ texindex library.idx
date > lib1.stamp
.tex.dvi:
of the libraries may be installed on the same system and continue to
work.
-Currently the supported platforms are
-@comment NetBSD 1.0A, AIX 3.2.5, AIX 4.1,
-Solaris 2.6 (aka SunOS 5.6) and Irix 6.5.
-@comment Alpha OSF/1 >= 2.1, HP-UX >= 9.X.
+Currently the supported platforms are Solaris 2.6 (aka SunOS 5.6) and Irix 6.5.
+
+Shared library support has been tested on the following platforms but
+not exhaustively (they have been built but not necessarily tested in an
+installed state): Tru64 (aka Alpha OSF/1 or Digital Unix) 4.0, NetBSD
+1.4.x (i386), and HP/UX 10.20.
+
+Platforms for which there is shared library support but not significant
+testing include FreeBSD, OpenBSD, MacOS 10, AIX, Linux, and SunOS 4.x.
To enable shared libraries on the above platforms, run the configure
script with the option @samp{--enable-shared}.
The native (bundled) compiler for HPUX currently will not work, because
it is not a full ANSI C compiler. The optional compiler (c89) should
-work as long as you give it the @samp{+Olibcalls -D_HPUX_SOURCE} (this
-has only been tested for HPUX 9.0). At this point, using GCC is
-probably your best bet.
+work as long as you give it the @samp{-D_HPUX_SOURCE} flag
+(i.e. @samp{./configure --with-cc='c89 -D_HPUX_SOURCE'}). This has only
+been tested recently for HPUX 10.20.
@node Solaris versions 2.0 through 2.3, Solaris 2.X, HPUX, OS Incompatibilities
@subsection Solaris versions 2.0 through 2.3
+2000-06-30 Tom Yu <tlyu@mit.edu>
+
+ * aclocal.m4 (CC_LINK_STATIC): Another fix for freebsd shared libs
+ from David Cross.
+
+2000-06-30 Ken Raeburn <raeburn@mit.edu>
+
+ * aclocal.m4 (KRB5_AC_ENABLE_DNS): Rewrite to fix logic. Now
+ --enable-dns-for-XX really will be heeded for setting default
+ behavior. Also, DNS support can now be compiled in while still
+ turned off by default. Print out whether the DNS support will be
+ compiled in.
+
+2000-06-30 Tom Yu <tlyu@mit.edu>
+
+ * aclocal.m4: Fix freebsd CC_LINK_SHARED to have correct rpath
+ flags. Thanks to David Cross.
+
2000-06-23 Ken Raeburn <raeburn@mit.edu>
* aclocal.m4 (KRB5_LIB_PARAMS): Don't need to display "checking"
PICFLAGS=-fpic
if test "x$objformat" = "xelf" ; then
SHLIBVEXT='.so.$(LIBMAJOR)'
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) -Wl,-rpath -Wl,-R$(PROG_RPATH)'
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) -Wl,-rpath -Wl,$(PROG_RPATH)'
else
SHLIBVEXT='.so.$(LIBMAJOR).$(LIBMINOR)'
CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) -R$(PROG_RPATH)'
dnl KRB5_AC_ENABLE_DNS
dnl
AC_DEFUN(KRB5_AC_ENABLE_DNS, [
- enable_dns_for_kdc=yes
- enable_dns_for_realm=no
+AC_MSG_CHECKING(if DNS Kerberos lookup support should be compiled in)
AC_ARG_ENABLE([dns],
-[ --enable-dns enable DNS lookups of Kerberos realm and servers],
-[enable_dns_for_kdc="$enable_dns"
-enable_dns_for_realm="$enable_dns"],
-[enable_dns=no])
- if test "$enable_dns" = yes; then
- AC_DEFINE(KRB5_DNS_LOOKUP)
- fi
+[ --enable-dns build in support for Kerberos-related DNS lookups], ,
+[enable_dns=default])
AC_ARG_ENABLE([dns-for-kdc],
-[ --enable-dns-for-kdc enable DNS lookups of Kerberos servers only])
+[ --enable-dns-for-kdc enable DNS lookups of Kerberos KDCs (default=YES)], ,
+[case "$enable_dns" in
+ yes | no) enable_dns_for_kdc=$enable_dns ;;
+ *) enable_dns_for_kdc=yes ;;
+esac])
if test "$enable_dns_for_kdc" = yes; then
AC_DEFINE(KRB5_DNS_LOOKUP_KDC)
fi
AC_ARG_ENABLE([dns-for-realm],
-[ --enable-dns-for-realm enable DNS lookups of Kerberos realm names only])
+[ --enable-dns-for-realm enable DNS lookups of Kerberos realm names], ,
+[case "$enable_dns" in
+ yes | no) enable_dns_for_realm=$enable_dns ;;
+ *) enable_dns_for_realm=no ;;
+esac])
if test "$enable_dns_for_realm" = yes; then
AC_DEFINE(KRB5_DNS_LOOKUP_REALM)
fi
- if test "$enable_dns_for_kdc" = yes || test "$enable_dns_for_realm" = yes ; then
+ if test "$enable_dns_for_kdc,$enable_dns_for_realm" != no,no
+ then
+ # must compile in the support code
+ if test "$enable_dns" = no ; then
+ AC_MSG_ERROR(cannot both enable some DNS options and disable DNS support)
+ fi
enable_dns=yes
+ fi
+ if test "$enable_dns" = yes ; then
AC_DEFINE(KRB5_DNS_LOOKUP)
+ else
+ enable_dns=no
fi
+
+AC_MSG_RESULT($enable_dns)
+dnl AC_MSG_CHECKING(if DNS should be used to find KDCs by default)
+dnl AC_MSG_RESULT($enable_dns_for_kdc)
+dnl AC_MSG_CHECKING(if DNS should be used to find realm name by default)
+dnl AC_MSG_RESULT($enable_dns_for_realm)
+
])
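Review bot: the --enable-dns-for-realm help string lacks the default annotation that --enable-dns-for-kdc carries ("(default=YES)"); add "(default=NO)" so configure --help makes it visible that realm lookup stays off unless requested. The four dnl-commented AC_MSG_CHECKING/AC_MSG_RESULT lines at the end of the macro should either be enabled (the ChangeLog entry says the macro now reports whether DNS support is compiled in, and the two per-feature defaults are what an administrator most needs to see in the configure output) or removed rather than left as dead code. Minor ordering point: AC_DEFINE(KRB5_DNS_LOOKUP_KDC) and AC_DEFINE(KRB5_DNS_LOOKUP_REALM) run before the check that rejects "--disable-dns" combined with an enabled sub-option; harmless because AC_MSG_ERROR aborts configure, but moving the consistency check ahead of the two AC_DEFINEs would make that obvious to the next reader.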
+2000-06-29 Ken Raeburn <raeburn@mit.edu>
+
+ Patch from Donn Cave and Leonard Peirce from 1.1 release cycle:
+ * login.c (k_init): Call krb5_cc_set_default_name right after
+ setting the environment variable.
+ (main): Likewise.
+
+2000-06-23 Ken Raeburn <raeburn@mit.edu>
+
+ * rcp.M, rsh.M, rlogin.M: Add description of new -PO, -PN
+ options.
+
2000-06-19 Tom Yu <tlyu@mit.edu>
* krshd.c (recvauth): Call krb5_recvauth_version() rather than
if (!getenv(KRB5_ENV_CCNAME)) {
sprintf(ccfile, "FILE:/tmp/krb5cc_p%d", getpid());
setenv(KRB5_ENV_CCNAME, ccfile, 1);
+ krb5_cc_set_default_name(kcontext, ccfile);
unlink(ccfile+strlen("FILE:"));
} else {
/* note it correctly */
#ifdef KRB5_GET_TICKETS
/* ccfile[0] is only set if we got tickets above */
- if (login_krb5_get_tickets && ccfile[0])
+ if (login_krb5_get_tickets && ccfile[0]) {
(void) setenv(KRB5_ENV_CCNAME, ccfile, 1);
+ krb5_cc_set_default_name(kcontext, ccfile);
+ }
#endif /* KRB5_GET_TICKETS */
if (tty[sizeof("tty")-1] == 'd')
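Review bot: both new krb5_cc_set_default_name() calls discard the krb5_error_code they return, so if the call fails the library default is left pointing somewhere other than the KRB5CCNAME value exported on the line just above it, which is exactly the inconsistency the change is meant to remove. Suggest capturing the return value and reporting it through the error path login.c already uses (or treating it as a login failure), since a login program is the one place where the environment variable and the library default should be guaranteed to agree.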
.B rcp
[\fB\-p\fP] [\fB\-x\fP] [\fB\-k\fP \fIrealm\fP ] [\fB\-D\fP \fIport\fP]
[\fB\-N\fP]
+[\fB\-PN | \-PO\fP]
.I file1 file2
.sp
.B rcp
[\fB\-p\fB] [\fB\-x\fP] [\fP\-k\fP \fIrealm\fP] [\fB\-r\fP] [\fB\-D\fP
\fIport\fP] [\fB\-N\fP]
+[\fB\-PN | \-PO\fP]
.I file ... directory
.SH DESCRIPTION
.B Rcp
if any of the source files are directories, copy each subtree rooted at
that name; in this case the destination must be a directory.
.TP
+\fB-PN\fP
+.TP
+\fB-PO\fP
+Explicitly request new or old version of the Kerberos ``rcmd''
+protocol. The new protocol avoids many security problems found in the
+old one, but is not interoperable with older servers. (An
+"input/output error" and a closed connection is the most likely result
+of attempting this combination.) If neither option is specified, some
+simple heuristics are used to guess which to try.
+.TP
\fB\-D\fP \fIport\fP
connect to port
.I port
.I rhost
[\fB\-e\fP\fI\|c\fP] [\fB\-8\fP] [\fB\-c\fP] [ \fB\-a\fP] [\fB\-f\fP]
[\fB\-F\fP] [\fB\-t\fP \fItermtype\fP] [\fB\-n\fP] [\fB\-7\fP]
+[\fB\-PN | \-PO\fP]
[\fB\-d\fP] [\fB\-k\fP \fIrealm\fP] [\fB\-x\fP] [\fB\-L\fP] [\fB\-l\fP
\fIusername\fP]
.PP
turn on DES encryption for all data passed via the rlogin session. This
significantly reduces response time and significantly increases CPU
utilization.
+.TP
+\fB-PN\fP
+.TP
+\fB-PO\fP
+Explicitly request new or old version of the Kerberos ``rcmd''
+protocol. The new protocol avoids many security problems found in the
+old one, but is not interoperable with older servers. (An
+"input/output error" and a closed connection is the most likely result
+of attempting this combination.) If neither option is specified, some
+simple heuristics are used to guess which to try.
.SH SEE ALSO
rsh(1), kerberos(3), krb_sendauth(3), krb_realmofhost(3), rlogin(1) [UCB
version]
.I host
[\fB\-l\fP \fIusername\fP] [\fB\-n\fP] [\fB\-d\fP] [\fB\-k\fP
\fIrealm\fP] [\fB\-f\fP | \fB\-F\fP] [\fB\-x\fP]
+[\fB\-PN | \-PO\fP]
.I command
.SH DESCRIPTION
.B Rsh
redirects input from the special device
.I /dev/null
(see the BUGS section below).
+.TP
+\fB-PN\fP
+.TP
+\fB-PO\fP
+Explicitly request new or old version of the Kerberos ``rcmd''
+protocol. The new protocol avoids many security problems found in the
+old one, but is not interoperable with older servers. (An
+"input/output error" and a closed connection is the most likely result
+of attempting this combination.) If neither option is specified, some
+simple heuristics are used to guess which to try.
.PP
If you omit
.IR command ,
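Review bot: the -PN/-PO paragraph added to rcp.M, rlogin.M and rsh.M says only that "some simple heuristics" pick the protocol when neither option is given; the man pages should state what the heuristic is (which protocol is tried first, and whether there is a fallback to the other one), because that determines whether a site with a mix of old and new servers gets the revised protocol's security fixes by default or has to pass -PN explicitly to be sure. The text is also copied verbatim three times, so any later correction has to be made in three places. Unrelated but in the touched file: the rcp synopsis context line `[\fB\-p\fB] [\fB\-x\fP] [\fP\-k\fP \fIrealm\fP]` has its font escapes swapped (`\fB` where `\fP` is meant after -p, and `\fP` where `\fB` is meant before -k), which renders the rest of the line in the wrong face; worth fixing while these files are being edited.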
+2000-06-30 Danilo Almeida <dalmeida@mit.edu>
+
+ * win-pre.in: Fix up DNS build flags to correspond to new DNS
+ build flags. Add support for not using wshelper.
+
2000-06-30 Tom Yu <tlyu@mit.edu>
* pre.in: Twiddle things around to support building libdb under
srcdir = .
SRCTOP = $(srcdir)\$(BUILDTOP)
-!if defined(KRB5_USE_DNS)
+!if defined(KRB5_USE_DNS) || defined(KRB5_USE_DNS_KDC) || defined(KRB5_USE_DNS_REALMS)
+!if defined(KRB5_NO_WSHELPER)
+DNSMSG=resolver
+!else
+DNSMSG=wshelper
+DNSFLAGS=-DWSHELPER=1
+!endif
!if !defined(DNS_INC)
-!message Must define DNS_INC to point to wshelper includes dir!
+!message Must define DNS_INC to point to $(DNSMSG) includes dir!
!error
!endif
!if !defined(DNS_LIB)
-!message Must define DNS_LIB to point to wshelper library!
+!message Must define DNS_LIB to point to $(DNSMSG) library!
!error
!endif
DNSLIBS=$(DNS_LIB)
-DNSFLAGS=-I$(DNS_INC) -DKRB5_DNS_LOOKUP -DWSHELPER
+DNSFLAGS=-I$(DNS_INC) $(DNSFLAGS) -DKRB5_DNS_LOOKUP=1
+!if defined(KRB5_USE_DNS_KDC)
+DNSFLAGS=$(DNSFLAGS) -DKRB5_DNS_LOOKUP_KDC=1
+!endif
+!if defined(KRB5_USE_DNS_REALMS)
+DNSFLAGS=$(DNSFLAGS) -DKRB5_DNS_LOOKUP_REALMS=1
+!endif
!else
DNSLIBS=
DNSFLAGS=
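Review bot: the macro emitted here as -DKRB5_DNS_LOOKUP_REALMS=1 does not match AC_DEFINE(KRB5_DNS_LOOKUP_REALM) in the aclocal.m4 hunk of this same patch; unless the C sources test both spellings, setting KRB5_USE_DNS_REALMS on Windows compiles in resolver support but leaves realm lookup silently off. Use one name in both places (the configure spelling, since the sources are shared). Also note the behavioural asymmetry with Unix: --enable-dns alone turns on KDC lookup by default, whereas defining only KRB5_USE_DNS here produces -DKRB5_DNS_LOOKUP=1 without -DKRB5_DNS_LOOKUP_KDC=1, so a Windows build that sets only KRB5_USE_DNS performs no lookups unless KRB5_USE_DNS_KDC is set as well; either default KDC lookup on when KRB5_USE_DNS is defined or document the difference.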
+2000-06-30 Tom Yu <tlyu@mit.edu>
+
+ * server_stubs.c: Kludge to rename xdr_free() properly.
+
2000-06-29 Tom Yu <tlyu@mit.edu>
* schpw.c (process_chpw_request): Add new argument to call to
#include <syslog.h>
#include "misc.h"
+#define xdr_free gssrpc_xdr_free /* XXX kludge */
+
#define LOG_UNAUTH "Unauthorized request: %s, %s, client=%s, service=%s, addr=%s"
#define LOG_DONE "Request: %s, %s, %s, client=%s, service=%s, addr=%s"
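Review bot: `#define xdr_free gssrpc_xdr_free` placed after the includes renames every later use of the identifier in this translation unit, including any declaration in a header included after it, and the XXX comment concedes it is a stopgap. The svc_auth_gssapi.c and server.c hunks in this same patch solve the same renaming problem the other way, by calling gssrpc_xdr_free() directly and by including gssrpc/pmap_clnt.h for its renaming of pmap_unset(); doing the same here (gssrpc_ names at the call sites, or adding xdr_free to the gssrpc renaming header) keeps the rename in one place and lets the kludge be removed.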
+2000-06-27 Tom Yu <tlyu@mit.edu>
+
+ * init_sec_context.c (get_credentials): Add initial iteration of
+ krb5_get_credentials in order to differentiate between an actual
+ missing credential and merely a bad match based on enctype. This
+ was causing problems with kadmin.
+
2000-06-09 Tom Yu <tlyu@mit.edu>
Ken Raeburn <raeburn@mit.edu>
#include <stdlib.h>
#include <assert.h>
+/*
+ * $Id$
+ */
+
/* XXX This is for debugging only!!! Should become a real bitfield
at some point */
int krb5_gss_dbg_client_expcreds = 0;
in_creds.keyblock.enctype = 0;
+ /*
+ * Initial iteration is necessary to catch a non-matching
+ * credential prior to looping through the GSSAPI-supported
+ * enctypes, since an enctype mismatch in the loop below will
+ * return KRB5_CC_NOTFOUND rather than one of the other error
+ * codes.
+ */
+ code = krb5_get_credentials(context, 0, cred->ccache,
+ &in_creds, out_creds);
+ if (code)
+ goto cleanup;
+ krb5_free_creds(context, *out_creds);
+ *out_creds = NULL;
for (i = 0; enctypes[i]; i++) {
in_creds.keyblock.enctype = enctypes[i];
code = krb5_get_credentials(context, 0, cred->ccache,
&in_creds, out_creds);
- if (code != KRB5_CC_NOT_KTYPE && code != KRB5KDC_ERR_ETYPE_NOSUPP)
+ if (code != KRB5_CC_NOT_KTYPE && code != KRB5_CC_NOTFOUND
+ && code != KRB5KDC_ERR_ETYPE_NOSUPP)
break;
}
if (enctypes[i] == 0) {
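Review bot: the probe krb5_get_credentials() call with enctype 0 exists only to tell a missing credential apart from an enctype mismatch, and its result is freed immediately; when the credential it finds already has a session-key enctype that appears in enctypes[], the loop below looks the same credential up a second time. Checking the probe result's enctype against enctypes[] and returning it directly, entering the loop only on a mismatch, would avoid the duplicate lookup while keeping the error differentiation the change is after. Separately, the new `/* $Id$ */` comment block is placed after the #include lines; RCS keyword comments are conventionally the first thing in the file.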
+2000-06-30 Tom Yu <tlyu@mit.edu>
+
+ * conv_princ.c (krb5_425_conv_principal): NULL, not nil.
+
+2000-06-30 Miro Jurisic <meeroh@mit.edu>
+
+ * conv_princ.c (krb5_425_conv_principal): Fixed a memory leak
+
2000-06-29 Ezra Peisach <epeisach@engrailed.mit.edu>
* t_walk_rtree.c (main): Declare as returning int.
} else if ((retval == 0) && (realm_name == NULL)) {
break;
}
+ if (realm_name != NULL) {
+ profile_release_string (realm_name);
+ realm_name = NULL;
+ }
+ if (dummy_value != NULL) {
+ profile_release_string (dummy_value);
+ dummy_value = NULL;
+ }
}
if (instance) {
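Review bot: the two release blocks run at the end of each loop iteration, but the `break` just above them leaves the loop before they execute; realm_name is NULL on that path, so it is fine, but if dummy_value was set during that same iteration it is not released. Either move the release of dummy_value ahead of the break, or release both strings once after the loop as well, so the leak fix covers the early-exit path too.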
+2000-06-21 Tom Yu <tlyu@mit.edu>
+
+ * svc_auth_gssapi.c (_svcauth_gssapi): Missed a rename. From
+ Nathan Neulinger.
+
2000-05-31 Ken Raeburn <raeburn@mit.edu>
* pmap_rmt.c (GIFCONF_BUFSIZE): New macro.
&call_arg)) {
PRINTF(("svcauth_gssapi: cannot decode args\n"));
LOG_MISCERR("protocol error in call arguments");
- xdr_free(xdr_authgssapi_init_arg, &call_arg);
+ gssrpc_xdr_free(xdr_authgssapi_init_arg, &call_arg);
ret = AUTH_BADCRED;
goto error;
}
+2000-06-30 Tom Yu <tlyu@mit.edu>
+
+ * server.c: Include gssrpc/pmap_clnt.h in order to get renaming of
+ pmap_unset(). From Nathan Neulinger.
+
2000-06-30 Ken Raeburn <raeburn@mit.edu>
* rpc_test_setup.sh: Error out if server_handle doesn't get set in
#include <string.h>
#include <signal.h>
#include <gssrpc/rpc.h>
+#include <gssrpc/pmap_clnt.h>
#include <arpa/inet.h> /* inet_ntoa */
#include <gssapi/gssapi.h>
#include <gssapi/gssapi_generic.h>
+2000-06-21 Danilo Almeida <dalmeida@mit.edu>
+
+ * README: Update documentation with DNS information. Fix up the
+ language a bit.
+
2000-04-25 Danilo Almeida <dalmeida@mit.edu>
* version.rc: Bump version to 1.2 beta.
Building & Running Kerberos 5 on Windows
----------------------------------------
-Kerberos 5 Windows support now only includes Win32 and no longer
-includes Win16.
+Kerberos 5 builds on Windows with MSVC++ 6.0. It may or may not build
+with other compilers or make utilities.
-We build Kerberos 5 on Windows just with MSVC++ 6.0. You should
-not need anything else. We do not know whether it currently
-builds with other compilers or make utilities.
-
-These build instructions assume that you got a standalong source
-distribution of Kerberos 5 rather than the MIT Kerberos for Win32
+These build instructions assume that you have the standalone source
+distribution of Kerberos 5 rather than the MIT Kerberos for Windows
distribution (which includes a working Kerberos 4).
There are two methods for building a Windows version of Kerberos 5.
The traditional method involves starting on a Unix machine and
creating a distribution that can be built on Windows. The second
method works from the sources that come from the Unix distribution if
-you have certain Unix-type utilities.
+you have certain Unix-type utilities (see below).
-IMPORTANT NOTE: By default, the sources are build with debug
+IMPORTANT NOTE: By default, the sources are built with debug
information and linked against the debug version of the Microsoft C
-Runtime library, which is not found on most Win32 systems unless they
-have development tools. To build a release version, you need to
+Runtime library, which is not found on most Windows systems unless
+they have development tools. To build a release version, you need to
define NODEBUG either in the environment or the nmake command-line.
+DNS Support: To support DNS lookups, you will need to define
+KRB5_DNS_LOOKUP, KRB5_DNS_LOOKUP_KDC, or KRB5_DNS_LOOKUP_REALMS. The
+DNS code will default to trying to use the wshelper library. If you
+would rather use a resolver library whose include files more closely
+match the Unix resolver library, define KRB5_NO_WSHELPER. You will
+also need to define DNS_INC to point to the include directory for the
+library and DNS_LIB to library itself. The default is not to support
+DNS because the build cannot know whether there is a DNS resolver
+library around for it to use.
+
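Review bot: the DNS Support paragraph tells the builder to define KRB5_DNS_LOOKUP, KRB5_DNS_LOOKUP_KDC, or KRB5_DNS_LOOKUP_REALMS, but the win-pre.in hunk in this patch keys the build on KRB5_USE_DNS, KRB5_USE_DNS_KDC and KRB5_USE_DNS_REALMS (together with KRB5_NO_WSHELPER, DNS_INC and DNS_LIB); the names given here are the C preprocessor macros the makefile emits, not the nmake variables a user sets, so someone following this text as written gets a build with no DNS support. Name the KRB5_USE_DNS* variables here and say that the "[DNS-options]" placeholder in the build steps refers to them. Minor: "DNS_LIB to library itself" is missing "the".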
Traditional Build Method:
------------------------
On the PC side
-1) md \krb5 # Create where we'll put the tree
+1) md \krb5 # Create dir where we'll put the tree
2) cd \krb5
3) unzip kerbsrc.zip
- or -
pkunzip -d kerbsrc.zip
-4) nmake [NODEBUG=1] # Build the sources
-5) nmake install [NODEBUG=1] # Copy headers, libs, executables
+4) nmake [NODEBUG=1] [DNS-options] # Build the sources
+5) nmake install [NODEBUG=1] # Copy headers, libs, executables
All-Windows Build Method:
1) cd xxx/src # Go to where the source lives
2) nmake -f Makefile.in prep-windows # Create Makefile for Windows
-3) nmake [NODEBUG=1] # Build the sources
-4) nmake install [NODEBUG=1] # Copy headers, libs, executables
+3) nmake [NODEBUG=1] [DNS-options # Build the sources
+4) nmake install [NODEBUG=1] # Copy headers, libs, executables
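Review bot: step 3 of the All-Windows build reads "[DNS-options" without the closing bracket that step 4 of the Traditional method has ("[DNS-options]"); add the "]" so the optional-argument notation is consistent between the two procedures.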
Notes on the install Target:
will not look for the krb5.ini file in your path.
-Krb5.ini File:
+krb5.ini File:
-------------
WARNING: Despite its name, this is not a Windows .ini file.
The krb4_32.dll that is built (but not installed) is not supported.
If you need Kerberos 4, you can use the krbv4w32.dll that MIT
-distributes as part of the MIT Kerberos for Win32 distribution.
+distributes as part of the MIT Kerberos for Windows distribution.
More Information: