Kerberos Version 5, Release 1.12 Release Notes The MIT Kerberos Team Copyright and Other Notices --------------------------- Copyright (C) 1985-2014 by the Massachusetts Institute of Technology and its contributors. All rights reserved. Please see the file named NOTICE for additional notices. Documentation ------------- Unified documentation for Kerberos V5 is available in both HTML and PDF formats. The table of contents of the HTML format documentation is at doc/html/index.html, and the PDF format documentation is in the doc/pdf directory. Additionally, you may find copies of the HTML format documentation online at http://web.mit.edu/kerberos/krb5-latest/doc/ for the most recent supported release, or at http://web.mit.edu/kerberos/krb5-devel/doc/ for the release under development. More information about Kerberos may be found at http://web.mit.edu/kerberos/ and at the MIT Kerberos Consortium web site http://kerberos.org/ Building and Installing Kerberos 5 ---------------------------------- Build documentation is in doc/html/build/index.html or doc/pdf/build.pdf. The installation guide is in doc/html/admin/install.html or doc/pdf/install.pdf. If you are attempting to build under Windows, please see the src/windows/README file. Reporting Bugs -------------- Please report any problems/bugs/comments by sending email to krb5-bugs@mit.edu. You may view bug reports by visiting http://krbdev.mit.edu/rt/ and using the "Guest Login" button. Please note that the web interface to our bug database is read-only for guests, and the primary way to interact with our bug database is via email. DES transition -------------- The Data Encryption Standard (DES) is widely recognized as weak. The krb5-1.7 release contains measures to encourage sites to migrate away from using single-DES cryptosystems. Among these is a configuration variable that enables "weak" enctypes, which defaults to "false" beginning with krb5-1.8. Major changes in 1.12.2 (2014-08-11) ------------------------------------ * Work around a gcc optimizer bug that could cause DB2 KDC database operations to spin in an infinite loop * Fix a backward compatibility problem with the LDAP KDB schema that could prevent krb5-1.11 and later from decoding entries created by krb5-1.6. * Avoid an infinite loop under some circumstances when the GSS mechglue loads a dynamic mechanism. * Fix krb5kdc argument parsing so "-w" and "-r" options work together reliably. * Handle certain invalid RFC 1964 GSS tokens correctly to avoid invalid memory reference vulnerabilities. [CVE-2014-4341 CVE-2014-4342] * Fix memory management vulnerabilities in GSSAPI SPNEGO. [CVE-2014-4343 CVE-2014-4344] * Fix buffer overflow vulnerability in LDAP KDB back end. [CVE-2014-4345] krb5-1.12.2 changes by ticket ID -------------------------------- 3277 configure --sysconfdir=/etc can make redundant entries in profile search paths 7793 preauth context leaks on failure 7818 Clean up rcache if GSS krb5 acquire_cred fails 7820 gss_init_sec_context() can ignore time sync with keyring caches 7822 Avoid assertion failure in error_message 7836 Allow empty store in gss_acquire_cred_from 7839 Reinitialize ulog when wrapping serial number 7849 kdc.conf(5) - 1.11 / 1.12 - inaccurate re. iprop_master_ulogsize 7853 Check for unstable ulog in ulog_get_entries 7854 Fix kpropd -x 7856 Support referrals from Windows Server 2003 7858 SPNEGO server responds incorrectly to Microsoft krb5 mech type 7860 libdb2 tests hang 7862 ksu broken with 2FA principals 7864 Update doc build instructions 7865 kdb5_util doc update: -update with -ov dump not needed since -r13 7866 improper malloc() handling in