Kerberos Version 5, Release 1.11
Release Notes
The MIT Kerberos Team
Copyright and Other Notices
---------------------------
Copyright (C) 1985-2013 by the Massachusetts Institute of Technology
and its contributors. All rights reserved.
Please see the file named NOTICE for additional notices.
Documentation
-------------
Unified documentation for Kerberos V5 is available in both HTML and
PDF formats. The table of contents of the HTML format documentation
is at doc/html/index.html, and the PDF format documentation is in the
doc/pdf directory.
Additionally, you may find copies of the HTML format documentation
online at
http://web.mit.edu/kerberos/krb5-latest/doc/
for the most recent supported release, or at
http://web.mit.edu/kerberos/krb5-devel/doc/
for the release under development.
More information about Kerberos may be found at
http://web.mit.edu/kerberos/
and at the MIT Kerberos Consortium web site
http://kerberos.org/
Building and Installing Kerberos 5
----------------------------------
Build documentation is in doc/html/build/index.html or
doc/pdf/build.pdf.
The installation guide is in doc/html/admin/install.html or
doc/pdf/install.pdf.
If you are attempting to build under Windows, please see the
src/windows/README file.
Reporting Bugs
--------------
Please report any problems/bugs/comments using the krb5-send-pr
program. The krb5-send-pr program will be installed in the sbin
directory once you have successfully compiled and installed Kerberos
V5 (or if you have installed one of our binary distributions).
If you are not able to use krb5-send-pr because you haven't been able
compile and install Kerberos V5 on any platform, you may send mail to
krb5-bugs@mit.edu.
You may view bug reports by visiting
http://krbdev.mit.edu/rt/
and logging in as "guest" with password "guest".
DES transition
--------------
The Data Encryption Standard (DES) is widely recognized as weak. The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems. Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.
Major changes in 1.11.3 (2013-06-03)
------------------------------------
* Fix a UDP ping-pong vulnerability in the kpasswd (password changing)
service. [CVE-2002-2443]
* Improve interoperability with some Windows native PKINIT clients.
krb5-1.11.3 changes by ticket ID
--------------------------------
7596 PKINIT should allow missing DH param Q
7602 allow dh_min_bits >= 1024
7605 Set msg_type when decoding FAST requests
7626 Rename internal Camellia symbols
7637 Fix kpasswd UDP ping-pong [CVE-2002-2443]
7639 Transited realm checks sometimes fail for GSSAPI
7640 Clarify that kdc.conf and krb5.conf are merged
7641 Clarify krb5_rd_req documentation
7644 Sphinx doc build leaves python bytecode (.pyc) in release tarball
7653 Document preauth flags for service principals
7654 Clarify retiring-des based on user feedback
7655 Clean up dangling antecedent in allow_weak_crypto
Major changes in 1.11.2 (2013-04-12)
------------------------------------
This is a bugfix release.
* Incremental propagation could erroneously act as if a slave's
database were current after the slave received a full dump that
failed to load.
* gss_import_sec_context incorrectly set internal state that
identifies whether an imported context is from an interposer
mechanism or from the underlying mechanism.
krb5-1.11.2 changes by ticket ID
--------------------------------
7530 iprop treats slave as current if full dump fails to load
7586 memory leak in lookup_etypes_for_keytab()
7587 Fix dependencies in tests/gssapi
7591 Fix condition with empty body
7592 gss_import_sec_context broken with interposer plugins
7594 Export verto_set_flags from libverto
7601 RST docs missing krb5-config man page
Major changes in 1.11.1 (2013-02-21)
------------------------------------
This is a bugfix release.
* Restore capability for multi-hop SAM-2 preauth exchanges, which
krb5-1.11 had inadvertently removed.
* Fix a null pointer dereference in the KDC PKINIT code
[CVE-2013-1415].
