Kerberos Version 5, Release 1.11 Release Notes The MIT Kerberos Team Copyright and Other Notices --------------------------- Copyright (C) 1985-2013 by the Massachusetts Institute of Technology and its contributors. All rights reserved. Please see the file named NOTICE for additional notices. Documentation ------------- Unified documentation for Kerberos V5 is available in both HTML and PDF formats. The table of contents of the HTML format documentation is at doc/html/index.html, and the PDF format documentation is in the doc/pdf directory. Additionally, you may find copies of the HTML format documentation online at http://web.mit.edu/kerberos/krb5-latest/doc/ for the most recent supported release, or at http://web.mit.edu/kerberos/krb5-devel/doc/ for the release under development. More information about Kerberos may be found at http://web.mit.edu/kerberos/ and at the MIT Kerberos Consortium web site http://kerberos.org/ Building and Installing Kerberos 5 ---------------------------------- Build documentation is in doc/html/build/index.html or doc/pdf/build.pdf. The installation guide is in doc/html/admin/install.html or doc/pdf/install.pdf. If you are attempting to build under Windows, please see the src/windows/README file. Reporting Bugs -------------- Please report any problems/bugs/comments using the krb5-send-pr program. The krb5-send-pr program will be installed in the sbin directory once you have successfully compiled and installed Kerberos V5 (or if you have installed one of our binary distributions). If you are not able to use krb5-send-pr because you haven't been able compile and install Kerberos V5 on any platform, you may send mail to krb5-bugs@mit.edu. You may view bug reports by visiting http://krbdev.mit.edu/rt/ and logging in as "guest" with password "guest". DES transition -------------- The Data Encryption Standard (DES) is widely recognized as weak. The krb5-1.7 release contains measures to encourage sites to migrate away from using single-DES cryptosystems. Among these is a configuration variable that enables "weak" enctypes, which defaults to "false" beginning with krb5-1.8. Major changes in 1.11.4 (2013-11-04) ------------------------------------ * Fix a KDC null pointer dereference [CVE-2013-1417] that could affect realms with an uncommon configuration. * Fix a KDC null pointer dereference [CVE-2013-1418] that could affect KDCs that serve multiple realms. * Fix a number of bugs related to KDC master key rollover. krb5-1.11.4 changes by ticket ID -------------------------------- 7508 Indefinite FD polling 7650 Issue following client referral from AD 7664 Build with Visual Studio 2012 7668 KDC null deref due to referrals [CVE-2013-1417] 7670 Add test case for CVE-2013-1417 7671 Install ccselect_plugin.h 7702 krb5-1.11.3 FTBFS on NetBSD 7723 Fix GSSAPI krb5 cred ccache import 7724 Change KRB5KDC_ERR_NO_ACCEPTABLE_KDF to 100 7726 Use protocol error for PKINIT cert expiry 7727 Discuss cert expiry, no-key princs in PKINIT docs 7734 Fix typos in kdb5_util master key command outputs 7735 Use active master key in update_princ_encryption 7737 Correctly activate master keys in pre-1.7 KDBs 7742 Reset key-generation parameters for each enctype 7746 Fix decoding of mkey kvno in mkey_aux tl-data 7747 Improve LDAP KDB initialization error messages 7748 Document master key rollover 7752 Clarify kpropd standalone mode documentation 7756 Multi-realm KDC null deref [CVE-2013-1418] 7758 Fix reference for trace logging Major changes in 1.11.3 (2013-06-03) ------------------------------------ * Fix a UDP ping-pong vulnerability in the kpasswd (password changing) service. [CVE-2002-2443] * Improve interoperability with some Windows native PKINIT clients. krb5-1.11.3 changes by ticket ID -------------------------------- 7596 PKINIT should allow missing DH param Q 7602 allow dh_min_bits >= 1024 7605 Set msg_type when decoding FAST requests 7626 Rename internal Camellia symbols 7637 Fix kpasswd UDP ping-pong [CVE-2002-2443] 7639 Transited realm checks sometimes fail for GSSAPI 7640 Clarify that kdc.conf and krb5.conf are merged 7641 Clarify krb5_rd_req documentation 7644 Sphinx doc build leaves python bytecode (.pyc) in release tarball 7653 Document preauth flags for service principals 7654 Clarify retiring-des based on user feedback 7655 Clean up dangling antecedent