Skip to content

b055man/krb5

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

                   Kerberos Version 5, Release 1.13

                            Release Notes
                        The MIT Kerberos Team

Copyright and Other Notices
---------------------------

Copyright (C) 1985-2015 by the Massachusetts Institute of Technology
and its contributors.  All rights reserved.

Please see the file named NOTICE for additional notices.

Documentation
-------------

Unified documentation for Kerberos V5 is available in both HTML and
PDF formats.  The table of contents of the HTML format documentation
is at doc/html/index.html, and the PDF format documentation is in the
doc/pdf directory.

Additionally, you may find copies of the HTML format documentation
online at

    http://web.mit.edu/kerberos/krb5-latest/doc/

for the most recent supported release, or at

    http://web.mit.edu/kerberos/krb5-devel/doc/

for the release under development.

More information about Kerberos may be found at

    http://web.mit.edu/kerberos/

and at the MIT Kerberos Consortium web site

    http://kerberos.org/

Building and Installing Kerberos 5
----------------------------------

Build documentation is in doc/html/build/index.html or
doc/pdf/build.pdf.

The installation guide is in doc/html/admin/install.html or
doc/pdf/install.pdf.

If you are attempting to build under Windows, please see the
src/windows/README file.

Reporting Bugs
--------------

Please report any problems/bugs/comments by sending email to
krb5-bugs@mit.edu.

You may view bug reports by visiting

http://krbdev.mit.edu/rt/

and using the "Guest Login" button.  Please note that the web
interface to our bug database is read-only for guests, and the primary
way to interact with our bug database is via email.

DES transition
--------------

The Data Encryption Standard (DES) is widely recognized as weak.  The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems.  Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.


Major changes in 1.13.1 (2015-02-11)
------------------------------------

This is a bug fix release.

* Fix multiple vulnerabilities in the LDAP KDC back end.
  [CVE-2014-5354] [CVE-2014-5353]

* Fix multiple kadmind vulnerabilities, some of which are based in the
  gssrpc library. [CVE-2014-5352 CVE-2014-5352 CVE-2014-9421
  CVE-2014-9422 CVE-2014-9423]


krb5-1.13.1 changes by ticket ID
--------------------------------

7880    Fix typo in doc for krb5_get_init_creds_keytab()
7962    remote kadmin client doesn't parse "-norandkey"
8011    PKINIT PKCS12 prompt length constraint limits certificate path
        length
8024    Use gssalloc_malloc for GSS error tokens
8028    Report output ccache errors getting initial creds
8029    Fix cursor leak in krb5_verify_init_creds
8034    Fix input race condition in t_skew.py
8035    Update example enctypes in kdc_conf.rst
8038    Kadmind/kadmin.local issues after migration from version
        1.12.2 to 1.13
8041    kadmind with ldap backend crashes when putting keyless entries
        [CVE-2014-5354]
8049    Fix LDAP tests when sasl.h not found
8051    Fix LDAP misused policy name crash [CVE-2014-5353]
8053    Fix OTP tests with pyrad 2.x
8055    Fix gss_process_context_token() [CVE-2014-5352]
8056    Fix kadm5/gssrpc XDR double free [CVE-2014-9421]
8057    Fix kadmind server validation [CVE-2014-9422]
8058    Fix gssrpc data leakage [CVE-2014-9423]
8059    Check for null *iter_p in profile_iterator()
8060    kinit -C loops chasing realm referrals against MIT KDC
8061    Export function gss_add_cred_with_password
8066    Bump DAL major version for iterate change
8072    Avoid uninitialized data in t_prf.c


Major changes in 1.13 (2014-10-15)
----------------------------------

Administrator experience:

* Add support for accessing KDCs via an HTTPS proxy server using the
  MS-KKDCP protocol.

* Add support for hierarchical incremental propagation, where slaves
  can act as intermediates between an upstream master and other
  downstream slaves.

* Add support for configuring GSS mechanisms using
  /etc/gss/mech.d/*.conf files in addition to /etc/gss/mech.