process_chpw_request() 7870 Conditionalize use of LDAP_OPT_DEBUG_LEVEL 7872 GSS krb5 sequence number checking fails on initial gap token 7874 Initialize err variable in krb5_sendto_kdc 7875 Fix memory leak in krb5_verify_init_creds 7876 Mention k5login_authoritative in k5login docs 7878 Fix unlikely double free in PKINIT client code 7881 Fix returning KDB_NOENTRY in find_alternate_tgs() 7890 Update example kadmin getprinc enctype display 7894 Get getopt from unistd.h (not getopt.h) in tests 7897 Fix leak in kadm5_flush with LDAP KDB 7902 Check for asprintf failure in kdb5_util create 7911 OTP RADIUS tries one too few times and times out too quickly 7912 Fix invalid JSON handling in KDC OTP module 7914 Problem with krb5int_c_combine_keys() 7916 pkinit doesn't handle slotid parameter properly 7917 pkinit doesn't deal with token label properly 7919 LDAP key data encoder/decoder does not treat KrbKey salt as optional 7920 Change example module name in host_config.rst 7924 tcl_kadm5.c is incompatible with Tcl 8.6 7926 1.12 breaks gssapi mechanisms that recursively call into libgssapi 7928 Do not document pkinit_mapping_file 7930 Add missing profile functions to libkrb5 exports 7931 Improve PKINIT certificate documentation 7932 Do not document pkinit_win2k 7941 Fix several memory leaks in LDAP KDB modules 7943 Fix error checking in PKINIT authdata creation 7945 krb5kdc -w and -r do not work together 7946 Consolidate DB option documentation 7948 Fix unlikely null dereference in mk_cred() 7949 Handle invalid RFC 1964 tokens [CVE-2014-4341 CVE-2014-4342] 7952 Fix unlikely null dereference in TGS client code 7954 Remove indent workaround in man page RST sources 7955 Fix build on systems without RTM_OLD* 7966 Fix leak on GSS module symbol resolution error 7967 Error when building with "make -j8" 7969 Double-free in initiator during SPNEGO renegotiation [CVE-2014-4343] 7970 NULL dereference in SPNEGO acceptor for continuation tokens [CVE-2014-4344] 7971 Fix deleted node handling in libprofile 7972 Fix creation/rename of top-level profile sections 7973 Bad calloc test in krb5_authdata_context_init() 7980 LDAP key data segmentation buffer overflow [CVE-2014-4345] 7982 Use zapfree in krb5_decrypt_tkt_part Major changes in 1.12.1 (2014-01-15) ------------------------------------ * Make KDC log service principal names more consistently during some error conditions, instead of "" * Fix several bugs related to building AES-NI support on less common configurations * Fix several bugs related to keyring credential caches krb5-1.12.1 changes by ticket ID -------------------------------- 5566 krb5-send-pr is difficult to use and largely unnecessary 7045 SPNEGO can't display mechanism errors 7791 S4U2Self fails with Windows 2008 7794 Avoid malloc(0) in SPNEGO get_input_token 7797 Fix SPNEGO one-hop interop against old IIS 7802 KDC sometimes fails to log principal names 7803 Fix memory leak in SPNEGO initiator 7805 Potential leaks in error paths in acquire_accept_cred 7806 Clarify klist -s documentation 7807 Fix krb5_copy_context 7808 Test for verto_set_flags in system libverto 7809 klist displays bad error for nonexistent KEYRING ccache 7810 keyring ccache tests can fail if keyctl purge subcommand is unavailable 7811 Test bogus KDC-REQs 7812 AES-NI support can break OS X build 7813 AES-NI support in 1.12 and executable stacks 7814 Session keyring caches don't work if session keyring not set (with current Linux) 7815 Text relocations in iaesx86.s 7817 Fix typo in sphinx manpage output 7821 Sort file list for msgfmt Major changes in 1.12 (2013-12-10) ---------------------------------- Developer experience: * Add a plugin interface to control krb5_aname_to_localname and krb5_kuserok behavior. * Add a plugin interface to control hostname-to-realm mappings and the default realm. * Add GSSAPI extensions for constructing MIC tokens using IOV lists. Administrator experience: * Principal entries may now refer to the names of policies which do not exist as policy objects in the database. Policy objects may now be deleted whether or not principals reference their names. A principal which references a nonexistent policy name will behave as if it does not reference a policy. * Add support for having no long-term keys for a principal. This can be useful if the principal is only intended to be used with PKINIT or OTP preauthentication. * Add collection support to the KEYRING credential cache type on Linux, and add support for persistent user keyrings and larger credentials on systems which support them. * Add a FAST OTP preauthentication module for the KDC which uses RADIUS to validate OTP token values. * Add an experimental pluggable interface for auditing KDC processing. This interface may change in a backwards-incompatible way in a future release. Performance: * The AES-based encryption types will use AES-NI instructions when possible for improved performance. krb5-1.12 changes by ticket ID ------------------------------ 1445 GSSAPI can fail to generate error in GSS_C_NO_CREDENTIAL case 1539 tests should test getting renewable tickets 2602 Don't reject renewable of non-renewable tickets 3206 gss_acquire_cred with GSS_C_BOTH or GSS_C_INITIATE should work with keytab creds 6429 KDC prefers built-in preauth to plugins 6507 kdb5_util update_princ_encryption uses latest mkey instead of active mkey 6948 Funny klist output if you try to get credentials right when a ticket expires 7172 Credential collection doesn't include DIR subsidiary default cache 7296 issues in handling special characters in KDC ldap plugin code 7385 Policy deletion should not rely on refcounts 7465 minimum iteration count for PBKDF2 7511 Fix minor int overflow and null pointer problems 7517 Pass through module errors when preauthenticating 7518 Delete timestamp_to_sfstring sprintf fallback 7520 Make kproplog consistently treat ulog as a circular buffer 7522 Propagate policy changes over iprop via full dump 7524 Fix gss_str_to_oid and gss_oid_to_str edge cases 7529 Install pkg-config data files 7535 Stop loading policy for pw_expiration in LDAP 7550 Fix iprop log reinitialization 7551 Add LDAP debug DB option 7552 Remove ulog_check(); the ulog is not a DB journal 7555 Don't squash name type for cross TGT requests 7556 Fix COPY_FIRST_CANONNAME hostent search 7564 Remove -b6 and -old dump formats 7565 Desupport krb5_auth_con_setivector 7583 Add localauth pluggable interface 7584 krb5_free_ktypes() needs a prototype in krb5.h 7585 t_oid.o not deleted when make clean run 7589 Add support for k5srvutil -e keysalts 7590 PKINIT needs to use the prompter callback for PEM files 7598 Add support for client keytab from cred store 7599 Add krb5_kt_dup API and use it in two places 7603 Allow numeric addresses as service hostnames 7604 Dynamically expand timeout when TCP connects 7608 improve kadmin manpage "-e" description 7620 libgssrpc is missing from krb5-config and pkg-config 7625 Don't use "bool" for ASN.1 boolean macros 7628 Fix link line for t_fortuna when built with openssl 7629 src/util/support/plugins.c dependencies 7630 Make AS requests work with no client keys 7631 No-effect statement in builtin crypto 7632 LDAP password file errors not helpful enough 7634 Fix crypto openssl hmac warning 7635 Add test case for CVE-2013-1416 