1 Kerberos Version 5, Release 1.3
6 Unpacking the Source Distribution
7 ---------------------------------
9 The source distribution of Kerberos 5 comes in a gzipped tarfile,
10 krb5-1.3.tar.gz. Instructions on how to extract the entire
13 If you have the GNU tar program and gzip installed, you can simply do:
15 gtar zxpf krb5-1.3.tar.gz
17 If you don't have GNU tar, you will need to get the FSF gzip
18 distribution and use gzcat:
20 gzcat krb5-1.3.tar.gz | tar xpf -
22 Both of these methods will extract the sources into krb5-1.3/src and
23 the documentation into krb5-1.3/doc.
25 Building and Installing Kerberos 5
26 ----------------------------------
28 The first file you should look at is doc/install-guide.ps; it contains
29 the notes for building and installing Kerberos 5. The info file
30 krb5-install.info has the same information in info file format. You
31 can view this using the GNU emacs info-mode, or by using the
32 standalone info file viewer from the Free Software Foundation. This
33 is also available as an HTML file, install.html.
35 Other good files to look at are admin-guide.ps and user-guide.ps,
36 which contain the system administrator's guide, and the user's guide,
37 respectively. They are also available as info files
38 kerberos-admin.info and krb5-user.info, respectively. These files are
39 also available as HTML files.
41 If you are attempting to build under Windows, please see the
42 src/windows/README file.
47 Please report any problems/bugs/comments using the krb5-send-pr
48 program. The krb5-send-pr program will be installed in the sbin
49 directory once you have successfully compiled and installed Kerberos
50 V5 (or if you have installed one of our binary distributions).
52 If you are not able to use krb5-send-pr because you haven't been able
53 compile and install Kerberos V5 on any platform, you may send mail to
56 You may view bug reports by visiting
58 http://krbdev.mit.edu/rt/
60 and logging in as "guest" with password "guest".
62 Notes, Major Changes, and Known Bugs for 1.3
63 --------------------------------------------
65 * We now install the compile_et program, so other packages can use the
66 installed com_err library with their own error tables. (If you use
67 our com_err code, that is; see below.)
69 * The header files we install now assume ANSI/ISO C ('89, not '99).
70 We have stopped testing on SunOS 4, even with gcc. Some of our code
71 now has C89-based assumptions, like free(NULL) being well defined,
72 that will probably frustrate any attempts to run this code under SunOS
73 4 or other pre-C89 systems.
75 * Some new code, bug fixes, and cleanup for IPv6 support. [[TODO:
76 Insert list of (non-)supporting programs and libraries here.]]
78 * We have upgraded to autoconf 2.52 (or later), and the syntax for
79 specifying certain configuration options have changed. For example,
80 autoconf 2.52 configure scripts let you specify command-line options
81 like "configure CC=/some/path/foo-cc", so we have removed some of
82 our old options like --with-cc in favor of this approach.
84 * The client libraries can now use TCP to connect to the KDC. This
85 may be necessary when talking to Microsoft KDCs (domain controllers),
86 if they issue you tickets with lots of PAC data.
88 * If you have versions of the com_err, ss, or Berkeley DB packages
89 installed locally, you can use the --with-system-et,
90 --with-system-ss, and --with-system-db configure options to use them
91 rather than using the versions supplied here. Note that the
92 interfaces are assumed to be similar to those we supply; in
93 particular, some older, divergent versions of the com_err library
94 may not work with the krb5 sources. Many configure-time variables
95 can be used to help the compiler and linker find the installed
96 packages; see the build documentation for details.
98 Major changes listed by ticket ID
99 ---------------------------------
101 * [492] PRNG breakage on 64-bit platforms no longer an issue due to
102 new PRNG implementation.
104 * [523] Client library is now compatible with the RC4-based
105 cryptosystem used by Windows 2000.
107 * [709] krb4 long lifetime support has been implemented.
