2 Kerberos Version 5, Release 1.2
5 which are be updated for the next release by
8 Unpacking the Source Distribution
9 ---------------------------------
11 The source distribution of Kerberos 5 comes in three gzipped tarfiles,
12 krb5-1.2.src.tar.gz, krb5-1.2.doc.tar.gz, and krb5-1.2.crypto.tar.gz.
13 The krb5-1.2.doc.tar.gz contains the doc/ directory and this README
14 file. The krb5-1.2.src.tar.gz contains the src/ directory and this
15 README file, except for the crypto library sources, which are in
16 krb5-1.2.crypto.tar.gz.
18 Instruction on how to extract the entire distribution follow. These
19 directions assume that you want to extract into a directory called
22 If you have the GNU tar program and gzip installed, you can simply do:
26 gtar zxpf krb5-1.2.src.tar.gz
27 gtar zxpf krb5-1.2.crypto.tar.gz
28 gtar zxpf krb5-1.2.doc.tar.gz
30 If you don't have GNU tar, you will need to get the FSF gzip
31 distribution and use gzcat:
35 gzcat krb5-1.2.src.tar.gz | tar xpf -
36 gzcat krb5-1.2.crypto.tar.gz | tar xpf -
37 gzcat krb5-1.2.doc.tar.gz | tar xpf -
39 Both of these methods will extract the sources into DIST/krb5-1.2/src
40 and the documentation into DIST/krb5-1.2/doc.
42 Building and Installing Kerberos 5
43 ----------------------------------
45 The first file you should look at is doc/install-guide.ps; it contains
46 the notes for building and installing Kerberos 5. The info file
47 krb5-install.info has the same information in info file format. You
48 can view this using the GNU emacs info-mode, or by using the
49 standalone info file viewer from the Free Software Foundation. This
50 is also available as an HTML file, install.html.
52 Other good files to look at are admin-guide.ps and user-guide.ps,
53 which contain the system administrator's guide, and the user's guide,
54 respectively. They are also available as info files
55 kerberos-admin.info and krb5-user.info, respectively. These files are
56 also available as HTML files.
58 If you are attempting to build under Windows, please see the
59 src/windows/README file.
64 Please report any problems/bugs/comments using the krb5-send-pr
65 program. The krb5-send-pr program will be installed in the sbin
66 directory once you have successfully compiled and installed Kerberos
67 V5 (or if you have installed one of our binary distributions).
69 If you are not able to use krb5-send-pr because you haven't been able
70 compile and install Kerberos V5 on any platform, you may send mail to
73 Notes, Major Changes, and Known Bugs for 1.3
74 ------------------------------------
76 * We now install the compile_et program, so other packages can use the
77 installed com_err library with their own error tables.
79 * The header files we install now assume ANSI/ISO C ('89, not '99).
80 If you're using a pre-ANSI system, like SunOS 4, try using gcc. In
81 fact, SunOS 4 with gcc is what we use at MIT as the oldest pre-POSIX
82 system we test against, and even that testing is fairly minimal.
84 * Some new code, bug fixes, and cleanup for IPv6 support. [[TODO:
85 Insert list of (non-)supporting programs and libraries here.]]
87 Notes, Major Changes, and Known Bugs for 1.2, delete before shipping 1.3
88 ------------------------------------
90 * Triple DES support, for session keys as well as user or service
91 keys, should be nearly complete in this release. Much of the work
92 that has been needed is generic multiple-cryptosystem support, so
93 the addition of another cryptosystem should be much easier.
95 * GSSAPI support for 3DES has been added. An Internet Draft is
96 being worked on that will describe how this works; it is not
97 currently standardized. Some backwards-compatibility issues in
98 this area mean that enabling 3DES support must be done with
99 caution; service keys that are used for GSSAPI must not be updated
100 to 3DES until the services themselves are upgraded to support 3DES
103 * DNS support for locating KDCs is enabled by default. DNS support
104 for looking up the realm of a host is compiled in but disabled by
105 default (due to some concerns with DNS spoofing).