in allow_weak_crypto Major changes in 1.11.2 (2013-04-12) ------------------------------------ This is a bugfix release. * Incremental propagation could erroneously act as if a slave's database were current after the slave received a full dump that failed to load. * gss_import_sec_context incorrectly set internal state that identifies whether an imported context is from an interposer mechanism or from the underlying mechanism. krb5-1.11.2 changes by ticket ID -------------------------------- 7530 iprop treats slave as current if full dump fails to load 7586 memory leak in lookup_etypes_for_keytab() 7587 Fix dependencies in tests/gssapi 7591 Fix condition with empty body 7592 gss_import_sec_context broken with interposer plugins 7594 Export verto_set_flags from libverto 7601 RST docs missing krb5-config man page Major changes in 1.11.1 (2013-02-21) ------------------------------------ This is a bugfix release. * Restore capability for multi-hop SAM-2 preauth exchanges, which krb5-1.11 had inadvertently removed. * Fix a null pointer dereference in the KDC PKINIT code [CVE-2013-1415]. krb5-1.11.1 changes by ticket ID -------------------------------- 7458 add more strftime format strings for klist 7523 Fix gss_str_to_oid for OIDs with zero-valued arcs 7525 Fix DPRINT in ipropd_svc.c 7534 Minor pointer management patches 7539 Fix no_host_referral concatention in KDC 7548 Fix iprop safety net in kdb5_util load 7553 sendto_kdc can invoke poll with negative timeout 7557 Fix h1 end tag in Sphinx header titles 7558 Fix typos in layout.html 7559 Fix "search" accesskey in layout.html 7560 Fix kdb5_util dump.c uninitialized warnings 7561 kprop doesn't work with RC4 session key 7567 Fix RFC 5587 const pointer typedefs 7569 Convert success in krb5_chpw_result_code_string 7570 PKINIT null pointer deref [CVE-2013-1415] 7571 Allow multi-hop SAM-2 exchanges 7573 File descriptor leak in DIR ccaches 7574 Fix memory leak closing DIR ccaches Major changes in 1.11 (2012-12-17) ---------------------------------- Additional background information on these changes may be found at http://k5wiki.kerberos.org/wiki/Release_1.11 and http://k5wiki.kerberos.org/wiki/Category:Release_1.11_projects Code quality: * Improve ASN.1 support code, making it table-driven for decoding as well as encoding * Refactor parts of KDC Developer experience: * Documentation consolidation * Add a new API krb5_kt_have_content() to determine whether a keytab exists and contains any entries. * Add a new API krb5_cccol_have_content() to determine whether the ccache collection contains any credentials. * Add a new API krb5_kt_client_default() to resolve the default client keytab. * Add new APIs gss_export_cred and gss_import_cred to serialize and unserialize GSSAPI credentials. * Add a krb5_get_init_creds_opt_set_in_ccache() option. * Add get_cc_config() and set_cc_config() clpreauth callbacks for getting string attribute values from an in_ccache and storing them in an out_ccache, respectively. * Add a plugin interface for GSSAPI interposer mechanisms. * Add an optional responder callback to the krb5_get_init_creds functions. The responder callback can consider and answer all preauth-related questions at once, and can process more complicated questions than the prompter. * Add a method to the clpreauth interface to allow modules to supply response items for consideration by the responder callback. * Projects/Password_response_item * Add GSSAPI extensions to allow callers to specify credential store locations when acquiring or storing credentials * Add a new API krb5_kt_client_default() to resolve the default client keytab. Administrator experience: * Documentation consolidation * Add parameter expansion for default_keytab_name and default_client_keytab_name profile variables. * Add new default_ccache_name profile variable to override the built-in default credential cache name. * Add configure-time support for changing the built-in ccache and keytab names. * Add krb5-config options for displaying the built-in ccache and keytab names. * In the default build, use the system's built-in ccache and keytab names if they can be discovered using krb5-config. * Add support for a "default client keytab". Its location is determined by the KRB5_CLIENT_KTNAME environment variable, the default_client_keytab profile relation, or a