109 * [880] krb5_gss_register_acceptor_identity() implemented (is called
110 gsskrb5_register_acceptor_identity() by Heimdal).
112 * [1156, 1209] It is now possible to use the system com_err to build
115 * [1174] TCP support added to client library.
117 * [1175] TCP support added to the KDC, but is disabled by default.
119 * [1176] autoconf-2.5x is now required by the build system.
121 * [1184] It is now possible to use the system Berkeley/Sleepycat DB
122 library to build this release.
124 * [1189, 1251] The KfM krb4 library source base has been merged.
126 * [1385, 1395, 1410] The krb4 protocol vulnerabilities
127 [MITKRB5-SA-2003-004] have been worked around. Note that this will
128 disable krb4 cross-realm functionality, as well as krb4 triple-DES
129 functionality. Please see doc/krb4-xrealm.txt for details of the
132 * [1393] The xdrmem integer overflows [MITKRB5-SA-2003-003] have
135 * [1397] The krb5_principal buffer bounds problems
136 [MITKRB5-SA-2003-005] have been fixed. Thanks to Nalin Dahyabhai.
138 Minor changes listed by ticket ID
139 ---------------------------------
141 * [90] default_principal_flags documented.
143 * [175] Docs refer to appropriate example domains/IPs now.
145 * [433] --includedir honored now.
147 * [479] unused argument in try_krb4() in login.c deleted.
149 * [608] login.krb5 handles SIGHUP more sanely now and thus avoids
150 getting the session into a weird state w.r.t. job control.
152 * [620] krb4 encrypted rcp should work a little better now. Thanks to
155 * [673] Weird echoing of admin password in kadmin client worked around
156 by not using buffered stdio calls to read passwords.
158 * [677] The build system has been reworked to allow the user to set
159 CFLAGS, LDFLAGS, CPPFLAGS, etc. reasonably.
161 * [680] Related to [673], rewrite krb5_prompter_posix() to no longer
162 use longjmp(), thus avoiding some bugs relating to non-restoration
163 of terminal settings.
165 * [697] login.krb5 no longer zeroes out the terminal window size.
167 * [710] decomp_ticket() in libkrb4 now looks up the local realm name
168 more correctly. Thanks to Booker Bense.
170 * [771] .rconf files are excluded from the release now.
172 * [772] LOG_AUTHPRIV syslog facility is now usable for logging on
173 systems that support it.
175 * [844] krshd now syslogs using the LOG_AUTH facility.
177 * [850] Berekely DB build is better integrated into the krb5 library
180 * [866] lib/krb5/os/localaddr.c and kdc/network.c use a common source
181 for local address enumeration now.
183 * [919] kdc/network.c problems relating to SIOCGIFCONF have been
186 * [922] An overflow in the string-to-time conversion routines has been
189 * [935] des-cbc-md4 now included in default enctypes.
191 * [953] des3 no longer failing on Windows due to SHA1 implementation
194 * [970] A minor inconsistency in ccache.tex has been fixed.
196 * [971] option parsing bugs rendered irrelevant by removal of unused
199 * [986] Related to [677], problems with the ordering of LDFLAGS
200 initialization rendered irrelevant by use of native autoconf
203 * [992] Related to [677], quirks with --with-cc no longer relevant as
204 AC_PROG_CC is used instead now.
206 * [999] kdc_default_options now honored in gss context initialization.
208 * [1006] Client library, as well as KDC, now perform reasonable
209 sorting of ETYPE-INFO preauthentication data.
211 * [1055] NULL pointer dereferences in code calling
212 krb5_change_password() have been fixed.
214 * [1063] Initial credentials acquisition failures related to client
215 host having a large number of local network interfaces should be
218 * [1064] krb5_auth_con_genaddrs() no longer inappropriately returns -1
221 * [1065, 1225] krb5_get_init_creds_password() should properly warn about
224 * [1066] printf() argument mismatches in rpc unit tests fixed.