krb5-1.11.1 changes by ticket ID
--------------------------------
7458 add more strftime format strings for klist
7523 Fix gss_str_to_oid for OIDs with zero-valued arcs
7525 Fix DPRINT in ipropd_svc.c
7534 Minor pointer management patches
7539 Fix no_host_referral concatention in KDC
7548 Fix iprop safety net in kdb5_util load
7553 sendto_kdc can invoke poll with negative timeout
7557 Fix h1 end tag in Sphinx header titles
7558 Fix typos in layout.html
7559 Fix "search" accesskey in layout.html
7560 Fix kdb5_util dump.c uninitialized warnings
7561 kprop doesn't work with RC4 session key
7567 Fix RFC 5587 const pointer typedefs
7569 Convert success in krb5_chpw_result_code_string
7570 PKINIT null pointer deref [CVE-2013-1415]
7571 Allow multi-hop SAM-2 exchanges
7573 File descriptor leak in DIR ccaches
7574 Fix memory leak closing DIR ccaches
Major changes in 1.11 (2012-12-17)
----------------------------------
Additional background information on these changes may be found at
http://k5wiki.kerberos.org/wiki/Release_1.11
and
http://k5wiki.kerberos.org/wiki/Category:Release_1.11_projects
Code quality:
* Improve ASN.1 support code, making it table-driven for decoding as
well as encoding
* Refactor parts of KDC
Developer experience:
* Documentation consolidation
* Add a new API krb5_kt_have_content() to determine whether a keytab
exists and contains any entries.
* Add a new API krb5_cccol_have_content() to determine whether the
ccache collection contains any credentials.
* Add a new API krb5_kt_client_default() to resolve the default client
keytab.
* Add new APIs gss_export_cred and gss_import_cred to serialize and
unserialize GSSAPI credentials.
* Add a krb5_get_init_creds_opt_set_in_ccache() option.
* Add get_cc_config() and set_cc_config() clpreauth callbacks for
getting string attribute values from an in_ccache and storing them
in an out_ccache, respectively.
* Add a plugin interface for GSSAPI interposer mechanisms.
* Add an optional responder callback to the krb5_get_init_creds
functions. The responder callback can consider and answer all
preauth-related questions at once, and can process more complicated
questions than the prompter.
* Add a method to the clpreauth interface to allow modules to supply
response items for consideration by the responder callback.
* Projects/Password_response_item
* Add GSSAPI extensions to allow callers to specify credential store
locations when acquiring or storing credentials
* Add a new API krb5_kt_client_default() to resolve the default client
keytab.
Administrator experience:
* Documentation consolidation
* Add parameter expansion for default_keytab_name and
default_client_keytab_name profile variables.
* Add new default_ccache_name profile variable to override the
built-in default credential cache name.
* Add configure-time support for changing the built-in ccache and
keytab names.
* Add krb5-config options for displaying the built-in ccache and
keytab names.
* In the default build, use the system's built-in ccache and keytab
names if they can be discovered using krb5-config.
* Add support for a "default client keytab". Its location is
determined by the KRB5_CLIENT_KTNAME environment variable, the
default_client_keytab profile relation, or a hardcoded path (TBD).
* GSSAPI initiator applications can now acquire credentials
automatically from the default client keytab, if one is available.
* Add client support for FAST OTP (RFC 6560)
End-user experience:
* Documentation consolidation
* Store metadata in the ccache about how a credential was acquired, to
improve the user's experience when reacquiring
* Projects/Extensible_Policy
Performance:
* Improve KDC lookaside cache performance
Protocol evolution:
* Add client support for FAST OTP (RFC 6560)
