Kerberos Version 5, Release 1.6.2 Release Notes The MIT Kerberos Team Unpacking the Source Distribution --------------------------------- The source distribution of Kerberos 5 comes in a gzipped tarfile, krb5-1.6.2.tar.gz. Instructions on how to extract the entire distribution follow. If you have the GNU tar program and gzip installed, you can simply do: gtar zxpf krb5-1.6.2.tar.gz If you don't have GNU tar, you will need to get the FSF gzip distribution and use gzcat: gzcat krb5-1.6.2.tar.gz | tar xpf - Both of these methods will extract the sources into krb5-1.6.2/src and the documentation into krb5-1.6.2/doc. Building and Installing Kerberos 5 ---------------------------------- The first file you should look at is doc/install-guide.ps; it contains the notes for building and installing Kerberos 5. The info file krb5-install.info has the same information in info file format. You can view this using the GNU emacs info-mode, or by using the standalone info file viewer from the Free Software Foundation. This is also available as an HTML file, install.html. Other good files to look at are admin-guide.ps and user-guide.ps, which contain the system administrator's guide, and the user's guide, respectively. They are also available as info files kerberos-admin.info and krb5-user.info, respectively. These files are also available as HTML files. If you are attempting to build under Windows, please see the src/windows/README file. Reporting Bugs -------------- Please report any problems/bugs/comments using the krb5-send-pr program. The krb5-send-pr program will be installed in the sbin directory once you have successfully compiled and installed Kerberos V5 (or if you have installed one of our binary distributions). If you are not able to use krb5-send-pr because you haven't been able compile and install Kerberos V5 on any platform, you may send mail to krb5-bugs@mit.edu. You may view bug reports by visiting http://krbdev.mit.edu/rt/ and logging in as "guest" with password "guest". Major changes in krb5-1.6.2 --------------------------- [5585] fix MITKRB5-SA-2007-004: kadmind affected by multiple RPC library vulnerabilities [CVE-2007-2442/VU#356961, CVE-2007-2443/VU#365313] [5586] fix MITKRB5-SA-2007-005: kadmind vulnerable to buffer overflow [CVE-2007-2798/VU#554257] krb5-1.6.2 changes by ticket ID ------------------------------- 5541 remove debugging code accidentally left in ftp/cmds.c 5546 race condition in referrals fallback 5547 profile stores empty string values without double quotes 5551 rd_req_decoded needs to deal with referral realms 5552 minor incompatability krb5-1.6.1 and OpenSSH_4.6p1, OpenSSL 0.9.8e 5554 Modify WIX installer to better support upgrading betas 5573 Kfw 3.2.0.msi is missing a file krb5/krb5.h 5579 krb5_walk_realm_tree leaks in capaths case 5585 fix MITKRB5-SA-2007-004 [CVE-2007-2442/VU#356961, CVE-2007-2443/VU#365313] 5586 fix MITKRB5-SA-2007-005 [CVE-2007-2798/VU#554257] Major changes in krb5-1.6.1 --------------------------- [5508] Fix MITKRB5-SA-2007-001: telnetd allows login as arbitrary user [CVE-2007-0956, VU#220816] [5507] Fix MITKRB5-SA-2007-002: buffer overflow in krb5_klog_syslog [CVE-2007-0957, VU#704024] [5445] Fix MITKRB5-SA-2007-003: double-free in kadmind - the RPC library could perform a double-free due to a GSS-API library bug [CVE-2007-1216, VU#419344] [5293] fix crash creating db2 database in non-existent directory krb5-1.6.1 changes by ticket ID ------------------------------- Listed below are the RT tickets of bugs fixed in krb5-1.6.1. Please see http://krbdev.mit.edu/rt/NoAuth/krb5-1.6/fixed-1.6.1.html for a current listing with links to the complete tickets. 