226 * [1087] ftpd no longer requires channel bindings, allowing easier use
227 of ftp from behind a NAT.
229 * [1102] gssapi_generic.h should now work with C++.
231 * [1164] krb5_auth_con_gen_addrs() now properly returns errno instead
232 of -1 if getpeername() fails.
234 * [1178, 1228, 1244, 1246, 1249] Test suite has been stabilized
237 * [1188] As part of the modernization of our usage of autoconf,
238 AC_CONFIG_FILES is now used instead of passing a list of files to
241 * [1194] configure will no longer recurse out of the top of the source
242 tree when attempting to locate the top of the source tree.
244 * [1195] Example krb5.conf file modified to include all enctypes
245 supported by the release.
247 * [1211] The ASN.1 code no longer passes (harmless) uninitialized
250 * [1212] libkadm5 now allows for persistent exclusive database locks.
252 * [1217] krb5_read_password() and des_read_password() are now
253 implemented via krb5_prompter_posix().
255 * [1224] For SAM challenges, omitted optional strings are no longer
256 encoded as zero-length strings.
258 * [1226] Client-side support for SAM hardware-based preauth
261 * [1232] If the master KDC cannot be resolved, but a slave is
262 reachable, the client library now returns the real error from the
263 slave rather than the resolution failure from the master. Thanks to
266 * [1234] Assigned numbers for SAM preauth have been corrected.
267 sam-pk-for-sad implementation has been aligned.
269 * [1237] Profile-sharing optimizations from KfM have been merged.
271 * [1240] Windows calling conventions for krb5int_c_combine_keys() have
274 * [1256] Incorrect sizes passed to memset() in combine_keys()
275 operations have been corrected.
277 * [1260] Client credential lookup now gets new service tickets in
278 preference to attempting to use expired ticketes. Thanks to Ben
281 * [1284] kshd accepts connections by IPv6 now.
283 * [1292] kvno manpage title fixed.
285 * [1293] Source files no longer explicitly attempt to declare errno.
287 * [1304] kadmind4 no longer leaves sa_flags uninitialized.
289 * [1309] krb5_send_tgs() no longer leaks the storage associated with
292 * [1310] kadm5_get_either() no longer leaks regexp library memory.
294 * [1311] Output from krb5-config no longer contains spurious uses of
297 * [1324] The KDC no longer logs an inappropriate "no matching key"
298 error when an encrypted timestamp preauth password is incorrect.
300 * [1342] gawk is no longer required for building kerbsrc.zip for the
303 * [1346] gss_krb5_ccache_name() no longer attempts to return a pointer
306 * [1352] GSS_C_PROT_READY_FLAG is no longer asserted inappropriately
307 during GSSAPI context establishment.
309 * [1356] krb5_gss_accept_sec_context() no longer attempts to validate
310 a null credential if one is passed in.
312 * [1362] The "-a user" option to telnetd now does the right thing.
313 Thanks to Nathan Neulinger.
315 * [1363] ksu no longer inappropriately syslogs to stderr.
317 * [1357] krb__get_srvtab_name() no longer leaks memory.
319 * [1373] Handling of SAM preauth no longer attempts to stuff a size_t
320 into an unsigned int.
322 * [1387] BIND versions later than 8 now supported.
324 * [1392] The getaddrinfo() wrapper should work better on AIX.
326 * [1400] If DO_TIME is not set in the auth_context, and no replay
327 cache is available, no replay cache will be used.
329 * [1406] libdb is no longer installed. If you installed
330 krb5-1.3-alpha1, you should ensure that no spurious libdb is left in
333 * [1412] ETYPE_INFO handling no longer goes into an infinite loop.
335 * [1414] libtelnet is now built using the same library build framework
336 as the rest of the tree.
338 --[ DELETE BEFORE RELEASE ---changes to unreleased code, etc.--- ]--
340 * [1054] KRB-CRED messages for RC4 are encrypted now.
342 * [1177] krb5-1-2-2-branch merged onto trunk.