hardcoded path (TBD). * GSSAPI initiator applications can now acquire credentials automatically from the default client keytab, if one is available. * Add client support for FAST OTP (RFC 6560) End-user experience: * Documentation consolidation * Store metadata in the ccache about how a credential was acquired, to improve the user's experience when reacquiring * Projects/Extensible_Policy Performance: * Improve KDC lookaside cache performance Protocol evolution: * Add client support for FAST OTP (RFC 6560) * Build Camellia encryption support by default krb5-1.11 changes by ticket ID ------------------------------ 2131 krb5_get_init_creds_keytab() doesn't restrict requested enctypes to those in keytab entry 2545 AFS string_to_key broken for passwords > 8 chars 5126 krb5_verify_init_creds behaves badly with a ticket cache 6973 error reporting made worse in gss_acquire_creds 7025 FAST: error handling and const keyblock 7026 FAST TGS 7046 Allow S4U2Proxy delegated credentials to be saved 7047 Allow S4U2Proxy service tickets to be cached 7048 Allow null server key to krb5_pac_verify 7054 Test suite requires python 2.6 or better... 7061 Fix PKINIT serverDHNonce encoding 7063 Prompter delay can cause spurious clock skew 7064 install sphinx-generated manpages 7072 PKINIT pk_as_rep_draft9 encoding issues 7073 kadmin.local.8 belongs in ADMIN_mandir 7080 failures to compile src/lib/krb5/krb/x-deltat.y with GCC 4.7 7085 Better short/long descs in gss_display_mech_attr 7086 potential memory leak in krb5int_get_fq_hostname 7091 Report profile errors when initializing krb5 context 7094 Fail during configure if unable to find ar 7097 improve kadm5 acl testing coverage 7100 trunk a86e885 does not deal with default salt 7105 side effects in assertions 7106 documentation nit in tkt_mgmt.rst 7107 Suppress some gcc uninitialized variable warnings 7109 Key rollover for MIT/AD cross TGT principals fails due to kvno 0 7110 Fix password reuse check with cpw -keepold 7111 Incorrect ASN.1 tag for EncASRepPart in svn trunk 7112 KRB5_TRACE is broken in trunk 7113 add tests for trace logging 7114 Support using kdc time during encrypted timestamp preauth 7121 password argument to krb5_get_init_creds_password not const 7125 krb5_verify_init_creds should try all host principals in keytab by default 7126 Documentation__Building Kerberos V5 7128 Add API to interpret changepw result strings 7129 Add krb5_parse_name flag to ignore realm 7130 kinit to AD server should be more tolerant of clock skew 7131 [PATCH 1/1] sn2princ.c: add terminal newline to "failed to canonicalize" debug message. 7133 [PATCH 1/1] trace.c: rename k5trace to krb5int_trace in comments. 7134 Fix "(null" typo in "{key}" handler in trace.c 7137 Fix "(empty" typo in "{etypes}" handler in trace.c 7138 [PATCH] Add missing $(LIBS) to Makefile.in in several directories. 7139 Remove mention of util/autoconf 7147 Make doc/coding-style point to wiki page 7151 Convert DEBUG_REFERRALS to TRACE_* framework 7158 Add krb5_kt_have_content API 7159 Fail from gss_acquire_cred if we have no keytab 7160 gss_acquire_cred for krb5 initiator creds should fail if no tickets exist 7161 Minor memory leak in default_an_to_ln on error 7162 krb5_verify_init_creds frees its input argument 7166 Remove big-endian gss-krb5 support 7173 Add krb5_cccol_have_content API 7179 krb5_cc_get_full_name() does not document how to free fullname_out 7183 PKINIT should handle CMS SignedData without certificates 7187 ReST html docs render '--' as – (en dash) 7188 Add krb5_kt_client_default API 7189 Add client keytab initiation support 7190 Try harder to make keytab-based AS requests work 7192 klist does not use localized time formatting 7196 Automatically create DIR ccache directories 7205 Rename 'free' -> 'free_func' in asn1_encode.c/.h 7211 define USE_HEAPALLOC in gssapi_alloc.h 7216 Add kinit/klist -i options to use client keytab 7217 Introduce credential store extensions 7218 Do something reasonable if "kinit -t" without "-k" 7219 Add token expansion for keytab names 7220 Add default_ccache_name profile variable 7221 Support changing the built-in ccache/keytab names 7223 Policy extensions + new policy: allowed ks types 7224 Fix edge-case bugs in kdb5_util load 7229 Turn off replay cache in krb5_verify_init_creds() 7242 Add otp client preauth plugin 7346 Support kdc_timesync