2724 kdc.conf man page typo in v4_mode section 5233 Change in behaviour in gss_release_buffer() by mechtypes introduces memory leak 5238 fix leak in gss_krb5int_unseal_token_v3 5246 Memory leak in tests/gssapi/t_imp_name.c 5257 error on gethostbyname is tested on errno instead of h_errno 5293 crash creating db2 database in non-existent directory 5294 create KDC database directory 5343 updated Windows README 5344 Update to KFW NSIS installer 5349 Proposed implementation of krb5_server_decrypt_ticket_keyblock and krb5_server_decrypt_ticket_keytab 5353 kfw wix installer - memory overwrite error 5393 krb5-1.6: tcp kpasswd service required if only admin_server is specified in krb5.conf 5394 krb5-1.6: segfault on password change 5396 Master ticket for NetIdMgr 1.2 commits 5397 NIM string tables 5398 NIM Kerberos v4 configuration dialog 5399 NIM Correct Visual Identity Expiration Status 5400 NIM Kerberos 5 Provider corrections 5403 Add KDC timesyncing support to the CCAPI ccache backend 5408 NIM - Context sensitive system tray menu and more 5409 KFW MSI installer corrections 5410 kt_file.c memory leak on error in krb5_kt_resolve / krb5_kt_wresolve 5414 NIM Bug Fixes 5418 KFW: 32-bit builds use the pismere krbv4w32.dll library 5419 Microsoft Windows Visual Studio does not define ssize_t 5420 get_init_creds_opt extensibility 5437 hack to permit GetEnvironmentVariable usage without requiring getenv() conversion 5445 gsstest doesn't like krb5-1.6 GSSAPI library [also MITKRB5-SA-2007-003] 5446 KfW 3.1: stderr of kinit/klist/kdestroy cannot be re-directed to file 5447 tail portability bug in k5srvutil 5452 NIM Improved Alert Management 5453 Windows - some apps define ssize_t as a preprocessor symbol 5454 krb5_get_cred_from_kdc fails to null terminate the tgt list 5455 valgrind detects uninitialized (but really unused) bytes in 'queue' 5457 More existence tests; path update 5458 osf1: get proper library dependencies installed 5461 reverting commit to windows WIX installer (revision 19207) 5469 KFW: Vista Integrated Logon 5476 Zero sockaddrs in fai_add_entry() so we can compare them with memcmp() 5477 Enable Vista support for MSLSA 5478 NIM: New Default View and miscellaneous fixes 5480 krb5 library uses kdc.conf when it shouldn't 5490 KfW build automation 5491 WIX installer stores WinLogon event handler under wrong registry value 5492 remove unwanted files from kfw build script 5493 KFW: problems with non-interactive logons 5495 NIM commits for KFW 3.2 Beta 1 5496 more bug fixes for NIM 1.2 (KFW 3.2) 5503 msi deployment guide updates for KFW 3.2 5504 Network Identity Manager 1.2 User Manual 5505 More commits for NIM 1.2 Beta 1 5507 MITKRB5-SA-2007-002: buffer overflow in krb5_klog_syslog 5508 MITKRB5-SA-2007-001: telnetd allows login as arbitrary user 5509 service location plugin returning no addresses handled incorrectly 5510 krb5int_open_plugin_dirs errors out if directory does not exist 5514 wix installer - modify file list 5515 KFW NSIS installer - copyright updates and aklog removal 5516 NIM 1.2.0.1 corrections 5518 EAI_NODATA deprecated, not always defined 5521 KfW build system (post kfw-3.2-beta1) 5522 NIM 3.2 documentation update 5523 KFW 3.2 Beta 2 commits 5524 NIM doxyfile.cfg - update to Doxygen 1.5.2 5525 NIM 1.2 HtmlHelp User Documentation 5526 NIM - Fix taskbar button visibility on Vista 5527 kfw build - include netidmgr_userdoc.pdf in zip file 5528 Add vertical scrollbars to realm fields in dialogs 5529 Missing version resource info on krb5 files 5530 KFW 3.2.0.7002 about dialogue will not respond to alt-f4 5532 KFW Network Provider Improvements 5533 updates for NIM developer documentation 5534 kfwlogon corrections for XP 5535 More NIM Developer documentation updates 5537 only check current dir for a.tmp 5539 add option to export instead of checkout, etc. Major changes in krb5-1.6 ------------------------- * Partial client implementation to handle server name referrals. * Pre-authentication plug-in framework, donated by Red Hat. * LDAP KDB plug-in, donated by Novell. * Fix for MITKRB5-SA-2006-002: the RPC library could call an uninitialized function pointer, which created a