107 We recommend that you publish your KDC information through DNS even
108 if you intend to rely on config files at your own site; otherwise,
109 sites that wish to communicate with you will have to keep their
110 config files updated with your information. One of the goals of
111 this code is to reduce the client-side configuration maintenance
112 requirements as much as is possible, without compromising security.
114 See the administrator's guide for information on setting up DNS
115 information for your realm.
117 One important effect of this for developers is that on many systems,
118 "-lresolv" must be added to the compiler command line when linking
121 Configure-time options are available to control the inclusion of the
122 DNS code and the setting of the defaults. Entries in krb5.conf will
123 also modify the behavior if the code has been compiled in.
125 * Numerous buffer-overrun problems have been found and fixed. Many of
126 these were in locations we don't expect can be exploited in any
127 useful way (for example, overrunning a buffer of MAXPATHLEN bytes if
128 a compiled-in pathname is too long, in a program that has no special
129 privileges). It may be possible to exploit a few of these to
130 compromise system security.
132 * Partial support for IPv6 addresses has been added. It can be
133 enabled or disabled at configure time with --enable-ipv6 or
134 --disable-ipv6; by default, the configure script will search for
135 certain types and macros, and enable the IPv6 code if they're found.
136 The IPv6 support at this time mostly consists of including the
137 addresses in credentials.
139 * A protocol change has been made to the "rcmd" suite (rlogin, rsh,
140 rcp) to address several security problems described in Kris
141 Hildrum's paper presented at NDSS 2000. New command-line options
142 have been added to control the selection of protocol, since the
143 revised protocol is not compatible with the old one.
145 * A security problem in login.krb5 has been fixed. This problem was
146 only present if the krb4 compatibility code was not compiled in.
148 * A security problem with ftpd has been fixed. An error in the in the
149 yacc grammar permitted potential root access.
151 * The client programs kinit, klist and kdestroy have been changed to
152 incorporate krb4 support. New command-line options control whether
153 krb4 behavior, krb5 behavior, or both are used.
155 * Patches from Frank Cusack for much better hardware preauth support
156 have been incorporated.
158 * Patches from Matt Crawford extend the kadmin ACL syntax so that
159 restrictions can be imposed on what certain administrators may do to
162 * A KDC on a host with multiple network addresses will now respond to
163 a client from the address that the client used to contact it. The
164 means used to implement this will however cause the KDC not to
165 listen on network addresses configured after the KDC has started.
170 * New software using com_err should use the {add,remove}_error_table
171 interface rather than init_XXX_error_table; in fact, the latter
172 function in the generate C files will now call add_error_table
173 instead of messing with unprotected global variables.
175 Karl Ramm has offered to look into reconciling the various
176 extensions and changes that have been made in different versions of
177 the MIT library, and the API used in the Heimdal equivalent. No
178 timeline is set for this work.
180 * Some source files (including some header files we install) now have
181 annotations for use with the LCLint package from the University of
182 Virginia. LCLint, as of version 2.5q, is not capable of handling
183 much of the Kerberos code in its current form, at least not without
184 significantly restructuring the Kerberos code, but it has been used
185 in limited cases and has uncovered some bugs. We may try adding
186 more annotations in the future.
188 Minor changes for 1.2, delete this section before shipping 1.3
191 * The shell code for searching for the Tcl package at configure time
192 has been modified. If a tclConfig.sh can be found, the information
193 it contains is used, otherwise the old searching method is tried.
194 Let us know if this new scheme causes any problems.
196 * Shared library builds may work on HPUX, Rhapsody/MacOS X, and newer
199 * The Windows build will now include kvno and gss-sample.
201 * The routine krb5_secure_config_files has been disabled. A new
202 routine, krb5_init_secure_context, has been added in its place.
204 * The routine decode_krb5_ticket is now being exported as
205 krb5_decode_ticket. Any programs that used the old name (which
206 should be few) should be changed to use the new name; we will
207 probably eliminate the old name in the future.