* Build Camellia encryption support by default
krb5-1.11 changes by ticket ID
------------------------------
2131 krb5_get_init_creds_keytab() doesn't restrict requested
enctypes to those in keytab entry
2545 AFS string_to_key broken for passwords > 8 chars
5126 krb5_verify_init_creds behaves badly with a ticket cache
6973 error reporting made worse in gss_acquire_creds
7025 FAST: error handling and const keyblock
7026 FAST TGS
7046 Allow S4U2Proxy delegated credentials to be saved
7047 Allow S4U2Proxy service tickets to be cached
7048 Allow null server key to krb5_pac_verify
7054 Test suite requires python 2.6 or better...
7061 Fix PKINIT serverDHNonce encoding
7063 Prompter delay can cause spurious clock skew
7064 install sphinx-generated manpages
7072 PKINIT pk_as_rep_draft9 encoding issues
7073 kadmin.local.8 belongs in ADMIN_mandir
7080 failures to compile src/lib/krb5/krb/x-deltat.y with GCC 4.7
7085 Better short/long descs in gss_display_mech_attr
7086 potential memory leak in krb5int_get_fq_hostname
7091 Report profile errors when initializing krb5 context
7094 Fail during configure if unable to find ar
7097 improve kadm5 acl testing coverage
7100 trunk a86e885 does not deal with default salt
7105 side effects in assertions
7106 documentation nit in tkt_mgmt.rst
7107 Suppress some gcc uninitialized variable warnings
7109 Key rollover for MIT/AD cross TGT principals fails due to
kvno 0
7110 Fix password reuse check with cpw -keepold
7111 Incorrect ASN.1 tag for EncASRepPart in svn trunk
7112 KRB5_TRACE is broken in trunk
7113 add tests for trace logging
7114 Support using kdc time during encrypted timestamp preauth
7121 password argument to krb5_get_init_creds_password not const
7125 krb5_verify_init_creds should try all host principals in
keytab by default
7126 Documentation__Building Kerberos V5
7128 Add API to interpret changepw result strings
7129 Add krb5_parse_name flag to ignore realm
7130 kinit to AD server should be more tolerant of clock skew
7131 [PATCH 1/1] sn2princ.c: add terminal newline to "failed to
canonicalize" debug message.
7133 [PATCH 1/1] trace.c: rename k5trace to krb5int_trace in
comments.
7134 Fix "(null" typo in "{key}" handler in trace.c
7137 Fix "(empty" typo in "{etypes}" handler in trace.c
7138 [PATCH] Add missing $(LIBS) to Makefile.in in several
directories.
7139 Remove mention of util/autoconf
7147 Make doc/coding-style point to wiki page
7151 Convert DEBUG_REFERRALS to TRACE_* framework
7158 Add krb5_kt_have_content API
7159 Fail from gss_acquire_cred if we have no keytab
7160 gss_acquire_cred for krb5 initiator creds should fail if no
tickets exist
7161 Minor memory leak in default_an_to_ln on error
7162 krb5_verify_init_creds frees its input argument
7166 Remove big-endian gss-krb5 support
7173 Add krb5_cccol_have_content API
7179 krb5_cc_get_full_name() does not document how to free
fullname_out
7183 PKINIT should handle CMS SignedData without certificates
7187 ReST html docs render '--' as – (en dash)
7188 Add krb5_kt_client_default API
7189 Add client keytab initiation support
7190 Try harder to make keytab-based AS requests work
7192 klist does not use localized time formatting
7196 Automatically create DIR ccache directories
7205 Rename 'free' -> 'free_func' in asn1_encode.c/.h
7211 define USE_HEAPALLOC in gssapi_alloc.h
7216 Add kinit/klist -i options to use client keytab
7217 Introduce credential store extensions
7218 Do something reasonable if "kinit -t" without "-k"
7219 Add token expansion for keytab names
7220 Add default_ccache_name profile variable
7221 Support changing the built-in ccache/keytab names
7223 Policy extensions + new policy: allowed ks types
7224 Fix edge-case bugs in kdb5_util load
7229 Turn off replay cache in krb5_verify_init_creds()
7242 Add otp client preauth plugin
7346 Support kdc_timesync offsets in memory ccache
7347 Add support for GSS_C_NT_COMPOSITE_EXPORT
7351 Avoid libdl dependencies in bundled libverto
7354 Introduce gss_export_cred and gss_import_cred
7355 Add responder feature for initial cred exchanges
7356 GSSAPI constrained delegation fails with default initiator
cred
7358 Map CANTLOCK_DB to SVC_UNAVAILABLE in krb5kdc
7359 Use blocking locks in krb5kdc and libkadm5srv
7360 Fix lock inconsistency in ctx_unlock()
7364 Update FILES and WINFILES for kerbsrc.zip
7366 Keep verifier cred locked in accept_sec_context
7367 Remove kerbsrc.win
7368 MAX_ULOGENTRIES is too low
7369 iprop can block for extended periods due to UPDATE_BUSY
7370 kdb5_util load needs an iprop safety net
7371 kadmind per-slave ipropd dumps are wasteful
7372 kadmind hardcodes paths to kdb5_util, kprop, and dump file
7373 kpropd handling of full resyncs is racy
7374 iprop full resyncs need testing
7375 feature request: kproplog -R to reset ulog, force full resync
7376 kpropd -S option is superfluous
7377 kdb5_util dump is racy
7378 k5test.py needs a start_kpropd() method
7379 kpropd docs are out of date regarding iprop
7384 kdb5_util dump race can leave policy refcounts incorrect
7399 Race in kdb5_util load completion
7400 GENC should always export composite names
7403 krb5_db_delete_principal() can fail to unlock ulog
7407 Import remaining content from texinfo to reST
7408 Remove obsolete texinfo documentation
7409 rework documentation tree layout
7413 Add an input ccache get_init_creds option
7414 Add "pa_type" configuration to ccaches
7415 Fix sam2 client preauth after salt changes
7416 Use config storage for client OTP token selection
7417 Don't expose binary format in preauth otp
7418 Add dependencies for some test programs
7419 Alter responder function signature for consistency
7421 Documentation__krb5_rd_req - Parse and decrypt a KRB_AP_REQ
message.