security vulnerability for kadmind. * Fix for MITKRB5-SA-2006-003: the GSS-API mechglue layer could fail to initialize some output pointers, causing callers to attempt to free uninitialized pointers. This caused a security vulnerability in kadmind. Note that the implementation of referral handling involves a change to the behavior of krb5_sname_to_principal() to return a zero-length realm name if it is unable to find the realm corresponding to the hostname. This special realm name signals the ticket-acquisition code to request KDC canonicalization of service principal names. Other library code has changed to accommodate this new behavior. This particular method of implementing service principal name referral handling may change in the future; we invite discussion on this subject. Major known bugs in krb5-1.6 ---------------------------- 5293 crash creating db2 database in non-existent directory Attempting to create a KDB in a non-existent directory using the Berkeley DB back end may cause a crash resulting from a null pointer dereference. If a core dump occurs, this may cause a local exposure of sensitive information such a master key password. This will be fixed in an upcoming patch release. krb5-1.6 changes by ticket ID ----------------------------- Listed below are the RT tickets of bugs fixed in krb5-1.6. Please see http://krbdev.mit.edu/rt/NoAuth/krb5-1.6/fixed-1.6.html for a current listing with links to the complete tickets. 1204 Unable to get a TGT cross-realm referral 2087 undocumented options for kpropd 2240 krb5-config --cflags gssapi when used by OpenSSH-snap-20040212 2579 kdc: add_to_transited may reference off end of array... 2652 Add support for referrals 2876 Tree does not compile with GCC 4.0 2935 KDB/LDAP backend 3089 krb5_verify_init_creds() is not thread safe 3091 add krb5_cc_new_unique() 3218 kdb5_util load requires that the dumpfile be writable. 3276 local array of structures not declared static 3288 NetIdMgr cannot obtain Kerberos 5 tickets containing addresses 3322 get_cred_via_tkt() checks too strict on server principal 3522 Error code definitions are outside macros to prevent multiple inclusion in public headers 3642 changes for embedding manifest into dlls and exes 3735 Add TCP change/set password support 3947 allow multiple calls to krb5_get_error_message to retrieve message 3955 check calling conventions specified for Windows 3961 fix stdcc.c to build without USE_CCAPI_V3 4021 use GSS_C_NO_CHANNEL_BINDINGS not NULL in lib/rpc/auth_gss.c 4023 Turn off KLL automatic prompting support in kadmin 4024 gss_acquire_cred auto prompt support shouldn't break gss_krb5_ccache_name() 4025 need to look harder for tclConfig.sh 4055 remove unused Metrowerks support from yarrow 4056 g_canon_name.c if-statement warning cleanup 4057 GSSAPI opaque types should be pointers to opaque structs, not void* 4256 Make process error 4292 LDAP error prevents KfM 6.0 from building on Tiger 4294 Bad loop logic in krb5_mcc_generate_new 4304 audit referrals merge (R18598) 4327 doc/krb5-protocol out of date 4389 cursor for iterating over ccaches 4412 Don't segfault if a preauth plugin module fails to load 4453 krb5-1.6-pre: fix warnings/ improve 64bit compatibility in the ldap plugin 4454 krb5-1.6-pre: kdb5_ldap_util stashsrvpw does not work 4455 IRIX build fails w/ GCC 4.0 (really GNU ld) 4482 enabling LDAP mix-in support for kdb5_util load 4488 osf1 -oldstyle_liblookup typo 4495 Avoid segfault in krb5_do_preauth_tryagain 4496 fix invalid access found by valgrind 4501 fix krb5_ldap_iterate to handle NULL match_expr and open_db_and_mkey to use KRB5_KDB_SRV_TYPE_ADMIN 4534 don't confuse profile iterator in 425 princ conversion 4561 UC Berkeley BSD license change 4562 latest Novell ldap patches and kdb5_util dump support for ldap 4566 leaks in preauth plugin support 4567 KDC can crash for certain client requests when preauth plugins are used 4587 