209 * The CCAPI-based credentials cache code has been changed to store the
210 local-clock time of issue and expiration rather than the KDC-clock
213 * On systems with large numbers of IP addresses, "kinit" should do a
214 better job of acquiring those addresses to put in the user's
217 * Several memory leaks in error cases in the gssrpc code have been
220 * A bug with login clobbering some internal static storage on AIX has
223 * Per-library initialization and cleanup functions have been added,
224 for use in configurations that dynamically load and unload these
227 * Many compile-time warnings have been fixed.
229 * The GSS sample programs have been updated to exercise more of the
232 * The telnet server should produce a more meaningful error message if
233 authentication is required but not provided.
235 * Changes have been made to ksu to make it more difficult to use it to
236 leak information the user does not have access to.
238 * The sample config file information for the CYGNUS.COM realm has been
239 updated, and the GNU.ORG realm has been added.
241 * A configure-time option has been added to enable a replay cache in
242 the KDC. We recommend its use when hardware preauthentication is
243 being used. It is enabled by default, and can be disabled if
244 desired with the configure-time option --disable-kdc-replay-cache.
246 * Some new routines have been added to the library and krb5.h.
248 * A new routine has been added to the prompter interface to allow the
249 application to determine which of the strings prompted for is the
250 user's password, in case it is needed for other purposes.
252 * The remote kadmin interface has been enhanced to support the
253 specification of key/salt types for a principal.
255 * New keytab entries' key values can now be specified manually with a
256 new command in the ktutil program.
258 * A longstanding bug where certain krb4 exchanges using the
259 compatibility library between systems with different byte orders
260 would fail half the time has been fixed.
262 * A source file under the GPL has been replaced with an equivalent
263 under the BSD license. The file, strftime.c, was part of one of the
264 OpenVision admin system applications, and was only used on systems
265 that don't have strftime() in their C libraries.
267 * Many bug reports are still outstanding in our database. We are
268 continuing to work on this backlog.
271 Copyright Notice and Legal Administrivia
272 ----------------------------------------
274 Copyright (C) 1985-2000 by the Massachusetts Institute of Technology.
278 Export of this software from the United States of America may require
279 a specific license from the United States Government. It is the
280 responsibility of any person or organization contemplating export to
281 obtain such a license before exporting.
283 WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
284 distribute this software and its documentation for any purpose and
285 without fee is hereby granted, provided that the above copyright
286 notice appear in all copies and that both that copyright notice and
287 this permission notice appear in supporting documentation, and that
288 the name of M.I.T. not be used in advertising or publicity pertaining
289 to distribution of the software without specific, written prior
290 permission. Furthermore if you modify this software you must label
291 your software as modified software and not distribute it in such a
292 fashion that it might be confused with the original MIT software.
293 M.I.T. makes no representations about the suitability of this software
294 for any purpose. It is provided "as is" without express or implied
297 THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
298 IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
299 WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
301 Individual source code files are copyright MIT, Cygnus Support,
302 OpenVision, Oracle, Sun Soft, FundsXpress, and others.
304 Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira,
305 and Zephyr are trademarks of the Massachusetts Institute of Technology
306 (MIT). No commercial use of these trademarks may be made without
307 prior written permission of MIT.
309 "Commercial use" means use of a name in a product or other for-profit
310 manner. It does NOT prevent a commercial firm from referring to the
311 MIT trademarks in order to convey information (although in doing so,
312 recognition of their trademark status should be given).
316 The following copyright and permission notice applies to the
317 OpenVision Kerberos Administration system located in kadmin/create,
318 kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions
321 Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved
323 WARNING: Retrieving the OpenVision Kerberos Administration system
324 source code, as described below, indicates your acceptance of the
325 following terms. If you do not agree to the following terms, do not
326 retrieve the OpenVision Kerberos administration system.
328 You may freely use and distribute the Source Code and Object Code
329 compiled from it, with or without modification, but this Source
330 Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY,
331 INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR
332 FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER
333 EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY
334 FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF
335 SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR
336 CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING,
337 WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE
338 CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY
341 OpenVision retains all copyrights in the donated Source Code. OpenVision
342 also retains copyright to derivative works of the Source Code, whether
343 created by OpenVision or by a third party. The OpenVision copyright
344 notice must be preserved if derivative works are made based on the
347 OpenVision Technologies, Inc. has donated this Kerberos
348 Administration system to MIT for inclusion in the standard
349 Kerberos 5 distribution. This donation underscores our
350 commitment to continuing Kerberos technology development
351 and our gratitude for the valuable work which has been
352 performed by MIT and the Kerberos community.