7422 Only record real selected preauth type
7423 Document prompter and responder callbacks
7424 Add missing macro and type index.rst entries
7425 Fix verto_ctx declaration in preauth_plugin.h
7426 Add loop() kdcpreauth method
7427 Don't save empty cc_config_out in ccache
7428 Don't leak new fields of krb5_init_creds_context
7429 Document GSSAPI loadable module interface
7431 Improve documentation for krb5_unparse_name_ext()
7433 Documentation build system improvements
7435 Always rebuild rst_composite in src/doc
7436 Document PKINIT and anonymos PKINIT configuration
7437 Update Camellia feature description
7439 Add Camellia to enctype table in documentation
7444 De-conditionalize Camellia code
7445 Make kdb5_util dump work with LDAP again
7446 Add Camellia enctypes to default enctype lists
7447 Fix warnings in doc build
7448 Avoid using grep -q in configure.in
7451 Add "Kerberos" to PDF titles
7452 Reword krb5_unparse_name_ext doxygen markup
7453 Update mkrel for new doc build process
7455 Documentation: table formating and ref correction in MIT
features
7456 Documentation: Update 1.11 feature list
7457 camellia needs key_cleanup() routine
7459 Remove broken clean_hostname trace messages
7460 Add first-introduced version for
krb5_get_init_creds_opt_set_in_ccache() in doxygen markup
7461 Remove .doctrees when cleaning src/doc
7462 Move Release tag to the footer in Sphinx html documentation
7464 Remove "Test coverage" topic from Sphinx documentation
7466 Do not generate unused parts of toctree
7467 Do not include hidden files in the sidebar
7468 Make sphinx warnings fatal for doc build
7469 Reformat RST to avoid sphinx warnings
7470 Note notice.txt's dependency on version.py
7471 Fix typo
7472 Document parameter expansion for keytab and ccache
configuration options
7474 Update comments about conflicting KRB5_KEYUSAGE_PA types
7477 Document account lockout configuration
7479 Build fixes for windows
7480 Cross-reference account lockout documentation
7482 Make resources.rst more useful to non-devs
7483 KDC can return host referral to its own realm
7488 Various nits in krb5-1.10.3
7489 Do not document unused symbols
7490 Update comments for RFC 3244 kpasswd extensions
7491 Make building docs easier in an unconfigured tree
7492 Doc build in unconfigured tree broken on some platforms
7494 Regenerate checked-in man pages
7495 Make the doc build quieter
7496 Document API for getting anonymous tickets
7497 Update mkrel for SPHINX_ARGS
7498 Document principal name interactions with DNS
7499 Use an empty challenge for the password question
7500 Add examples to init_creds.rst
7501 Update retiring-des with real-world experience
7503 Fix documentation browser resizing behavior
7504 Conditionally include MITKC logo in HTML doc
7505 Better names for doxygen-Sphinx bridge functions
7506 PKINIT (draft9) null ptr deref [CVE-2012-1016]
7507 Document enctypes
7509 Update README for Sphinx documentation
7510 Add copyright footer to HTML docs
7512 Add web pages to resources.rst
7513 Clarify enctype settings in krb5_conf.rst
7515 Add release string to index.rst page heading
Acknowledgements
----------------
Past and present Sponsors of the MIT Kerberos Consortium:
Apple
Carnegie Mellon University
Centrify Corporation
Columbia University
Cornell University
The Department of Defense of the United States of America (DoD)
Fidelity Investments
Google
Iowa State University
MIT
Michigan State University
Microsoft
The National Aeronautics and Space Administration
of the United States of America (NASA)
Network Appliance (NetApp)
Nippon Telephone and Telegraph (NTT)
Oracle
Pennsylvania State University
Red Hat
Stanford University
TeamF1, Inc.