Change preauth plugin context scope and lifetimes 4624 remove t_prf and t_prf.o on make clean 4625 Make clean in lib/kdb leaves error table files 4657 krb5.h not C++-safe due to "struct krb5_cccol_cursor" 4683 Remove obsolete/conflicting prototype for krb524_convert_princs 4688 Add public function to get keylength associated with an enctype 4689 Update minor version numbers for 1.6 4690 Add "get_data" function to the client preauth plugin interface 4692 Document changing the krbtgt key 4693 Delay kadmind random number initialization until after fork 4735 more Novell ldap patches from Nov 6 and Fix for wrong password policy reference count 4737 correct client preauth plugin request_context 4738 allow server preauth plugin verify_padata function to return e-data 4739 cccursor backend for CCAPI 4755 update copyrights and acknowledgments 4770 Add macros for __attribute__((deprecated)) for krb4 and des APIs 4771 LDAP patch from Novell, 2006-10-13 4772 fix some warnings in ldap code 4773 fix warning in preauth_plugin.h header 4774 avoid double frees in ccache manipulation around gen_new 4775 include realm in "can't resolve KDC" error message 4784 krb5_stdccv3_generate_new returns NULL ccache 4788 ccache double free in krb5_fcc_read_addrs(). 4799 krb5_c_keylength -> krb5_c_keylengths; add krb5_c_random_to_key 4805 replace existing calls of cc_gen_new() 4841 free error message when freeing context 4846 clean up preauth2 salt debug code 4860 fix LDAP plugin Makefile.in lib frag substitutions 4928 krb5int_copy_data_contents shouldn't free memory it didn't allocate 4941 referrals changes to telnet have unconditional debugging printfs 4942 skip all modules in plugin if init function fails 4955 Referrals code breaks krb5_set_password_using_ccache to Active Directory 4967 referrals support assumes all rewrites produce TGS principals 4972 return edata from non-PA_REQUIRED preauth types 4973 send a new request with the new padata returned by krb5_do_preauth_tryagain() 4980 Remove unused prototype for krb5_find_config_files 4981 Make clean in lib/krb5/os does not clean test objs 4991 fix for kdb5_util load bug with dumps from a LDAP KDB 4994 minor update to kdb5_util man page for LDAP plugin 5003 krb5_cc_remove should work for the CCAPI 5005 Reading maxlife, maxrenewlife and ticket flags from conf file in LDAP plugin 5009 kadmin.local with LDAP backend fails to start when master key enctype is not default enctype 5022 build the trunk on Windows (again) 5027 admin guide changes for the LDAP backend 5032 Don't leak padata when looping for krb5_do_preauth_tryagain() 5090 krb5_get_init_creds_opt_set_change_password_prompt 5115 krb5_rc_io_open_internal on error will call close(-1) 5116 minor ldap specific changes in man page 5121 keytab code can't match principals with realms not yet determined 5123 don't pass null pointer to krb5_do_preauth_tryagain() 5124 use KRB5KRB_ERR_GENERIC, not KRB_ERR_GENERIC in preauth2.c 5125 Add -clearpolicy to kadmin addprinc usage 5152 misc cleanups in admin guide ldap sections 5159 don't split HTML output from makeinfo 5223 Fix typo in user-guide.texinfo 5245 Repair broken links in NetIdMgr Help 5260 Deletion of principal fails 5265 update ldap/Makefile.in for newer autoconf substitution requirements 5271 Document KDC behavior without stash file 5279 Document what the kadmind ACL is for 5301 MITKRB5-SA-2006-002: svctcp_destroy() can call uninitialized function pointer 5302 MITKRB5-SA-2006-003: mechglue argument handling too lax Copyright and Other Legal Notices --------------------------------- Copyright (C) 1985-2007 by the Massachusetts Institute of Technology. All rights reserved. Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting. WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Furthermore if you modify this software you must label your software as modified software and not distribute it in such a fashion that it might be confused with the original MIT software. M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. Individual source code files are copyright MIT, Cygnus Support, Novell, OpenVision Technologies, Oracle, Red Hat, Sun Microsystems, FundsXpress, and others. Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira, and Zephyr are trademarks of the Massachusetts Institute of Technology (MIT). No commercial use of these trademarks may be made without prior written permission of MIT. "Commercial use" means use of a name in a product or other for-profit manner. It does NOT prevent a commercial firm from referring to the MIT trademarks in order to convey information (although in doing so, recognition of their trademark status should be given). -------------------- Portions of src/lib/crypto have the following copyright: Copyright (C) 1998 by the FundsXpress, INC. All rights reserved. Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting. WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of FundsXpress. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. FundsXpress makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. -------------------- The following copyright and permission notice applies to the OpenVision Kerberos Administration system located in kadmin/create, kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions of lib/rpc: Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved WARNING: Retrieving the OpenVision Kerberos Administration system source code, as described below, indicates your acceptance of the following terms. If you do not agree to the following terms, do not retrieve the OpenVision Kerberos administration system. You may freely use and distribute the Source Code and Object Code compiled from it, with or without modification, but this Source Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY OTHER REASON. OpenVision retains all copyrights in the donated Source Code. OpenVision also retains copyright to derivative works of the Source Code, whether created by OpenVision or by a third party. The OpenVision copyright notice must be preserved if derivative works are made based on the donated Source Code. OpenVision Technologies, Inc. has donated this Kerberos Administration system to MIT for inclusion in the standard Kerberos 5 distribution. This donation underscores our commitment to continuing Kerberos technology development and our gratitude for the valuable work which has been performed by MIT and the Kerberos community. -------------------- Portions contributed by Matt Crawford were work performed at Fermi National Accelerator Laboratory, which is operated by Universities Research Association, Inc., under contract DE-AC02-76CHO3000 with the U.S. Department of Energy. -------------------- The implementation of the Yarrow pseudo-random number generator in src/lib/crypto/yarrow has the following copyright: Copyright 2000 by Zero-Knowledge Systems, Inc. Permission to use, copy, modify, distribute, and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Zero-Knowledge Systems, Inc. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Zero-Knowledge Systems, Inc. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. ZERO-KNOWLEDGE SYSTEMS, INC. DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL ZERO-KNOWLEDGE SYSTEMS, INC. BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTUOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -------------------- The implementation of the AES encryption algorithm in src/lib/crypto/aes has the following copyright: Copyright (c) 2001, Dr Brian Gladman , Worcester, UK. All rights reserved. LICENSE TERMS The free distribution and use of this software in both source and binary form is allowed (with or without changes) provided that: 1. distributions of this source code include the above copyright notice, this list of conditions and the following disclaimer; 