344 * [1193] Punted comment about reworking key storage architecture.
346 * [1208] install-headers target implemented.
348 * [1223] asn1_decode_oid, asn1_encode_oid implemented
350 * [1276] Generated dependencies handle --without-krb4 properly now.
352 * [1384, 1413] Use of autoconf-2.52 in util/reconf will now cause a
355 * [1388] DNS support is turned on in KfM.
357 * [1391] Fix kadmind startup failure with krb4 vuln patch.
359 Copyright Notice and Legal Administrivia
360 ----------------------------------------
362 Copyright (C) 1985-2003 by the Massachusetts Institute of Technology.
366 Export of this software from the United States of America may require
367 a specific license from the United States Government. It is the
368 responsibility of any person or organization contemplating export to
369 obtain such a license before exporting.
371 WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
372 distribute this software and its documentation for any purpose and
373 without fee is hereby granted, provided that the above copyright
374 notice appear in all copies and that both that copyright notice and
375 this permission notice appear in supporting documentation, and that
376 the name of M.I.T. not be used in advertising or publicity pertaining
377 to distribution of the software without specific, written prior
378 permission. Furthermore if you modify this software you must label
379 your software as modified software and not distribute it in such a
380 fashion that it might be confused with the original MIT software.
381 M.I.T. makes no representations about the suitability of this software
382 for any purpose. It is provided "as is" without express or implied
385 THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
386 IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
387 WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
389 Individual source code files are copyright MIT, Cygnus Support,
390 OpenVision, Oracle, Sun Soft, FundsXpress, and others.
392 Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira,
393 and Zephyr are trademarks of the Massachusetts Institute of Technology
394 (MIT). No commercial use of these trademarks may be made without
395 prior written permission of MIT.
397 "Commercial use" means use of a name in a product or other for-profit
398 manner. It does NOT prevent a commercial firm from referring to the
399 MIT trademarks in order to convey information (although in doing so,
400 recognition of their trademark status should be given).
404 The following copyright and permission notice applies to the
405 OpenVision Kerberos Administration system located in kadmin/create,
406 kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions
409 Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved
411 WARNING: Retrieving the OpenVision Kerberos Administration system
412 source code, as described below, indicates your acceptance of the
413 following terms. If you do not agree to the following terms, do not
414 retrieve the OpenVision Kerberos administration system.
416 You may freely use and distribute the Source Code and Object Code
417 compiled from it, with or without modification, but this Source
418 Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY,
419 INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR
420 FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER
421 EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY
422 FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF
423 SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR
424 CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING,
425 WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE
426 CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY
429 OpenVision retains all copyrights in the donated Source Code. OpenVision
430 also retains copyright to derivative works of the Source Code, whether
431 created by OpenVision or by a third party. The OpenVision copyright
432 notice must be preserved if derivative works are made based on the
435 OpenVision Technologies, Inc. has donated this Kerberos
436 Administration system to MIT for inclusion in the standard
437 Kerberos 5 distribution. This donation underscores our
438 commitment to continuing Kerberos technology development
439 and our gratitude for the valuable work which has been
440 performed by MIT and the Kerberos community.
444 Portions contributed by Matt Crawford <crawdad@fnal.gov> were
445 work performed at Fermi National Accelerator Laboratory, which is
446 operated by Universities Research Association, Inc., under
447 contract DE-AC02-76CHO3000 with the U.S. Department of Energy.
449 ---- The implementation of the Yarrow pseudo-random number generator
450 in src/lib/crypto/yarrow has the following copyright:
452 Copyright 2000 by Zero-Knowledge Systems, Inc.
454 Permission to use, copy, modify, distribute, and sell this software
455 and its documentation for any purpose is hereby granted without fee,
456 provided that the above copyright notice appear in all copies and that
457 both that copyright notice and this permission notice appear in
458 supporting documentation, and that the name of Zero-Knowledge Systems,
459 Inc. not be used in advertising or publicity pertaining to
460 distribution of the software without specific, written prior
461 permission. Zero-Knowledge Systems, Inc. makes no representations
462 about the suitability of this software for any purpose. It is
463 provided "as is" without express or implied warranty.