offsets in memory ccache 7347 Add support for GSS_C_NT_COMPOSITE_EXPORT 7351 Avoid libdl dependencies in bundled libverto 7354 Introduce gss_export_cred and gss_import_cred 7355 Add responder feature for initial cred exchanges 7356 GSSAPI constrained delegation fails with default initiator cred 7358 Map CANTLOCK_DB to SVC_UNAVAILABLE in krb5kdc 7359 Use blocking locks in krb5kdc and libkadm5srv 7360 Fix lock inconsistency in ctx_unlock() 7364 Update FILES and WINFILES for kerbsrc.zip 7366 Keep verifier cred locked in accept_sec_context 7367 Remove kerbsrc.win 7368 MAX_ULOGENTRIES is too low 7369 iprop can block for extended periods due to UPDATE_BUSY 7370 kdb5_util load needs an iprop safety net 7371 kadmind per-slave ipropd dumps are wasteful 7372 kadmind hardcodes paths to kdb5_util, kprop, and dump file 7373 kpropd handling of full resyncs is racy 7374 iprop full resyncs need testing 7375 feature request: kproplog -R to reset ulog, force full resync 7376 kpropd -S option is superfluous 7377 kdb5_util dump is racy 7378 k5test.py needs a start_kpropd() method 7379 kpropd docs are out of date regarding iprop 7384 kdb5_util dump race can leave policy refcounts incorrect 7399 Race in kdb5_util load completion 7400 GENC should always export composite names 7403 krb5_db_delete_principal() can fail to unlock ulog 7407 Import remaining content from texinfo to reST 7408 Remove obsolete texinfo documentation 7409 rework documentation tree layout 7413 Add an input ccache get_init_creds option 7414 Add "pa_type" configuration to ccaches 7415 Fix sam2 client preauth after salt changes 7416 Use config storage for client OTP token selection 7417 Don't expose binary format in preauth otp 7418 Add dependencies for some test programs 7419 Alter responder function signature for consistency 7421 Documentation__krb5_rd_req - Parse and decrypt a KRB_AP_REQ message. 7422 Only record real selected preauth type 7423 Document prompter and responder callbacks 7424 Add missing macro and type index.rst entries 7425 Fix verto_ctx declaration in preauth_plugin.h 7426 Add loop() kdcpreauth method 7427 Don't save empty cc_config_out in ccache 7428 Don't leak new fields of krb5_init_creds_context 7429 Document GSSAPI loadable module interface 7431 Improve documentation for krb5_unparse_name_ext() 7433 Documentation build system improvements 7435 Always rebuild rst_composite in src/doc 7436 Document PKINIT and anonymos PKINIT configuration 7437 Update Camellia feature description 7439 Add Camellia to enctype table in documentation 7444 De-conditionalize Camellia code 7445 Make kdb5_util dump work with LDAP again 7446 Add Camellia enctypes to default enctype lists 7447 Fix warnings in doc build 7448 Avoid using grep -q in configure.in 7451 Add "Kerberos" to PDF titles 7452 Reword krb5_unparse_name_ext doxygen markup 7453 Update mkrel for new doc build process 7455 Documentation: table formating and ref correction in MIT features 7456 Documentation: Update 1.11 feature list 7457 camellia needs key_cleanup() routine 7459 Remove broken clean_hostname trace messages 7460 Add first-introduced version for krb5_get_init_creds_opt_set_in_ccache() in doxygen markup 7461 Remove .doctrees when cleaning src/doc 7462 Move Release tag to the footer in Sphinx html documentation 7464 Remove "Test coverage" topic from Sphinx documentation 7466 Do not generate unused parts of toctree 7467 Do not include hidden files in the sidebar 7468 Make sphinx warnings fatal for doc build 7469 Reformat RST to avoid sphinx warnings 7470 Note notice.txt's dependency on version.py 7471 Fix typo 7472 Document parameter expansion for keytab and ccache configuration options 7474 Update comments about conflicting KRB5_KEYUSAGE_PA types 7477 Document account lockout configuration 7479 Build fixes for windows 7480 Cross-reference account lockout documentation 7482 Make resources.rst more useful to non-devs 7483 KDC can return host referral to its own realm 7488 Various nits in krb5-1.10.3 7489 Do not document unused symbols 7490 Update comments for RFC 3244 kpasswd extensions 7491 Make building docs easier in an unconfigured tree 7492 Doc build in unconfigured tree broken on some platforms 7494 Regenerate checked-in man pages 7495 Make the doc build quieter 7496 Document API for getting anonymous tickets 7497 Update mkrel for SPHINX_ARGS 