2. distributions in binary form include the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other associated materials; 3. the copyright holder's name is not used to endorse products built using this software without specific written permission. DISCLAIMER This software is provided 'as is' with no explcit or implied warranties in respect of any properties, including, but not limited to, correctness and fitness for purpose. -------------------- Portions contributed by Red Hat, including the pre-authentication plug-ins framework, contain the following copyright: Copyright (c) 2006 Red Hat, Inc. Portions copyright (c) 2006 Massachusetts Institute of Technology All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * Neither the name of Red Hat, Inc., nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -------------------- The implementations of GSSAPI mechglue in GSSAPI-SPNEGO in src/lib/gssapi, including the following files: lib/gssapi/generic/gssapi_err_generic.et lib/gssapi/mechglue/g_accept_sec_context.c lib/gssapi/mechglue/g_acquire_cred.c lib/gssapi/mechglue/g_canon_name.c lib/gssapi/mechglue/g_compare_name.c lib/gssapi/mechglue/g_context_time.c lib/gssapi/mechglue/g_delete_sec_context.c lib/gssapi/mechglue/g_dsp_name.c lib/gssapi/mechglue/g_dsp_status.c lib/gssapi/mechglue/g_dup_name.c lib/gssapi/mechglue/g_exp_sec_context.c lib/gssapi/mechglue/g_export_name.c lib/gssapi/mechglue/g_glue.c lib/gssapi/mechglue/g_imp_name.c lib/gssapi/mechglue/g_imp_sec_context.c lib/gssapi/mechglue/g_init_sec_context.c lib/gssapi/mechglue/g_initialize.c lib/gssapi/mechglue/g_inquire_context.c lib/gssapi/mechglue/g_inquire_cred.c lib/gssapi/mechglue/g_inquire_names.c lib/gssapi/mechglue/g_process_context.c lib/gssapi/mechglue/g_rel_buffer.c lib/gssapi/mechglue/g_rel_cred.c lib/gssapi/mechglue/g_rel_name.c lib/gssapi/mechglue/g_rel_oid_set.c lib/gssapi/mechglue/g_seal.c lib/gssapi/mechglue/g_sign.c lib/gssapi/mechglue/g_store_cred.c lib/gssapi/mechglue/g_unseal.c lib/gssapi/mechglue/g_userok.c lib/gssapi/mechglue/g_utils.c lib/gssapi/mechglue/g_verify.c lib/gssapi/mechglue/gssd_pname_to_uid.c lib/gssapi/mechglue/mglueP.h lib/gssapi/mechglue/oid_ops.c lib/gssapi/spnego/gssapiP_spnego.h lib/gssapi/spnego/spnego_mech.c are subject to the following license: Copyright (c) 2004 Sun Microsystems, Inc. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. -------------------- MIT Kerberos includes documentation and software developed at the University of California at Berkeley, which includes this copyright notice: Copyright (C) 1983 Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -------------------- Portions contributed by Novell, Inc., including the LDAP database backend, are subject to the following license: Copyright (c) 2004-2005, Novell, Inc. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * The copyright holder's name is not used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Acknowledgments --------------- Thanks to Red Hat for donating the pre-authentication plug-in framework. Thanks to Novell for donating the KDB abstraction layer and the LDAP database plug-in. Thanks to Sun Microsystems for donating their implementations of mechglue and SPNEGO. Thanks to iDefense for notifying us about the vulnerability in MITKRB5-SA-2007-002. Thanks to the members of the Kerberos V5 development team at MIT, both past and present: Danilo Almeida, Jeffrey Altman, Justin Anderson, Richard Basch, Jay Berkenbilt, Mitch Berger, Andrew Boardman, Joe Calzaretta, John Carr, Don Davis, Alexandra Ellwood, Nancy Gilman, Matt Hancher, Sam Hartman, Paul Hill, Marc Horowitz, Eva Jacobus, Miroslav Jurisic, Barry Jaspan, Geoffrey King, Kevin Koch, John Kohl, Peter Litwack, Scott McGuire, Kevin Mitchell, Cliff Neuman, Paul Park, Ezra Peisach, Chris Provenzano, Ken Raeburn, Jon Rochlis, Jeff Schiller, Jen Selby, Brad Thompson, Harry Tsai, Ted Ts'o, Marshall Vale, Tom Yu.