* Add support to the LDAP KDB module for binding to the LDAP server
  using SASL.

* The KDC listens for TCP connections by default.

* Fix a minor key disclosure vulnerability where using the "keepold"
  option to the kadmin randkey operation could return the old keys.
  [CVE-2014-5351]

User experience:

* Add client support for the Kerberos Cache Manager protocol. If the
  host is running a Heimdal kcm daemon, caches served by the daemon
  can be accessed with the KCM: cache type.

* When built on OS X 10.7 and higher, use "KCM:" as the default cache
  type, unless overridden by command-line options or krb5-config
  values.

Performance:

* Add support for doing unlocked database dumps for the DB2 KDC back
  end, which would allow the KDC and kadmind to continue accessing the
  database during lengthy database dumps.


krb5-1.13 changes by ticket ID
------------------------------

884     having "-" in key:salt separator list prevents salttype
        defaulting from working
1794    don't use mktemp
3498    race opening/creating replay cache.
5958    kadmin salttype "no salt" means really means "default/normal
        salt"
6034    rework gic_opt_ext to be more portable
6042    krb5_string_to_keysalts should default to normal salt rather
        than "ignore salttype"
6413    pkinit thread safety
6550    old_stash_bendian is a keytab
6731    KDC should listen to TCP by default
7232    Confusing error message for key version mismatch
7704    Anonymous kadmin does not work
7728    ksu assumes the invoking user's using a FILE: ccache
7761    Document that newer AFS supports stronger crypto
7795    Allow ":port" suffixes in sn2princ hostnames
7800    krb5-1.11/1.12: kadm5_init_with_* interface
7816    Don't produce context deletion token in krb5 mech
7819    Add rcache feature to gss_acquire_cred_from
7838    Fix gss_pseudo_random leak on zero length output
7840    Remove krb5-send-pr
7850    Remove kdb5_util load iprop safety net
7855    Add hierarchical iprop support
7857    Web Documentation: Missing reference to 1.12
7859    Move OTP sockets to KDC_RUN_DIR
7861    iprop can deadlock on master KDC
7868    krb5_get_init_creds_password ignores preauth options when
        changing password
7869    In kdb5_util dump, only lock DB for iprop dumps
7879    Rewrite GSS sequence state tracking code
7882    Load mechglue config files from /etc/gss/mech.d
7883    Try compatible keys in rd_req_dec "any" path
7884    profile writes may not be immediately detected within same
        process
7886    Don't check kpasswd reply address
7889    PKINIT use of OpenSSL OID table is not thread-safe or
        application-friendly
7891    Don't free cred handle used in kadm5 server handle
7892    mismatch between client keytab default principal for kinit and
        GSS-API
7901    Update sample configs to include master_kdc
7906    Don't remove ccache creds before storing them
7907    Allow GSS mechs to force mechlistMIC in SPNEGO
7908    Fix unlikely memory error in krb5_rd_cred
7910    KDC does not log client principal if TGS header ticket
        verification fails
7913    Use case insensitive DNS SAN matching in PKINIT
7915    Improve pointer hygiene around gss_display_name
7918    LDAP key data decoder ignores salt type if salt value is empty
7923    x-deltat.y is not compatible with bison 3
7925    05cbef80d53 breaks /etc/gss/mech
7927    Better document how to verify PGP signature
7929    HTTP proxy support
7933    pkinit_win2k_require_binding behavior does not match
        documentation
7934    Remove PKINIT longhorn compatibility option
7935    Add a family-independent bindresvport_sa function
7939    kadm5.acl docs wrongly imply that list permission can have a
        target
7944    Add SASL support to LDAP KDB module
7947    Load plugins with RTLD_NODELETE if possible
7961    Define _GNU_SOURCE as part of build
7964    Add KCM credential cache type (client only)
7968    Improve error message for PRNG seeding failure
7974    Don't equate IAKERB and krb5 in SPNEGO initiator
7975    Negotiating NTLM with SPNEGO against Windows Server 2003
        doesn't work
7977    Enable unlocked KDB iteration
7978    Support kdb5_util dump -rev again
7979    Add kiprop/<master-hostname> during KDB creation
7981    Minor memory leak in GSS-API mechanism initialization
7983    In ksu, without the -e flag, also check .k5users
7984    Make ksu respect the default_ccache_name setting
7986    Copy config entries to the ksu target ccache
7987    Fix GSS krb5 GSS_C_DELEG_FLAG ret_flags result
7988    Make krb5_cc_new_unique create DIR: directories
7990    Fix HP-UX build support
7992    Fix test syntax in configure.in
7993    Autodetect OpenSSL CMS for LibreSSL compatibility
7994    randkey does not update principal's master key version
7995    kadmin change_password -keepold does not work with master key
        migration
7996    Simplify and improve ksu cred verification
7997    kadm5_randkey_principal interop with Solaris KDC
7998    gssapi.dll tries to get initial creds even when some are
        present
8000    gssapi.dll fails to detect TGTs in the MSLSA cache when UAC is
        enabled
8001    Allow logger.c to work with redirected stderr
8003    Export gssrpc_bindresvport_sa
8004    Map .hin files to the C language for doxygen
8005    Initialize iterflags in update_princ_encryption
8006    Update NOTICE for 1.13
8007    In ksu, handle typeless default_ccache_name values
8008    Document clock skew tolerance for ticket times
8015    Fix ksu crash in cases where it obtains the TGT
8016    Restore providing password TGTs for the ksu target
8017    gss_acquire_cred_impersonate_name crashes with acceptor-only
        impersonator creds
8018    Return only new keys in randkey [CVE-2014-5351]