The University of Alaska
The University of Michigan
The University of Pennsylvania
Past and present members of the Kerberos Team at MIT:
Danilo Almeida
Jeffrey Altman
Justin Anderson
Richard Basch
Mitch Berger
Jay Berkenbilt
Andrew Boardman
Bill Bryant
Steve Buckley
Joe Calzaretta
John Carr
Mark Colan
Don Davis
Alexandra Ellwood
Carlos Garay
Dan Geer
Nancy Gilman
Matt Hancher
Thomas Hardjono
Sam Hartman
Paul Hill
Marc Horowitz
Eva Jacobus
Miroslav Jurisic
Barry Jaspan
Benjamin Kaduk
Geoffrey King
Kevin Koch
John Kohl
HaoQi Li
Jonathan Lin
Peter Litwack
Scott McGuire
Steve Miller
Kevin Mitchell
Cliff Neuman
Paul Park
Ezra Peisach
Chris Provenzano
Ken Raeburn
Jon Rochlis
Jeff Schiller
Jen Selby
Robert Silk
Bill Sommerfeld
Jennifer Steiner
Ralph Swick
Brad Thompson
Harry Tsai
Zhanna Tsitkova
Ted Ts'o
Marshall Vale
Tom Yu
The following external contributors have provided code, patches, bug
reports, suggestions, and valuable resources:
Ian Abbott
Brandon Allbery
Russell Allbery
Brian Almeida
Michael B Allen
Heinz-Ado Arnolds
Derek Atkins
Mark Bannister
David Bantz
Alex Baule
Adam Bernstein
Arlene Berry
Jeff Blaine
Radoslav Bodo
Sumit Bose
Emmanuel Bouillon
Michael Calmer
Julien Chaffraix
Ravi Channavajhala
Srinivas Cheruku
Leonardo Chiquitto
Howard Chu
Andrea Cirulli
Christopher D. Clausen
Kevin Coffman
Simon Cooper
Sylvain Cortes
Nalin Dahyabhai
Mark Davies
Dennis Davis
Mark Deneen
Roland Dowdeswell
Jason Edgecombe
Mark Eichin
Shawn M. Emery
Douglas E. Engert
Peter Eriksson
Juha Erkkilä
Ronni Feldt
Bill Fellows
JC Ferguson
William Fiveash
Ákos Frohner
Sebastian Galiano
Marcus Granado
Scott Grizzard
Helmut Grohne
Steve Grubb
Philip Guenther
Dominic Hargreaves
Jakob Haufe
Matthieu Hautreux
Paul B. Henson
Jeff Hodges
Christopher Hogan
Love Hörnquist Åstrand
Ken Hornstein
Henry B. Hotz
Luke Howard
Jakub Hrozek
Shumon Huque
Jeffrey Hutzelman
Wyllys Ingersoll
Holger Isenberg
Pavel Jindra
Joel Johnson
W. Trevor King
Mikkel Kruse
Reinhard Kugler
Volker Lendecke
Jan iankko Lieskovsky
Oliver Loch
Kevin Longfellow
Ryan Lynch
Nathaniel McCallum
Greg McClement
Cameron Meadors
Alexey Melnikov
Franklyn Mendez
Markus Moeller
Kyle Moffett
Paul Moore
Keiichi Mori
Michael Morony
Zbysek Mraz
Edward Murrell
Nikos Nikoleris
Felipe Ortega
Andrej Ota
Dmitri Pal
Javier Palacios
Tom Parker
Ezra Peisach
W. Michael Petullo
Mark Phalan
Jonathan Reams
Robert Relyea
Martin Rex
Jason Rogers
Mike Roszkowski
Guillaume Rousse
Tom Shaw
Peter Shoults
Simo Sorce
Michael Spang
Michael Ströder
Bjørn Tore Sund
Joe Travaglini
Rathor Vipin
Jorgen Wahlsten
Stef Walter
Max (Weijun) Wang
John Washington
Stef Walter
Xi Wang
Kevin Wasserman
Margaret Wasserman
Marcus Watts
Andreas Wiese
Simon Wilkinson
Nicolas Williams
Ross Wilper
Xu Qiang
Nickolai Zeldovich
Hanz van Zijst
Gertjan Zwartjes
The above is not an exhaustive list; many others have contributed in
various ways to the MIT Kerberos development effort over the years.
Other acknowledgments (for bug reports and patches) are in the
doc/CHANGES file.