7636 kinit checks for "KDB" keytab prefix, not "KDB:" 7642 Can't get initial creds with empty password via API 7643 Fix rc4 string-to-key on unterminated inputs 7645 Add AES-NI support on x86/x64 platforms 7648 Change message macro for configure selection 7651 Link dbtest with libkrb5support 7652 Fix warnings in dbtest.c 7656 Fix spurious clock skew caused by preauth delay 7657 Use KDC clock skew for AS-REQ timestamps 7661 Refactor KDC renewable ticket handling 7662 Assertion `password->length >0' failed 7663 FAST options bit ordering is backwards 7665 Provide plugin module ordering guarantees 7673 Use better URL for kerberos documentation (in KfW) 7678 Add libkrad 7679 Add kadmin support for principals without keys 7680 Add PKINIT responder support 7681 Allow self-service for kadmin purgekeys RPC 7682 Mechglue dynamic initialization functions miss some functions 7683 Update config.guess and config.sub 7684 Don't reopen the KDB in update_princ_encryption 7685 kadmind caches master key activation times 7686 Master key rollover mishandles databases created prior to 1.7 7687 Add hostrealm pluggable interface definition 7688 Fix gss_krb5_set_allowable_enctypes for acceptor 7689 kinit can create duplicate ccache in collection with default principal 7690 Remove redundant domain_realm mappings 7691 Remove KRB5_DNS_LOOKUP_KDC 7692 Save the full residual for keyring caches 7693 Add a note about how to apply/remove policies 7695 krb5-1.11.3/1.10.6 - full resync may fail and still result in ulog being updated 7697 Omit signedpath if no_auth_data_required is set 7698 Service principal aliases broken in 1.11 KDC 7699 Make it possible to renew aliased service tickets 7700 Support FAST hide-client-names option 7701 Fix FAST critical option bit checking 7703 Add a flag to prevent all host canonicalization 7705 Add GSSAPI IOV MIC functions 7706 Export/Import creds breaks with delegated credentials 7709 Wrong order in kdc_check_transited_list() 7711 Add collection support for KEYRING ccache type 7712 KDC Audit infrastructure and plugin implementation 7713 Fix audit test module initialization 7715 Change KRB5KDC_ERR_NO_ACCEPTABLE_KDF to 100 7718 Use protocol error for PKINIT cert expiry 7719 Discuss cert expiry, no-key princs in PKINIT docs 7722 Add missing entries to tests/gssapi Makefile.in 7730 Fix typos in kdb5_util master key command outputs 7732 Document master key rollover 7733 afs3 salt contaminates later enctypes in the list at key generation time 7738 Fix decoding of mkey kvno in mkey_aux tl-data 7739 Improve LDAP KDB initialization error messages 7740 Accept anonymous GSS names in kadmind 7741 Use correct default principal for kadmin -n 7751 Clarify kpropd standalone mode documentation 7755 Multi-realm KDC null deref [CVE-2013-1418] 7759 Clarify realm and dbmodules configuration docs 7764 Catch more strtol() failures when using KEYRINGs 7768 Add support to store time offsets in cc_keyring 7769 Set expiration time on keys and keyrings 7770 kadmind does not log IPv6 requests properly 7771 Remove dangling --with-kdc-kdb-update references 7773 Clarify lockout replication issues in docs 7774 Correct kadm5.acl back-reference documentation 7775 Improve default ccache name API documentation 7776 Added a new ccache doc to "Kerberos V5 concepts" 7777 krb5-admin doc update: `kdb5_util dump` default format is now "krb5_util load_dump version 7" 7785 Fix error message quotations in install_kdc.rst Acknowledgements ---------------- Past and present Sponsors of the MIT Kerberos Consortium: Apple Carnegie Mellon University Centrify Corporation Columbia University Cornell University The Department