Kerberos Version 5, Release 1.7

Release Notes
The MIT Kerberos Team

Unpacking the Source Distribution
---------------------------------

The source distribution of Kerberos 5 comes in a gzipped tarfile,
krb5-1.7.tar.gz. Instructions on how to extract the entire
distribution follow.

If you have the GNU tar program and gzip installed, you can simply do:

        gtar zxpf krb5-1.7.tar.gz

If you don't have GNU tar, you will need to get the FSF gzip
distribution and use gzcat:

        gzcat krb5-1.7.tar.gz | tar xpf -

Both of these methods will extract the sources into krb5-1.7/src and
the documentation into krb5-1.7/doc.

Building and Installing Kerberos 5
----------------------------------

The first file you should look at is doc/install-guide.ps; it contains
the notes for building and installing Kerberos 5. The info file
krb5-install.info has the same information in info file format. You
can view this using the GNU emacs info-mode, or by using the
standalone info file viewer from the Free Software Foundation. This is
also available as an HTML file, install.html.

Other good files to look at are admin-guide.ps and user-guide.ps,
which contain the system administrator's guide, and the user's guide,
respectively. They are also available as info files
kerberos-admin.info and krb5-user.info, respectively. These files are
also available as HTML files.

If you are attempting to build under Windows, please see the
src/windows/README file.

Reporting Bugs
--------------

Please report any problems/bugs/comments using the krb5-send-pr
program. The krb5-send-pr program will be installed in the sbin
directory once you have successfully compiled and installed Kerberos
V5 (or if you have installed one of our binary distributions).

If you are not able to use krb5-send-pr because you haven't been able
to compile and install Kerberos V5 on any platform, you may send mail
to krb5-bugs@mit.edu.

Keep in mind that unencrypted e-mail is not secure; if you need to
send sensitive information, such as reporting potential security
vulnerabilities, please PGP-encrypt it to our security contact
address: krbcore-security@mit.edu.

You may view bug reports by visiting

        http://krbdev.mit.edu/rt/

and logging in as "guest" with password "guest".

DES transition
--------------

The Data Encryption Standard (DES) is widely recognized as weak. The
krb5-1.7 release will contain measures to encourage sites to migrate
away from using single-DES cryptosystems. Among these is a
configuration variable that enables "weak" enctypes, but will default
to "false" in the future. Additional migration aids are planned for
future releases.

Major changes in 1.7
--------------------

The krb5-1.7 release contains a large number of changes, featuring
improvements in the following broad areas:

* Compatibility with Microsoft Windows

* Administrator experience

* User experience

* Code quality

* Protocol evolution

Compatibility with Microsoft Windows:

* Follow client principal referrals in the client library when
  obtaining initial tickets.

* KDC can issue realm referrals for service principals based on domain
  names.

* Extensions supporting DCE RPC, including three-leg GSS context setup
  and unencapsulated GSS tokens inside SPNEGO.

* Microsoft GSS_WrapEX, implemented using the gss_iov API, which is
  similar to the equivalent SSPI functionality. This is needed to
  support some instances of DCE RPC.

* NTLM recognition support in GSS-API, to facilitate dropping in an
  NTLM implementation for improved compatibility with older releases
  of Microsoft Windows.

* KDC support for principal aliases, if the back end supports them.
  Currently, only the LDAP back end supports aliases.

* Support Microsoft set/change password (RFC 3244) protocol in
  kadmind.

* Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which
  allows a GSS application to request credential delegation only if
  permitted by KDC policy.

Administrator experience:

* Install header files for the administration API, allowing
  third-party software to manipulate the KDC database.

* Incremental propagation support for the KDC database.

* Master key rollover support, making it easier to change master key
  passwords or encryption types.

* New libdefaults configuration variable "allow_weak_crypto". NOTE:
  Currently defaults to "true", but may default to "false" in a future
  release. Setting this variable to "false" will have the effect of
  removing weak enctypes (currently defined to be all single-DES
  enctypes) from permitted_enctypes, default_tkt_enctypes, and
  default_tgs_enctypes.

User experience:

* Provide enhanced GSS-API error message including supplementary
  details about error conditions.

* In the replay cache, use a hash over the complete ciphertext to
  avoid false-positive replay indications.

Code quality:

* Replace many uses of "unsafe" string functions. While most of these
  instances were innocuous, they impeded efficient automatic and
  manual static code analysis.

* Fix many instances of resource leaks and similar bugs identified by
  static analysis tools.

* Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 --
  various vulnerabilities in SPNEGO and ASN.1 code.

Protocol evolution:

* Remove support for version 4 of the Kerberos protocol (krb4).

* Encryption algorithm negotiation (RFC 4537), allowing clients and
  application services to negotiate stronger encryption than their KDC
  supports.

* Flexible Authentication Secure Tunneling (FAST), a preauthentication
  framework that can protect the AS exchange from dictionary attacks
  on weak user passwords.

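The following is an added example, not part of the MIT release notes or the krb5 sources: a Python audit of the "allow_weak_crypto" behaviour described under "Administrator experience", showing which entries of permitted_enctypes, default_tkt_enctypes and default_tgs_enctypes are single-DES and what each list becomes once the variable is "false". The sample krb5.conf is constructed, the parser handles only simple "key = value" lines in [libdefaults], and the set of single-DES enctype names and the accepted boolean spellings are assumptions.

```python
import re

# Assumption: the names MIT krb5 accepts for single-DES enctypes. The release
# notes only say "all single-DES enctypes" without listing them.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
              "des-cbc-raw", "des-hmac-sha1"}

# The three libdefaults lists the release notes say are filtered.
ENCTYPE_LISTS = ("permitted_enctypes", "default_tkt_enctypes",
                 "default_tgs_enctypes")

# Assumption: spellings treated as boolean "true" in the profile.
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}

# Constructed sample configuration, not taken from any real site.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = false
    permitted_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc rc4-hmac
    default_tkt_enctypes = des-cbc-md5, des-cbc-crc
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 des3-cbc-sha1

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""


def parse_libdefaults(text):
    """Return {key: value} for simple 'key = value' lines in [libdefaults]."""
    section, settings = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def audit(text, default_allow_weak=True):
    """Report single-DES entries and the effective lists for one krb5.conf.

    default_allow_weak=True mirrors the 1.7 default stated in the notes;
    pass False to preview the announced future default.
    """
    conf = parse_libdefaults(text)
    if "allow_weak_crypto" in conf:
        allow_weak = conf["allow_weak_crypto"].lower() in TRUE_WORDS
    else:
        allow_weak = default_allow_weak
    report = {"allow_weak_crypto": allow_weak, "lists": {}}
    for name in ENCTYPE_LISTS:
        if name not in conf:
            continue  # library default applies; nothing site-specific to check
        # Enctype lists are separated by whitespace and/or commas.
        configured = [e for e in re.split(r"[\s,]+", conf[name]) if e]
        weak = [e for e in configured if e.lower() in SINGLE_DES]
        if allow_weak:
            effective = list(configured)
        else:
            effective = [e for e in configured if e.lower() not in SINGLE_DES]
        report["lists"][name] = {
            "configured": configured,
            "weak": weak,
            "effective": effective,
            # Every entry was single-DES, so nothing is left after filtering.
            "emptied": bool(configured) and not effective,
        }
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_CONF)
    print("allow_weak_crypto =", result["allow_weak_crypto"])
    for list_name, info in result["lists"].items():
        flag = "  <-- no enctypes left" if info["emptied"] else ""
        print(f"{list_name}: weak={info['weak']} "
              f"effective={info['effective']}{flag}")
```

Running the audit with default_allow_weak=False against a configuration that does not set the variable shows which lists would lose entries, or become empty, when the default changes.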
Known bugs by ticket ID
-----------------------

6481    kdb ldap integration removed rev/recurse kdb5_util dumps
6487    gss_unwrap_iov fails in stream mode
6505    fix t_prf test code properly
6506    Make results of krb5_db_def_fetch_mkey more predictable
6507    kdb5_util update_princ_encryption uses latest mkey instead of active mkey

Changes by ticket ID
--------------------

194     a stash file is not a keytab
914     keytab add without randomizing key
1165    annoying error message from krb5_mk_priv()
1201    replay cache can produce false positive indications
1624    use more secure checksum types
2836    feature request: compile/link time warnings for deprecated functions
2939    unified CCAPI implementation
3496    krb524d should log success as well as failure
3497    problems with corrupt (truncated) ccaches
3499    race in replay cache file ownership
3737    plugins support requires a Windows equivalent to opendir and friends
3929    support lazy launching of ccapi server
3930    CCAPI server must be able to distinguish context handles from other server instances
3931    CCAPI context and ccache change times must be stored by the client
3932    CCAPI should use a cc_handle not implemented as a pointer
3933    CCAPI client library reconnection support
3934    Implement CCAPI blocking calls
3935    CCAPI implement locking
3936    krb5_ccache functions should use the ccapi version 3 interface
4241    Command line --version option
5411    MEMORY keytab
5425    nonce needs to be random
5427    buffer overflow in krb5_kt_get_name
5428    MEMORY keytab leaks
5429    MEMORY keytab should use krb5_copy_keyblock
5430    MEMORY keytab's get_entry should set enctypes and kvnos
5431    krb5_kt_get_type should return const char *.
5432    krb5_kt_default_name should take an unsized length
5440    sendto_kdc() not signal safe, doesn't respond well to staggered TCP responses.
5481    manual test of commit handler
5517    use IP(V6)_PKTINFO in KDC for UDP sockets
5545    uninitialized salt length when reading some keys
5560    threads on Solaris 10
5561    close-on-exec flags
5565    krb5kdc.M is confused about keytype
5567    don't check for readability resolving SRVTAB: keytab
5568    Move CCAPI sources to krb5 repository
5569    Fixed bugs introduced while moving to krb5 repository
5570    Only use __attribute__ on GNUC compilers
5574    Add advisory locking to CCAPI
5575    don't include time.h in CredentialsCache.h if it's not needed
5578    test commit handler
5580    provide asprintf functionality for internal use
5587    PRF for non-AES enctypes
5589    krb5 trunk no longer builds on Windows - vsnprintf implementation required
5590    gss krb5 mech enhanced error messages
5593    kadmind crash on Debian AMD64
5594    Work on compiling CCAPI test suite on Windows
5595    Problems with kpasswd and an IPv6 enviroment
5596    patch for providing a way to set the ok-as-delegate flag
5598    ccs_pipe_t needs copy and release functions
5599    Added new autogenerated file to generate-files-mac target
5600    provide more useful error message when running kpropd on command line
5635    need more dylib_file specs for darwin
5641    kadm5_setkey_principal_3 fix
5642    Remove unused, unlocalizable error strings
5643    Alignment fix
5649    t_ser should no longer use kdb libraries
5654    remap mechanism-specific status codes in mechglue/spnego
5655    authorization-data plugin support in KDC
5657    (Mac-specific) PROG_LIBPATH build fix
5667    listprincs *z is broken
5670    Add documentation for CCAPI
5671    cleanup src/lib/gssapi/krb5/error_map.h on Windows
5672    no unistd.h on Windows
5699    test program build problem
5754    cci_array_move should work when the source and dest positions are equal
5760    stdint.h should only be accessed if HAVE_STDINT_H defined
5771    cc_ccache_set_principal always returns error 227
5776    profile library memory leaks introduced when malloc returns 0
5786    Update Release Documentation for KFW 3.2.2
5804    cc_initalize(ccapi_version_2) should return CC_BAD_API_VERSION not CC_NOT_SUPP
5805    Add documentation for error codes used for flow control.
5806    Removed NOP line of code from krb5_fcc_next_cred()
5807    can't store delegated krb5 creds when using spnego
5813    cc_ccache_store_credentials should return ccErrBadCredentialsVersion
5814    cci_array_move not returning correct new position
5815    ccs_lock_status_grant_lock granting wrong lock
5822    fixed mispelling in kadmin error message
5828    Include time.h for time()
5835    Kerberos with apple leopard
5863    [no subject]
5864    improve debugging of ticket verification in ksu
5867    krb-priv sequence numbers don't match up in retransmitted requests
5872    Add ccs_pipe_compare
5884    Need CCAPI v2 support for Windows
5885    Remove AppleConnect workaround
5894    krb5int_arcfour_string_to_key does not support utf-8 strings
5899    Compiling krb5-1.6.3 on FreeBSD 7.0-RELEASE
5900    ccs_ccache_reset should check all arguments for NULL
5901    CCAPI v2 support crash when client or server strings are NULL
5902    cci_cred_union_compare_to_credentials_union doesn't work for v5 creds
5903    Fix pointer cast in cc_seq_fetch_NCs_end
5904    cc_set_principal should return error on bad cred version
5905    cc_remove_cred should only remove one cred
5906    Fixed error code remapping
5907    Removed tests for check_cc_context_get_version
5908    Remove C warnings from CCAPI tests
5909    Add CCAPI v2 tests
5911    removed unused header file inclusion CoreFoundation.h
5912    Invalid assignment while trying to set input to NULL
5915    cc_ccache_iterator_release, cc_credentials_iterator_release leak server memory
5920    CCacheServer should track client iterators
5923    Protect CFBundle calls with mutexes
5925    Windows socket(...) returns SOCKET, not file handle
5926    Added prototype to test function to remove warning.
5943    db creation creates a kadmin/hostname princ but doesn't fix case
5947    krb5_walk_realm_tree broken substring logic
5948    error in filebase+suffix list generation in plugin code
5949    Don't leak memory when multiple arguments are NULL
5954    ksu fails without domain_realm mapping for local host
5960    Move KIM implementation to the krb5 repository
5962    unchecked calls to k5_mutex_lock() interact poorly with finalizers
5963    Profile library should not call rw_access earlier than needed
5964    Re: Fwd: [modauthkerb] [SOLVED] 'Request is a replay' + Basic auth
5966    signed vs unsigned char * warnings in kdb_xdr.c
5967    No prototype when building kdb5_util without krb4 support
5969    Add header for kill() in USE_PASSWORD_SERVER case
5982    cci_credentials_iterator_release using wrong message ID
5989    Add new launchd flags to CCacheServer plist file
5990    kadm5_setkey_principal_3 not copying key_data_ver and key_data_kvno
5993    Masterkey Keytab Stash
5999    fix ktutil listing with timestamp
6000    misc uninitialized-storage accesses
6001    Big endian stash file support
6002    krb5_rc_io_creat should use mkstemp
6005    krb5_get_error_message returns const char *
6009    kdc does not compile with glibc 2.8
6010    krb5int_gic_opte_copy should copy elements individually
6011    Add EnableTransactions launchd option to CCacheServer
6012    Add EnableTransactions launchd option to KerberosAgent
6013    Stop building Kerberos.app as part of KfM.
6015    gss_export_lucid_sec_context support for SPNEGO
6016    SPNEGO workaround for SAMBA mech OID quirks
6017    KDC virtual address support
6019    Add signal to force KDC to check for changed interfaces
6024    Don't use "ccache" in error string printed to user
6025    Add macro so we don't print deprecated warnings while building KfM
6026    CCacheServer crashes iterating over creds which have been destroyed
6029    kadmind leaks error strings on failures
6031    krb needs better realm lookup logic
6032    test commit handler change
6044    Add Apple Inc. to copyright lists.
6052    Return extended krb5 error strings
6055    KIM API
6066    turn off thread-support debugging code
6070    update DES code copyright notices
6074    Use a valid UTF8 password for randkey password
6075    Open log file for appending only, not also reading
6076    Don't build PKINIT ASN.1 support code if not building PKINIT plugin
6077    krb5_fcc_resolve file locking error on malloc failuer
6080    mac port of kim should not depend on kipc
6081    Conditionalize building of CCAPI ccache type on USE_CCAPI
6083    profile write code should only quote empty strings
6087    Notify clients on ccache deletion
6088    Add support to send CFNotifications on ccache and cache collection changes
6090    k5_mutex_destroy calls pthread_mutex_destroy with mutex locked
6091    lean client changes
6093    KIM should not provide keytab functions when building lite framework
6094    CCAPI is leaking mach ports
6101    compile-time flag to disable iprop
6103    fix resource leak in USE_PASSWORD_SERVER code
6108    A client can fail to get initial creds if it changes the password while doing so.
6111    CCAPI should only use one pthread key
6120    increase rpc timeout
6121    dead code in lib/rpc/clnt_udp.c
6131    Removed argument from kipc_client_lookup_server
6133    don't do C99-style mixing declarations with code
6138    Switch KfM back to error tables
6140    CCAPI should use common ipc and stream code
6142    KerberosAgent dialogs jump around the screen
6143    KerberosAgent: Enter Identity text field shouldn't be clear automatically
6144    KerberosAgent: ignore user interaction while busy
6145    KerberosAgent attach associated dialogs to Select Identity dialog
6146    Client name passed by KIM is incorrect
6147    KerberosAgent Use Defaults button doesn't work
6151    Don't touch keychain if home directory access is disabled
6153    Add KLL error table
6154    Hinge building KLL shim off KIM_TO_KLL_SHIM, not LEAN_CLIENT
6155    KLLastChangedTime should return current time, not 0
6156    KLL shim layer does not correctly handle options
6157    KIM should remember options and identity if prefs indicate
6158    KerberosAgent should handle multiple clients simultaneously
6159    KerberosAgent should handle zoom button better
6160    KLL should use __attribute ((deprecated))
6162    kim_options_copy should allow in_options to be KIM_OPTIONS_DEFAULT
6163    Crash in kim_credential_create_from_keytab
6164    KL APIs which take a NULL principal return klParameterErr
6165    kim_options_create sometimes returns KIM_OPTIONS_DEFAULT
6166    preferences should handle KIM_OPTIONS_DEFAULT
6168    prefs should not create empty dictionary for KIM_OPTIONS_DEFAULT
6169    Missing keys in KerberosAgent Info.plist
6170    change password should always reprompt on error
6171    allow kim ui plugins to have any name
6172    kim_ui_plugin_fini sends pointer to context instead of context.
6175    always zero out authentication strings
6176    Test KIM plugin
6179    kim_os_string_create_localized leaks CFStringRef
6181    Free error message returned by krb5_get_error_message
6182    kim test suite reports error messages incorrectly
6183    KerberosAgent enter identity dialog should use default
6184    handle stash file names with missing keytab type spec and colon in path
6185    Merge KerberosIPC into k5_mig support
6186    Move GUI/CLI detection from KerberosIPC into KIM
6187    use KIM_BUILTIN_UI instead of LEAN_CLIENT for builtin UI
6189    remove unused variable in kim_ui_cli_ask_change_password
6190    Use a context to store error table info
6192    Treat unreadable terminal as user cancelled so regression tests work
6193    Remap some of the more confusing krb5 errors
6194    Double free and leak in kim_os_library_get_application_path
6195    Added back KLL test programs
6197    KLCreatePrincipalFromTriplet should work with empty instance
6198    KerberosAgent continues to ignore mouse events after error
6199    don't include "WRFILE:" in call to mktemp
6201    small leak in KDC authdata plugins
6202    kadmind leaks extended error strings
6203    DELEG_POLICY_FLAG for GSS
6210    pa_sam leaks parts of krb5_sam_challenge
6211    pam_sam leaking outer krb5_data created by encode_krb5_sam_response
6214    krb5_change_set_password not freeing chpw_rep contents
6216    Free data in tests so leaks checking is easier
6217    kim_preferences should free old identity before overwriting
6218    kim_ccache_iterator_next leaks principal
6219    kim_os_library_get_caller_name leaks file path
6220    kim_identity_change_password_with_credential leaks krb5_creds
6221    KerberosAgent should clear generic auth prompt
6222    KerberosAgent enter dialog should add entered identities to favorites
6224    KerberosAgent 'no selection' placeholder in ticket options
6225    Remove ipc message sent on cc_context_release
6226    KIM should only display error dialogs if it has displayed UI already
6227    Apple LW_net_trans.patch make KDC rescan network after 30 seconds
6231    Apple split build support
6247    Apple patch: null out pointer in string_to_key after free
6248    Apple patch: destroy Mach ports on unload
6250    Use CFStringGetCStringPtr when possible
6251    Add test for kim_identity_create_from_components
6252    krb5_build_principal_va does not allocate krb5_principal
6254    krb5_build_principal_ext walks off beginning of array
6255    partial rewrite of the ASN.1 encoders
6256    localize format strings, not final error string
6260    KerberosAgent hangs changing pw for passwordless identities
6261    Remove saved password if it fails to get tickets
6262    Only prompt automatically from GUI apps
6264    Avoid duplicate identical dialogs in KIM
6265    KerberosAgent bindings causing crashes
6266    BIND_8_COMPAT no longer needed in Leopard
6267    Add _with_password credential acquisition functions to KIM API
6274    Crypto IOV API per Projects/AEAD encryption API
6282    krb5kdc deref uninit memory on the stack on unknown principal (pk-init)
6285    Provide SPI to switch the mach port lookup for kipc
6286    Allow kerberos configuration files fail with EPERM
6289    replay cache is insecurely handled
6290    KIM: Pushing authentication login window do application
6291    Using referrals fills the the credentials cache more entries of the same name
6294    lib/gssapi/krb5/init_sec_context.c: don't leak on mutex_lock failure
6295    Memory leak in KIM identity object
6297    "make check" fails due to krb5_cc_new_unique() on 64-bit Solaris SPARC under Sun Studio
6302    kadmind mem leaks [rdar 6358917]
6303    Remove krb4 support
6308    Alignment problem in resolver test
6309    update ldap plugin Makefile for krb4 removal
6315    move generated dependencies out of Makefile.in
6316    KIM GC problem on 64-bit
6335    test failures in password changing
6336    enctype negotiation - etype list
6337    kadmin should force non-forwardable tickets
6339    Fwd: krb5_sendauth vs NAGLE vs DelayedAck
6342    hash db2 code breaks if st_blksize > 64k
6348    kadmin and ktutil installed in sbin, should be bin
6349    lib/rpc tests should not fail if portmap/rpcbind not running
6351    gss_header|trailerlen should be unsigned int
6352    return correct kvno in TGS case
6354    Master Key Migration Project
6355    use t_inetd with a ready message and avoid waiting a lot in non-root tests
6356    small storage leak in KDC startup
6357    address lib/kadm5 test suite slowness
6358    speed up kpasswd tests
6360    utf8_conv.c: wrong level of indirection in free()
6361    new multi-masterkey support doesn't work well when system clock is set back
6362    don't do arithmetic on void pointers
6363    int/ptr bug in gssapi code
6364    declare replacement [v]asprintf functions
6365    include omitted system header string.h
6367    Fix a memory leak in krb5_kt_resolve
6368    chpw.c: missing break in switch statement
6370    Fix assertion in gc_frm_kdc.c
6371    deal with memleaks in migrate mkey project
6372    Fix memory handling bug in mk_req_ext
6373    remove some redundant or useless qualifiers
6374    Do not assume sizeof(bool_t) == sizeof(krb5_boolean)
6375    Fix error handling in krb5_walk_realm_tree
6376    Memory handling fixes in walk_rtree
6377    make krb5_free_* functions ignore NULL
6378    Change contract of krb5int_utf8_normalize and fix memory leaks
6379    Fix possible free of uninitialized value in walk_rtree
6390    --disable-rpath is not working
6392    Fix allocation failure check in walk_rtree
6393    Implement TGS authenticator subkey support
6397    use macros for config parameter strings
6398    remove obsolete GNU.ORG realm info
6400    GSSAPI authdata extraction should merge ticket and authenticator authdata
6401    send_as_req re-encodes the request
6402    CVE-2009-0845 SPNEGO can dereference a null pointer
6403    kdb5_ldap_util create segfaults when krb5_dbekd_encrypt_key_data() called
6405    fixing several bugs relating to the migrate mkey project using a LDAP KDB
6407    Make a working krb5_copy_error_message
6408    Report verbose error messages from KDC
6412    crash using library-allocated storage for header in wrap_iov
6415    Use correct salt for canonicalized principals
6418    Improve LDAP admin documentation
6419    Document alias support in LDAP back end
6420    Add LDAP back end support for canonical name attribute
6421    Implement KRB-FX_CF2
6422    Implement krb5int_find_authdata
6423    krb5_auth_con_free should support freeing a null auth_context without segfault.
6424    Call kdb_set_mkey_list from the KDC
6425    Memory leak cleanup in ASN.1
6427    Fix error handling issue in ASN.1 decoder
6431    Install kadmin and kdb headers
6432    Update kdb5_util man page for mkey migration project
6435    Add PAC and principal parsing test cases
6436    Implement FAST from draft-ietf-krb-wg-preauth-framework
6437    mark export grade RC4 as weak
6438    Handle authdata encrypted in subkey
6439    Implement KDC side of TGS FAST
6442    Null pointer defref in adding info
6443    CVE-2009-0844 SPNEGO can read beyond buffer end
6444    CVE-2009-0847 asn1buf_imbed incorrect length validation
6445    CVE-2009-0846 asn1_decode_generaltime can free uninitialized pointer
6449    Fall through on error return
6450    kdc: handle_referral_params does not return ENOMEM errors
6451    Update defaults in documentation
6452    Document allow_weak_crypto
6456    fix memory management in handle_referral_params
6457    KDC realm referral test
6458    use isflagset correctly in TGS referrals
6459    Update kdb5_util man page with missing purge_mkeys command
6460    Implement kinit option for FAST armor ccache
6461    Require fast_req checksum to be keyed
6462    clean up KDC realm referrals error handling
6463    realm referral test cases forcing KRB5_NT_UNKNOWN
6464    verify return code from krb5_db_set_mkey_list
6465    send_tgs.c static analyzer friendliness
6466    check encode_krb5_ap_req return in send_tgs.c
6467    new copy_data_contents variant that null-terminates
6468    k5_utf8s_to_ucs2s could deref NULL pointer...
6469    fcc_generate_new destroys locked mutex on error
6470    Send explicit salt for SALTTYPE_NORMAL keys
6472    typo in ksu error message
6473    strip ok-as-delegate if not in cross-realm TGT chain
6474    move kadmin, ktutil, k5srvutil man pages to man1
6475    Adding keys to malformed keytabs can infinitely extend the file
6477    make installed headers C++-safe
6478    Fix handling of RET_SEQUENCE flag in mk_priv/mk_ncred
6479    Add DEBUG_ERROR_LOCATIONS support
6480    Do not return PREAUTH_FAILED on unknown preauth
6482    Allow more than 10 past keys to be stored by a policy
6483    man1 in title header for man1 manpages
6484    work around Heimdal not using subkey in TGS-REP
6485    document ok_as_delegate in admin.texinfo
6486    t_pac fails on SPARC Solaris
6488    NFS fails to work with KRB5 1.7
6489    UCS2 support doesn't handle upper half of BMP
6490    Windows interop with RC4 TGS-REQ subkeys
6492    Remove spurious assertion in handle_authdata
6493    some fixes for 1.7
6495    Fix test rules for non-gmake make versions
6496    Fix vector initialization error in KDC preauth code
6497    kinit/fast usage message
6498    spnego_mech.c syntax error under _GSS_STATIC_LINK
6499    use printf format attribute only with gcc
6500    use correct type for krb5_c_prf_length length arg
6501    Temporarily disable FAST PKINIT for 1.7 release
6502    typo in doc/api/krb5.tex
6503    typo in admin.texinfo

Copyright and Other Legal Notices
---------------------------------

Copyright (C) 1985-2009 by the Massachusetts Institute of Technology.

All rights reserved.

Export of this software from the United States of America may require
a specific license from the United States Government. It is the
responsibility of any person or organization contemplating export to
obtain such a license before exporting.

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
distribute this software and its documentation for any purpose and
without fee is hereby granted, provided that the above copyright
notice appear in all copies and that both that copyright notice and
this permission notice appear in supporting documentation, and that
the name of M.I.T. not be used in advertising or publicity pertaining
to distribution of the software without specific, written prior
permission. Furthermore if you modify this software you must label
your software as modified software and not distribute it in such a
fashion that it might be confused with the original MIT software.
M.I.T. makes no representations about the suitability of this software
for any purpose. It is provided "as is" without express or implied
warranty.

THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.

Individual source code files are copyright MIT, Cygnus Support,
Novell, OpenVision Technologies, Oracle, Red Hat, Sun Microsystems,
FundsXpress, and others.

Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira,
and Zephyr are trademarks of the Massachusetts Institute of Technology
(MIT). No commercial use of these trademarks may be made without
prior written permission of MIT.

"Commercial use" means use of a name in a product or other for-profit
manner. It does NOT prevent a commercial firm from referring to the
MIT trademarks in order to convey information (although in doing so,
recognition of their trademark status should be given).

--------------------

Portions of src/lib/crypto have the following copyright:

Copyright (C) 1998 by the FundsXpress, INC.

All rights reserved.

Export of this software from the United States of America may require
a specific license from the United States Government. It is the
responsibility of any person or organization contemplating export to
obtain such a license before exporting.

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
distribute this software and its documentation for any purpose and
without fee is hereby granted, provided that the above copyright
notice appear in all copies and that both that copyright notice and
this permission notice appear in supporting documentation, and that
the name of FundsXpress. not be used in advertising or publicity
pertaining to distribution of the software without specific, written
prior permission. FundsXpress makes no representations about the
suitability of this software for any purpose. It is provided "as is"
without express or implied warranty.

THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.

--------------------

The following copyright and permission notice applies to the
OpenVision Kerberos Administration system located in kadmin/create,
kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions
of lib/rpc:

Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved

WARNING: Retrieving the OpenVision Kerberos Administration system
source code, as described below, indicates your acceptance of the
following terms. If you do not agree to the following terms, do not
retrieve the OpenVision Kerberos administration system.

You may freely use and distribute the Source Code and Object Code
compiled from it, with or without modification, but this Source Code
is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY, INCLUDING,
WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER EXPRESS OR IMPLIED.
IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY FOR ANY LOST PROFITS,
LOSS OF DATA OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES,
OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF
THIS AGREEMENT, INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM
THE USE OF THE SOURCE CODE, OR THE FAILURE OF THE SOURCE CODE TO
PERFORM, OR FOR ANY OTHER REASON.

OpenVision retains all copyrights in the donated Source Code.
OpenVision also retains copyright to derivative works of the Source
Code, whether created by OpenVision or by a third party. The
OpenVision copyright notice must be preserved if derivative works are
made based on the donated Source Code.

OpenVision Technologies, Inc. has donated this Kerberos Administration
system to MIT for inclusion in the standard Kerberos 5 distribution.
This donation underscores our commitment to continuing Kerberos
technology development and our gratitude for the valuable work which
has been performed by MIT and the Kerberos community.

--------------------

Portions contributed by Matt Crawford were work performed at Fermi
National Accelerator Laboratory, which is operated by Universities
Research Association, Inc., under contract DE-AC02-76CHO3000 with the
U.S. Department of Energy.

--------------------

The implementation of the Yarrow pseudo-random number generator in
src/lib/crypto/yarrow has the following copyright:

Copyright 2000 by Zero-Knowledge Systems, Inc.

Permission to use, copy, modify, distribute, and sell this software
and its documentation for any purpose is hereby granted without fee,
provided that the above copyright notice appear in all copies and that
both that copyright notice and this permission notice appear in
supporting documentation, and that the name of Zero-Knowledge Systems,
Inc. not be used in advertising or publicity pertaining to
distribution of the software without specific, written prior
permission. Zero-Knowledge Systems, Inc. makes no representations
about the suitability of this software for any purpose. It is
provided "as is" without express or implied warranty.

ZERO-KNOWLEDGE SYSTEMS, INC. DISCLAIMS ALL WARRANTIES WITH REGARD TO
THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS, IN NO EVENT SHALL ZERO-KNOWLEDGE SYSTEMS, INC. BE LIABLE FOR
ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTUOUS ACTION, ARISING OUT
OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

--------------------

The implementation of the AES encryption algorithm in
src/lib/crypto/aes has the following copyright:

Copyright (c) 2001, Dr Brian Gladman, Worcester, UK.
All rights reserved.

LICENSE TERMS

The free distribution and use of this software in both source and
binary form is allowed (with or without changes) provided that:

1. distributions of this source code include the above copyright
   notice, this list of conditions and the following disclaimer;

2. distributions in binary form include the above copyright notice,
   this list of conditions and the following disclaimer in the
   documentation and/or other associated materials;

3. the copyright holder's name is not used to endorse products built
   using this software without specific written permission.

DISCLAIMER

This software is provided 'as is' with no explcit or implied
warranties in respect of any properties, including, but not limited
to, correctness and fitness for purpose.

--------------------

Portions contributed by Red Hat, including the pre-authentication
plug-ins framework, contain the following copyright:

Copyright (c) 2006 Red Hat, Inc.
Portions copyright (c) 2006 Massachusetts Institute of Technology
All Rights Reserved.


Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the name of Red Hat, Inc., nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

--------------------

The implementations of GSSAPI mechglue in GSSAPI-SPNEGO in src/lib/gssapi, including the following files:

    lib/gssapi/generic/gssapi_err_generic.et
    lib/gssapi/mechglue/g_accept_sec_context.c
    lib/gssapi/mechglue/g_acquire_cred.c
    lib/gssapi/mechglue/g_canon_name.c
    lib/gssapi/mechglue/g_compare_name.c
    lib/gssapi/mechglue/g_context_time.c
    lib/gssapi/mechglue/g_delete_sec_context.c
    lib/gssapi/mechglue/g_dsp_name.c
    lib/gssapi/mechglue/g_dsp_status.c
    lib/gssapi/mechglue/g_dup_name.c
    lib/gssapi/mechglue/g_exp_sec_context.c
    lib/gssapi/mechglue/g_export_name.c
    lib/gssapi/mechglue/g_glue.c
    lib/gssapi/mechglue/g_imp_name.c
    lib/gssapi/mechglue/g_imp_sec_context.c
    lib/gssapi/mechglue/g_init_sec_context.c
    lib/gssapi/mechglue/g_initialize.c
    lib/gssapi/mechglue/g_inquire_context.c
    lib/gssapi/mechglue/g_inquire_cred.c
    lib/gssapi/mechglue/g_inquire_names.c
    lib/gssapi/mechglue/g_process_context.c
    lib/gssapi/mechglue/g_rel_buffer.c
    lib/gssapi/mechglue/g_rel_cred.c
    lib/gssapi/mechglue/g_rel_name.c
    lib/gssapi/mechglue/g_rel_oid_set.c
    lib/gssapi/mechglue/g_seal.c
    lib/gssapi/mechglue/g_sign.c
    lib/gssapi/mechglue/g_store_cred.c
    lib/gssapi/mechglue/g_unseal.c
    lib/gssapi/mechglue/g_userok.c
    lib/gssapi/mechglue/g_utils.c
    lib/gssapi/mechglue/g_verify.c
    lib/gssapi/mechglue/gssd_pname_to_uid.c
    lib/gssapi/mechglue/mglueP.h
    lib/gssapi/mechglue/oid_ops.c
    lib/gssapi/spnego/gssapiP_spnego.h
    lib/gssapi/spnego/spnego_mech.c

and the initial implementation of incremental propagation, including the following new or changed files:

    include/iprop_hdr.h
    kadmin/server/ipropd_svc.c
    lib/kdb/iprop.x
    lib/kdb/kdb_convert.c
    lib/kdb/kdb_log.c
    lib/kdb/kdb_log.h
    lib/krb5/error_tables/kdb5_err.et
    slave/kpropd_rpc.c
    slave/kproplog.c

and marked portions of the following files:

    lib/krb5/os/hst_realm.c

are subject to the following license:

Copyright (c) 2004 Sun Microsystems, Inc.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

--------------------

MIT Kerberos includes documentation and software developed at the University of California at Berkeley, which includes this copyright notice:

Copyright (C) 1983 Regents of the University of California. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

--------------------

Portions contributed by Novell, Inc., including the LDAP database backend, are subject to the following license:

Copyright (c) 2004-2005, Novell, Inc. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* The copyright holder's name is not used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

--------------------

Portions funded by Sandia National Laboratory and developed by the University of Michigan's Center for Information Technology Integration, including the PKINIT implementation, are subject to the following license:

COPYRIGHT (C) 2006-2007
THE REGENTS OF THE UNIVERSITY OF MICHIGAN
ALL RIGHTS RESERVED

Permission is granted to use, copy, create derivative works and redistribute this software and such derivative works for any purpose, so long as the name of The University of Michigan is not used in any advertising or publicity pertaining to the use of distribution of this software without specific, written prior authorization. If the above copyright notice or any other identification of the University of Michigan is included in any copy of any portion of this software, then the disclaimer below must also be included.

THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

--------------------

The pkcs11.h file included in the PKINIT code has the following license:

Copyright 2006 g10 Code GmbH
Copyright 2006 Andreas Jellinghaus

This file is free software; as a special exception the author gives unlimited permission to copy and/or distribute it, with or without modifications, as long as this notice is preserved.

This file is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY, to the extent permitted by law; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

--------------------

Portions contributed by Apple Inc. are subject to the following license:

Copyright 2004-2008 Apple Inc. All Rights Reserved.

Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Apple Inc. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Apple Inc. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

--------------------

The implementations of strlcpy and strlcat in src/util/support/strlcat.c have the following copyright and permission notice:

Copyright (c) 1998 Todd C.
Miller

Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

--------------------

The implementations of UTF-8 string handling in src/util/support and src/lib/krb5/unicode are subject to the following copyright and permission notice:

The OpenLDAP Public License
Version 2.8, 17 August 2003

Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided that the following conditions are met:

1. Redistributions in source form must retain copyright statements and notices,
2. Redistributions in binary form must reproduce applicable copyright statements and notices, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution, and
3. Redistributions must contain a verbatim copy of this document.

The OpenLDAP Foundation may revise this license from time to time. Each revision is distinguished by a version number. You may use this Software under terms of this license revision or under the terms of any subsequent revision of the license.

THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The names of the authors and copyright holders must not be used in advertising or otherwise to promote the sale, use or other dealing in this Software without specific, written prior permission. Title to copyright in this Software shall at all times remain with copyright holders.

OpenLDAP is a registered trademark of the OpenLDAP Foundation.

Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and distribute verbatim copies of this document is granted.

--------------------

Marked test programs in src/lib/krb5/krb have the following copyright:

Copyright (c) 2006 Kungliga Tekniska Högskolan (Royal Institute of Technology, Stockholm, Sweden). All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of KTH nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Acknowledgements
----------------

Thanks to Red Hat for donating the pre-authentication plug-in framework.

Thanks to Novell for donating the KDB abstraction layer and the LDAP database plug-in, and also code implementing the Microsoft protocol extensions.

Thanks to Sun Microsystems for donating their implementations of mechglue, SPNEGO, master key rollover, and incremental propagation.

Thanks to Dennis Ferguson for donating the DES implementation.

Thanks to the members of the Kerberos V5 development team at MIT, both past and present: Danilo Almeida, Jeffrey Altman, Justin Anderson, Richard Basch, Jay Berkenbilt, Mitch Berger, Andrew Boardman, Joe Calzaretta, John Carr, Don Davis, Alexandra Ellwood, Nancy Gilman, Matt Hancher, Sam Hartman, Paul Hill, Marc Horowitz, Eva Jacobus, Miroslav Jurisic, Barry Jaspan, Geoffrey King, Kevin Koch, John Kohl, Peter Litwack, Scott McGuire, Kevin Mitchell, Cliff Neuman, Paul Park, Ezra Peisach, Chris Provenzano, Ken Raeburn, Jon Rochlis, Jeff Schiller, Jen Selby, Robert Silk, Brad Thompson, Harry Tsai, Zhanna Tsitkova, Ted Ts'o, Marshall Vale, Tom Yu.