356 Portions contributed by Matt Crawford <crawdad@fnal.gov> were
357 work performed at Fermi National Accelerator Laboratory, which is
358 operated by Universities Research Association, Inc., under
359 contract DE-AC02-76CHO3000 with the U.S. Department of Energy.
361 ---- The implementation of the Yarrow pseudo-random number generator
362 in src/lib/crypto/yarrow has the following copyright:
364 Copyright 2000 by Zero-Knowledge Systems, Inc.
366 Permission to use, copy, modify, distribute, and sell this software
367 and its documentation for any purpose is hereby granted without fee,
368 provided that the above copyright notice appear in all copies and that
369 both that copyright notice and this permission notice appear in
370 supporting documentation, and that the name of Zero-Knowledge Systems,
371 Inc. not be used in advertising or publicity pertaining to
372 distribution of the software without specific, written prior
373 permission. Zero-Knowledge Systems, Inc. makes no representations
374 about the suitability of this software for any purpose. It is
375 provided "as is" without express or implied warranty.
377 ZERO-KNOWLEDGE SYSTEMS, INC. DISCLAIMS ALL WARRANTIES WITH REGARD TO
378 THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
379 FITNESS, IN NO EVENT SHALL ZERO-KNOWLEDGE SYSTEMS, INC. BE LIABLE FOR
380 ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
381 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
382 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTUOUS ACTION, ARISING OUT
383 OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
390 Appreciation Time!!!! There are far too many people to try to thank
391 them all; many people have contributed to the development of Kerberos
392 V5. This is only a partial listing....
394 Thanks to Paul Vixie and the Internet Software Consortium for funding
395 the work of Barry Jaspan. This funding was invaluable for the OV
396 administration server integration, as well as the 1.0 release
399 Thanks to John Linn, Scott Foote, and all of the folks at OpenVision
400 Technologies, Inc., who donated their administration server for use in
401 the MIT release of Kerberos.
403 Thanks to Jeff Bigler, Mark Eichin, Marc Horowitz, Nancy Gilman, Ken
404 Raeburn, and all of the folks at Cygnus Support, who provided
405 innumerable bug fixes and portability enhancements to the Kerberos V5
406 tree. Thanks especially to Jeff Bigler, for the new user and system
407 administrator's documentation.
409 Thanks to Doug Engert from ANL for providing many bug fixes, as well
410 as testing to ensure DCE interoperability.
412 Thanks to Ken Hornstein at NRL for providing many bug fixes and
415 Thanks to Matt Crawford at FNAL for bugfixes and enhancements.
417 Thanks to Sean Mullan and Bill Sommerfeld from Hewlett Packard for
418 their many suggestions and bug fixes.
420 Thanks to Nalin Dahyabhai of RedHat and Chris Evans for locating and
421 providing patches for numerous buffer overruns.
423 Thanks to Christopher Thompson and Marcus Watts for discovering the
426 Thanks to the members of the Kerberos V5 development team at MIT, both
427 past and present: Danilo Almeida, Jay Berkenbilt, Richard Basch, John
428 Carr, Don Davis, Alexandra Ellwood, Nancy Gilman, Matt Hancher, Sam
429 Hartman, Paul Hill, Marc Horowitz, Eva Jacobus, Miroslav Jurisic,
430 Barry Jaspan, Geoffrey King, John Kohl, Peter Litwack, Scott McGuire,
431 Kevin Mitchell, Cliff Neuman, Paul Park, Ezra Peisach, Chris
432 Provenzano, Ken Raeburn, Jon Rochlis, Jeff Schiller, Brad Thompson,
433 Harry Tsai, Ted Ts'o, Marshall Vale, Tom Yu.