of Defense of the United States of America (DoD) Fidelity Investments Google Iowa State University MIT Michigan State University Microsoft The National Aeronautics and Space Administration of the United States of America (NASA) Network Appliance (NetApp) Nippon Telephone and Telegraph (NTT) Oracle Pennsylvania State University Red Hat Stanford University TeamF1, Inc. The University of Alaska The University of Michigan The University of Pennsylvania Past and present members of the Kerberos Team at MIT: Danilo Almeida Jeffrey Altman Justin Anderson Richard Basch Mitch Berger Jay Berkenbilt Andrew Boardman Bill Bryant Steve Buckley Joe Calzaretta John Carr Mark Colan Don Davis Alexandra Ellwood Carlos Garay Dan Geer Nancy Gilman Matt Hancher Thomas Hardjono Sam Hartman Paul Hill Marc Horowitz Eva Jacobus Miroslav Jurisic Barry Jaspan Benjamin Kaduk Geoffrey King Kevin Koch John Kohl HaoQi Li Jonathan Lin Peter Litwack Scott McGuire Steve Miller Kevin Mitchell Cliff Neuman Paul Park Ezra Peisach Chris Provenzano Ken Raeburn Jon Rochlis Jeff Schiller Jen Selby Robert Silk Bill Sommerfeld Jennifer Steiner Ralph Swick Brad Thompson Harry Tsai Zhanna Tsitkova Ted Ts'o Marshall Vale Tom Yu The following external contributors have provided code, patches, bug reports, suggestions, and valuable resources: Ian Abbott Brandon Allbery Russell Allbery Brian Almeida Michael B Allen Heinz-Ado Arnolds Derek Atkins Mark Bannister David Bantz Alex Baule David Benjamin Adam Bernstein Arlene Berry Jeff Blaine Radoslav Bodo Sumit Bose Emmanuel Bouillon Michael Calmer Andrea Campi Julien Chaffraix Ravi Channavajhala Srinivas Cheruku Leonardo Chiquitto Howard Chu Andrea Cirulli Christopher D. Clausen Kevin Coffman Simon Cooper Sylvain Cortes Arran Cudbard-Bell Jeff D'Angelo Nalin Dahyabhai Mark Davies Dennis Davis Alex Dehnert Mark Deneen Günther Deschner Roland Dowdeswell Viktor Dukhovni Jason Edgecombe Mark Eichin Shawn M. Emery Douglas E. Engert Peter Eriksson Juha Erkkilä Gilles Espinasse Ronni Feldt Bill Fellows JC Ferguson William Fiveash Ákos Frohner Sebastian Galiano Marcus Granado Scott Grizzard Helmut Grohne Steve Grubb Philip Guenther Dominic Hargreaves Robbie Harwood Jakob Haufe Matthieu Hautreux Paul B. Henson Jeff Hodges Christopher Hogan Love Hörnquist Åstrand Ken Hornstein Henry B. Hotz Luke Howard Jakub Hrozek Shumon Huque Jeffrey Hutzelman Wyllys Ingersoll Holger Isenberg Pavel Jindra Joel Johnson Anders Kaseorg W. Trevor King Mikkel Kruse Reinhard Kugler Tomas Kuthan Pierre Labastie Volker Lendecke Jan iankko Lieskovsky Oliver Loch Kevin Longfellow Nuno Lopes Ryan Lynch Nathaniel McCallum Greg McClement Cameron Meadors Alexey Melnikov Franklyn Mendez Markus Moeller Kyle Moffett Paul Moore Keiichi Mori Michael Morony Zbysek Mraz Edward Murrell Nikos Nikoleris Felipe Ortega Andrej Ota Dmitri Pal Javier Palacios Tom Parker Ezra Peisach W. Michael Petullo Mark Phalan Jonathan Reams Robert Relyea Martin Rex Jason Rogers Nate Rosenblum Mike Roszkowski Guillaume Rousse Tom Shaw Jim Shi Peter Shoults Simo Sorce Michael Spang Michael Ströder Bjørn Tore Sund Joe Travaglini Rathor Vipin Denis Vlasenko Jorgen Wahlsten Stef Walter Max (Weijun) Wang John Washington Stef Walter Xi Wang Kevin Wasserman Margaret Wasserman Marcus Watts Andreas Wiese Simon Wilkinson Nicolas Williams Ross Wilper Augustin Wolf David Woodhouse Xu Qiang Nickolai Zeldovich Hanz van Zijst Gertjan Zwartjes The above is not an exhaustive list; many others have contributed in various ways to the MIT Kerberos development effort over the years. Other acknowledgments (for bug reports and patches) are in the doc/CHANGES file.