7498 Document principal name interactions with DNS 7499 Use an empty challenge for the password question 7500 Add examples to init_creds.rst 7501 Update retiring-des with real-world experience 7503 Fix documentation browser resizing behavior 7504 Conditionally include MITKC logo in HTML doc 7505 Better names for doxygen-Sphinx bridge functions 7506 PKINIT (draft9) null ptr deref [CVE-2012-1016] 7507 Document enctypes 7509 Update README for Sphinx documentation 7510 Add copyright footer to HTML docs 7512 Add web pages to resources.rst 7513 Clarify enctype settings in krb5_conf.rst 7515 Add release string to index.rst page heading Acknowledgements ---------------- Past and present Sponsors of the MIT Kerberos Consortium: Apple Carnegie Mellon University Centrify Corporation Columbia University Cornell University The Department of Defense of the United States of America (DoD) Fidelity Investments Google Iowa State University MIT Michigan State University Microsoft The National Aeronautics and Space Administration of the United States of America (NASA) Network Appliance (NetApp) Nippon Telephone and Telegraph (NTT) Oracle Pennsylvania State University Red Hat Stanford University TeamF1, Inc. The University of Alaska The University of Michigan The University of Pennsylvania Past and present members of the Kerberos Team at MIT: Danilo Almeida Jeffrey Altman Justin Anderson Richard Basch Mitch Berger Jay Berkenbilt Andrew Boardman Bill Bryant Steve Buckley Joe Calzaretta John Carr Mark Colan Don Davis Alexandra Ellwood Carlos Garay Dan Geer Nancy Gilman Matt Hancher Thomas Hardjono Sam Hartman Paul Hill Marc Horowitz Eva Jacobus Miroslav Jurisic Barry Jaspan Benjamin Kaduk Geoffrey King Kevin Koch John Kohl HaoQi Li Jonathan Lin Peter Litwack Scott McGuire Steve Miller Kevin Mitchell Cliff Neuman Paul Park Ezra Peisach Chris Provenzano Ken Raeburn Jon Rochlis Jeff Schiller Jen Selby Robert Silk Bill Sommerfeld Jennifer Steiner Ralph Swick Brad Thompson Harry Tsai Zhanna Tsitkova Ted Ts'o Marshall Vale Tom Yu The following external contributors have provided code, patches, bug reports, suggestions, and valuable resources: Ian Abbott Brandon Allbery Russell Allbery Brian Almeida Michael B Allen Heinz-Ado Arnolds Derek Atkins Mark Bannister David Bantz Alex Baule David Benjamin Adam Bernstein Arlene Berry Jeff Blaine Radoslav Bodo Sumit Bose Emmanuel Bouillon Michael Calmer Julien Chaffraix Ravi Channavajhala Srinivas Cheruku Leonardo Chiquitto Howard Chu Andrea Cirulli Christopher D. Clausen Kevin Coffman Simon Cooper Sylvain Cortes Nalin Dahyabhai Mark Davies Dennis Davis Alex Dehnert Mark Deneen Günther Deschner Roland Dowdeswell Viktor Dukhovni Jason Edgecombe Mark Eichin Shawn M. Emery Douglas E. Engert Peter Eriksson Juha Erkkilä Gilles Espinasse Ronni Feldt Bill Fellows JC Ferguson William Fiveash Ákos Frohner Sebastian Galiano Marcus Granado Scott Grizzard Helmut Grohne Steve Grubb Philip Guenther Dominic Hargreaves Robbie Harwood Jakob Haufe Matthieu Hautreux Paul B. Henson Jeff Hodges Christopher Hogan Love Hörnquist Åstrand Ken Hornstein Henry B. Hotz Luke Howard Jakub Hrozek Shumon Huque Jeffrey Hutzelman Wyllys Ingersoll Holger Isenberg Pavel Jindra Joel Johnson W. Trevor King Mikkel Kruse Reinhard Kugler Volker Lendecke Jan iankko Lieskovsky Oliver Loch Kevin Longfellow Nuno Lopes Ryan Lynch Nathaniel McCallum Greg McClement Cameron Meadors Alexey Melnikov Franklyn Mendez Markus Moeller Kyle Moffett Paul Moore Keiichi Mori Michael Morony Zbysek Mraz Edward Murrell Nikos Nikoleris Felipe Ortega Andrej Ota Dmitri Pal Javier Palacios Tom Parker Ezra Peisach W. Michael Petullo Mark Phalan Jonathan Reams Robert Relyea Martin Rex Jason Rogers Mike Roszkowski Guillaume Rousse Tom Shaw Jim Shi Peter Shoults Simo Sorce Michael Spang Michael Ströder Bjørn Tore Sund Joe Travaglini Rathor Vipin Jorgen Wahlsten Stef Walter Max (Weijun) Wang John Washington Stef Walter Xi Wang Kevin Wasserman Margaret Wasserman Marcus Watts Andreas Wiese Simon Wilkinson Nicolas Williams Ross Wilper Augustin Wolf Xu Qiang Nickolai Zeldovich Hanz van Zijst Gertjan Zwartjes The above is not an exhaustive list; many others have contributed in various ways to the MIT Kerberos development effort over the years. Other acknowledgments (for bug reports and patches) are in the doc/CHANGES file.