Acknowledgements
----------------

Past and present Sponsors of the MIT Kerberos Consortium:

    Apple
    Carnegie Mellon University
    Centrify Corporation
    Columbia University
    Cornell University
    The Department of Defense of the United States of America (DoD)
    Fidelity Investments
    Google
    Iowa State University
    MIT
    Michigan State University
    Microsoft
    The National Aeronautics and Space Administration
        of the United States of America (NASA)
    Network Appliance (NetApp)
    Nippon Telephone and Telegraph (NTT)
    Oracle
    Pennsylvania State University
    Red Hat
    Stanford University
    TeamF1, Inc.
    The University of Alaska
    The University of Michigan
    The University of Pennsylvania

Past and present members of the Kerberos Team at MIT:

    Danilo Almeida
    Jeffrey Altman
    Justin Anderson
    Richard Basch
    Mitch Berger
    Jay Berkenbilt
    Andrew Boardman
    Bill Bryant
    Steve Buckley
    Joe Calzaretta
    John Carr
    Mark Colan
    Don Davis
    Alexandra Ellwood
    Carlos Garay
    Dan Geer
    Nancy Gilman
    Matt Hancher
    Thomas Hardjono
    Sam Hartman
    Paul Hill
    Marc Horowitz
    Eva Jacobus
    Miroslav Jurisic
    Barry Jaspan
    Benjamin Kaduk
    Geoffrey King
    Kevin Koch
    John Kohl
    HaoQi Li
    Jonathan Lin
    Peter Litwack
    Scott McGuire
    Steve Miller
    Kevin Mitchell
    Cliff Neuman
    Paul Park
    Ezra Peisach
    Chris Provenzano
    Ken Raeburn
    Jon Rochlis
    Jeff Schiller
    Jen Selby
    Robert Silk
    Bill Sommerfeld
    Jennifer Steiner
    Ralph Swick
    Brad Thompson
    Harry Tsai
    Zhanna Tsitkova
    Ted Ts'o
    Marshall Vale
    Tom Yu

The following external contributors have provided code, patches, bug
reports, suggestions, and valuable resources:

    Ian Abbott
    Brandon Allbery
    Russell Allbery
    Brian Almeida
    Michael B Allen
    Heinz-Ado Arnolds
    Derek Atkins
    Mark Bannister
    David Bantz
    Alex Baule
    David Benjamin
    Adam Bernstein
    Arlene Berry
    Jeff Blaine
    Radoslav Bodo
    Sumit Bose
    Emmanuel Bouillon
    Michael Calmer
    Andrea Campi
    Julien Chaffraix
    Ravi Channavajhala
    Srinivas Cheruku
    Leonardo Chiquitto
    Howard Chu
    Andrea Cirulli
    Christopher D. Clausen
    Kevin Coffman
    Simon Cooper
    Sylvain Cortes
    Arran Cudbard-Bell
    Jeff D'Angelo
    Nalin Dahyabhai
    Mark Davies
    Dennis Davis
    Alex Dehnert
    Mark Deneen
    Günther Deschner
    Roland Dowdeswell
    Viktor Dukhovni
    Jason Edgecombe
    Mark Eichin
    Shawn M. Emery
    Douglas E. Engert
    Peter Eriksson
    Juha Erkkilä
    Gilles Espinasse
    Ronni Feldt
    Bill Fellows
    JC Ferguson
    William Fiveash
    Ákos Frohner
    Sebastian Galiano
    Marcus Granado
    Scott Grizzard
    Helmut Grohne
    Steve Grubb
    Philip Guenther
    Dominic Hargreaves
    Robbie Harwood
    Jakob Haufe
    Matthieu Hautreux
    Paul B. Henson
    Jeff Hodges
    Christopher Hogan
    Love Hörnquist Åstrand
    Ken Hornstein
    Henry B. Hotz
    Luke Howard
    Jakub Hrozek
    Shumon Huque
    Jeffrey Hutzelman
    Wyllys Ingersoll
    Holger Isenberg
    Pavel Jindra
    Joel Johnson
    Anders Kaseorg
    W. Trevor King
    Patrik Kis
    Mikkel Kruse
    Reinhard Kugler
    Tomas Kuthan
    Pierre Labastie
    Volker Lendecke
    Jan iankko Lieskovsky
    Oliver Loch
    Kevin Longfellow
    Jon Looney
    Nuno Lopes
    Ryan Lynch
    Andrei Maslennikov
    Nathaniel McCallum
    Greg McClement
    Cameron Meadors
    Alexey Melnikov
    Franklyn Mendez
    Markus Moeller
    Kyle Moffett
    Paul Moore
    Keiichi Mori
    Michael Morony
    Zbysek Mraz
    Edward Murrell
    Nikos Nikoleris
    Felipe Ortega
    Michael Osipov
    Andrej Ota
    Dmitri Pal
    Javier Palacios
    Tom Parker
    Ezra Peisach
    Zoran Pericic
    W. Michael Petullo
    Mark Phalan
    Brett Randall
    Jonathan Reams
    Robert Relyea
    Martin Rex
    Jason Rogers
    Nate Rosenblum
    Solly Ross
    Mike Roszkowski
    Guillaume Rousse
    Andreas Schneider
    Tom Shaw
    Jim Shi
    Peter Shoults
    Simo Sorce
    Michael Spang
    Michael Ströder
    Bjørn Tore Sund
    Joe Travaglini
    Rathor Vipin
    Denis Vlasenko
    Jorgen Wahlsten
    Stef Walter
    Max (Weijun) Wang
    John Washington
    Stef Walter
    Xi Wang
    Kevin Wasserman
    Margaret Wasserman
    Marcus Watts
    Andreas Wiese
    Simon Wilkinson
    Nicolas Williams
    Ross Wilper
    Augustin Wolf
    David Woodhouse
    Xu Qiang
    Neng Xue
    Nickolai Zeldovich
    Hanz van Zijst
    Gertjan Zwartjes

The above is not an exhaustive list; many others have contributed in
various ways to the MIT Kerberos development effort over the years.
Other acknowledgments (for bug reports and patches) are in the
doc/CHANGES file.

About

mirror of MIT krb5 repository

Resources

Stars

Watchers

Forks

Packages

No packages published

Languages

  • C 83.2%
  • C++ 7.3%
  • HTML 2.3%
  • Python 2.0%
  • Roff 1.9%
  • Perl 0.9%
  • Other 2.4%