Kerberos Version 5, Release 1.10

Copyright and Other Notices
---------------------------

Copyright (C) 1985-2011 by the Massachusetts Institute of Technology
and its contributors. All rights reserved.

Please see the file named NOTICE for additional notices.

MIT Kerberos is a project of the MIT Kerberos Consortium. For more
information about the Kerberos Consortium, see http://kerberos.org/

For more information about the MIT Kerberos software, see
http://web.mit.edu/kerberos/

People interested in participating in the MIT Kerberos development
effort should visit http://k5wiki.kerberos.org/
Building and Installing Kerberos 5
----------------------------------

The first file you should look at is doc/install-guide.ps; it contains
the notes for building and installing Kerberos 5. The info file
krb5-install.info has the same information in info file format. You
can view this using the GNU emacs info-mode, or by using the
standalone info file viewer from the Free Software Foundation. This
is also available as an HTML file, install.html.

Other good files to look at are admin-guide.ps and user-guide.ps,
which contain the system administrator's guide and the user's guide,
respectively. They are also available as info files
kerberos-admin.info and krb5-user.info, respectively. These files are
also available as HTML files.

If you are attempting to build under Windows, please see the
src/windows/README file.
Please report any problems/bugs/comments using the krb5-send-pr
program. The krb5-send-pr program will be installed in the sbin
directory once you have successfully compiled and installed Kerberos
V5 (or if you have installed one of our binary distributions).

If you are not able to use krb5-send-pr because you haven't been able
to compile and install Kerberos V5 on any platform, you may send mail to

Please keep in mind that unencrypted e-mail is not secure. If you need
to report a security vulnerability, or send sensitive information,
please PGP-encrypt it to krbcore-security@mit.edu.

You may view bug reports by visiting

http://krbdev.mit.edu/rt/

and logging in as "guest" with password "guest".
The Data Encryption Standard (DES) is widely recognized as weak. The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems. Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.

Additional background information on these changes may be found at

http://k5wiki.kerberos.org/wiki/Release_1.10

http://k5wiki.kerberos.org/wiki/Category:Release_1.10_projects
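The release notes above do not name the variable. As an added example (not
text from the release notes), it is allow_weak_crypto in the [libdefaults]
section of krb5.conf. The two fragments below are alternatives, not one
file: the first re-enables single DES and is the configuration a site
should be migrating away from; the second makes the krb5-1.8+ default
explicit and restricts the negotiated enctypes to AES. The enctype lists
shown are illustrative choices, not values taken from this page.

```ini
# Fragment A: weak setting. Re-enables single-DES enctypes (des-cbc-crc,
# des-cbc-md5) that krb5-1.8 and later refuse by default. Do not deploy.
[libdefaults]
    allow_weak_crypto    = true
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc des-cbc-md5
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc des-cbc-md5
    permitted_enctypes   = aes256-cts-hmac-sha1-96 des-cbc-crc des-cbc-md5

# Fragment B: hardened setting. allow_weak_crypto = false is already the
# default since krb5-1.8; stating it explicitly guards against an inherited
# config that set it to true. Only AES enctypes are offered or accepted.
[libdefaults]
    allow_weak_crypto    = false
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
```

With allow_weak_crypto = false, single-DES keys present in the KDC database
or in a keytab are simply ignored, so a principal whose only key is DES
stops working rather than silently falling back. Before relying on the
hardened setting, inventory principals for DES-only keys (kadmin's getprinc
lists the enctype of each key) and re-key them with AES.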
* Fix MITKRB5-SA-2011-006 KDC denial of service vulnerabilities
  [CVE-2011-1527 CVE-2011-1528 CVE-2011-1529].

* Update the Fortuna implementation to more accurately implement the
  description in _Cryptography Engineering_, and make it the default

* Add an alternative PRNG that relies on the OS native PRNG.

* Add the ability for GSSAPI servers to use any keytab key for a
  specified service, if the server specifies a host-based name with no

* In the build system, identify the source files needed for
  per-message processing within a kernel and ensure that they remain

* Allow rd_safe and rd_priv to ignore the remote address.

* Rework KDC and kadmind networking code to use an event loop

Administrator experience:

* Add more complete support for renaming principals.

* Add the profile variable ignore_acceptor_hostname in libdefaults. If
  set, GSSAPI will ignore the hostname component of acceptor names
  supplied by the server, allowing any keytab key matching the service

* Add support for string attributes on principal entries.

* Allow password changes to work over NATs.

* Add the DIR credential cache type, which can hold a collection of

* Enhance kinit, klist, and kdestroy to support credential cache
  collections if the cache type supports it.

* Add the kswitch command, which changes the selected default cache

* Add heuristic support for choosing client credentials based on the

* Add support for $HOME/.k5identity, which allows credential choice
  based on configured rules.

* Add support for localization. (No translations are provided in this
  release, but the infrastructure is present for redistributors to
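The DIR cache collection and $HOME/.k5identity items above describe a
mechanism without showing it. The following is an added example, not a file
shipped with or quoted from this release: a constructed .k5identity that
selects, from the caches held in a DIR collection, which client principal
to use for a given server. Each line names a client principal followed by
match fields (realm, service, host); the first line whose fields all match
the target service wins, and a line with no fields is a catch-all. The
principals, realms and hostnames are invented for illustration.

```text
# $HOME/.k5identity (constructed example)
#
# Assumes the caches live in one collection, e.g.
#   export KRB5CCNAME=DIR:/run/user/1000/krb5cc
# and were obtained with kinit for each principal below, so klist -A
# shows all of them and kswitch can change the default.

# Use the privileged principal only when talking to the admin host,
# and only for the host/ service on it.
alice/admin@EXAMPLE.COM   service=host host=admin.example.com

# Use the PROD realm credentials for any service in that realm.
alice@PROD.EXAMPLE.COM    realm=PROD.EXAMPLE.COM

# Use the shared role account only for the HTTP service on one server,
# so it is never offered to other hosts that might be impersonating it.
svc-reporting@EXAMPLE.COM service=HTTP host=reports.example.com

# Fallback: the ordinary user principal for everything else.
alice@EXAMPLE.COM
```

Keeping the privileged and role principals bound to an explicit host and
service is the point of the rule order: a client that has several caches in
its collection would otherwise pick credentials by heuristic, and a ticket
for alice/admin should not be requested for, or presented to, arbitrary
servers. A rule whose principal has no cache in the collection does not
fail silently; the library falls through to the next matching rule.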
krb5-1.10 changes by ticket ID
------------------------------

6118 rename principals
6323 kadmin: rename support
6617 uninitialized values used in mkey-migration code
6732 checks for openpty() aren't made using -lutil
6770 kg_unseal leads to overlap of source and destination in memcpy...
6813 memory leak in gss_accept_sec_context
6814 Improve kdb5_util load locking and recovery
6816 potential memory leak in spnego
6817 potential null dereference in gss mechglue
6835 accept_sec_context RFC4121 support bug in 1.8.3
6851 pkinit can't parse some valid cms messages
6854 kadmin's ktremove can remove wrong entries when removing kvno 0
6855 Improve acceptor name flexibility
6857 missing ifdefs around IPv6 code
6858 Assume ELF on FreeBSD if objformat doesn't exist
6863 memory leak on SPNEGO error path
6868 Defer hostname lookups in krb5_sendto_kdc
6872 Fix memory leak in t_expire_warn
6874 Fortuna as default PRNG
6878 Add test script for user2user programs
6887 Use first principal in keytab when verifying creds
6889 ftpd parses ftpusers entries that use "restrict" incorrectly
6890 Implement draft-josefsson-gss-capsulate
6891 Add gss_userok and gss_pname_to_uid
6892 Prevent bleed-through of mechglue symbols into loaded mechs
6893 error codes from error responses can be discarded when there's e-data
6894 More sensical mech selection for gss_acquire_cred/accept_sec_context
6895 gss_duplicate_name SPI for SPNEGO
6896 Allow anonymous name to be imported with empty name buffer
6897 Default principal name in the acceptor cred corresponds to
     first entry in associated keytab.
6898 Set correct minor_status value in call to gss_display_status.
6902 S4U impersonated credential KRB5_CC_NOT_FOUND
6904 Install k5login(5) as well as .k5login(5)
6905 support poll() in sendto_kdc.c
6910 Account lockout policy parameters not documented
6911 Account lockout policy options time format
6914 krb5-1.9.1 static compile error +preliminary patch (fwd)
6915 klist -s trips over referral entries
6918 Localize user interface strings using gettext
6921 Convert preauth_plugin.h to new plugin framework
6922 Work around glibc getaddrinfo PTR lookups
6923 Use AI_ADDRCONFIG for more efficient getaddrinfo
6924 Fix multiple libkdb_ldap memory leaks
6927 chpass_util.c improvements
6928 use timegm() for krb5int_gmt_mktime() when available
6929 Pluggable configuration
6931 Add libedit/readline support to ss.
6933 blocking recv caused our server to hang
6934 don't require a default realm
6944 gss_acquire_cred erroneous failure and potential segfault for caller
6945 spnego_gss_acquire_cred_impersonate_name incorrect usage of
     impersonator_cred_handle
6951 assertion failure when connections fail in service_fds()
6953 Add the DIR ccache type
6954 Add new cache collection APIs
6955 Remove unneeded cccol behaviors
6956 Add ccache collection support to tools
6957 Add krb5_cc_select() API and pluggable interface
6958 Make gss-krb5 use cache collection
6961 Support pkinit: SignedData with no signers (KDC)
6962 pkinit: client: Use SignedData for anonymous
6964 Support special salt type in default krb5_dbe_cpw.
6965 Remove CFLAGS and external deps from krb5-config --libs
6966 Eliminate domain-based client realm walk
6968 [PATCH] Man page fixes
6969 Create e_data as pa_data in KDC interfaces.
6971 Use type-safe callbacks in preauth interface
6974 Make krb5_pac_sign public
6975 Add PKINIT NSS support
6976 Hide gak_fct interface and arguments in clpreauth
6977 Install krb5/preauth_plugin.h
6978 Allow rd_priv/rd_safe without remote address
6979 Allow password changes over NATs
6980 Ensure termination in Windows vsnprintf wrapper
6981 SA-2011-006 KDC denial of service [CVE-2011-1527 CVE-2011-1528 CVE-2011-1529]
6987 Fix krb5_cc_set_config
6988 Fix handling of null edata method in KDC preauth
6989 fix tar invocation in mkrel
Past and present Sponsors of the MIT Kerberos Consortium:

Carnegie Mellon University
The Department of Defense of the United States of America (DoD)
Iowa State University
Michigan State University
The National Aeronautics and Space Administration
of the United States of America (NASA)
Network Appliance (NetApp)
Nippon Telephone and Telegraph (NTT)
Pennsylvania State University
The University of Alaska
The University of Michigan
The University of Pennsylvania

Past and present members of the Kerberos Team at MIT:

The following external contributors have provided code, patches, bug
reports, suggestions, and valuable resources:

Christopher D. Clausen
Love Hörnquist Åstrand
Jan iankko Lieskovsky

The above is not an exhaustive list; many others have contributed in
various ways to the MIT Kerberos development effort over the years.
Other acknowledgments (for bug reports and patches) are in the