465 ZERO-KNOWLEDGE SYSTEMS, INC. DISCLAIMS ALL WARRANTIES WITH REGARD TO
466 THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
467 FITNESS, IN NO EVENT SHALL ZERO-KNOWLEDGE SYSTEMS, INC. BE LIABLE FOR
468 ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
469 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
470 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTUOUS ACTION, ARISING OUT
471 OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
473 ---- The implementation of the AES encryption algorithm in
474 src/lib/crypto/aes has the following copyright:
476 Copyright (c) 2001, Dr Brian Gladman <brg@gladman.uk.net>, Worcester, UK.
481 The free distribution and use of this software in both source and binary
482 form is allowed (with or without changes) provided that:
484 1. distributions of this source code include the above copyright
485 notice, this list of conditions and the following disclaimer;
487 2. distributions in binary form include the above copyright
488 notice, this list of conditions and the following disclaimer
489 in the documentation and/or other associated materials;
491 3. the copyright holder's name is not used to endorse products
492 built using this software without specific written permission.
496 This software is provided 'as is' with no explcit or implied warranties
497 in respect of any properties, including, but not limited to, correctness
498 and fitness for purpose.
505 Appreciation Time!!!! There are far too many people to try to thank
506 them all; many people have contributed to the development of Kerberos
507 V5. This is only a partial listing....
509 Thanks to Paul Vixie and the Internet Software Consortium for funding
510 the work of Barry Jaspan. This funding was invaluable for the OV
511 administration server integration, as well as the 1.0 release
514 Thanks to John Linn, Scott Foote, and all of the folks at OpenVision
515 Technologies, Inc., who donated their administration server for use in
516 the MIT release of Kerberos.
518 Thanks to Jeff Bigler, Mark Eichin, Marc Horowitz, Nancy Gilman, Ken
519 Raeburn, and all of the folks at Cygnus Support, who provided
520 innumerable bug fixes and portability enhancements to the Kerberos V5
521 tree. Thanks especially to Jeff Bigler, for the new user and system
522 administrator's documentation.
524 Thanks to Doug Engert from ANL for providing many bug fixes, as well
525 as testing to ensure DCE interoperability.
527 Thanks to Ken Hornstein at NRL for providing many bug fixes and
528 suggestions, and for working on SAM preauthentication.
530 Thanks to Matt Crawford at FNAL for bugfixes and enhancements.
532 Thanks to Sean Mullan and Bill Sommerfeld from Hewlett Packard for
533 their many suggestions and bug fixes.
535 Thanks to Nalin Dahyabhai of RedHat and Chris Evans for locating and
536 providing patches for numerous buffer overruns.
538 Thanks to Christopher Thompson and Marcus Watts for discovering the
541 Thanks to Paul Nelson of Thursby Software Systems for implementing the
542 Microsoft set password protocol.
544 Thanks to the members of the Kerberos V5 development team at MIT, both
545 past and present: Danilo Almeida, Jay Berkenbilt, Richard Basch, Mitch
546 Berger, John Carr, Don Davis, Alexandra Ellwood, Nancy Gilman, Matt
547 Hancher, Sam Hartman, Paul Hill, Marc Horowitz, Eva Jacobus, Miroslav
548 Jurisic, Barry Jaspan, Geoffrey King, John Kohl, Peter Litwack, Scott
549 McGuire, Kevin Mitchell, Cliff Neuman, Paul Park, Ezra Peisach, Chris
550 Provenzano, Ken Raeburn, Jon Rochlis, Jeff Schiller, Jen Selby, Brad
551 Thompson, Harry Tsai, Ted Ts'o, Marshall Vale, Tom Yu.