Kerberos Version 5, Release 1.12 Release Notes The MIT Kerberos Team Copyright and Other Notices --------------------------- Copyright (C) 1985-2013 by the Massachusetts Institute of Technology and its contributors. All rights reserved. Please see the file named NOTICE for additional notices. Documentation ------------- Unified documentation for Kerberos V5 is available in both HTML and PDF formats. The table of contents of the HTML format documentation is at doc/html/index.html, and the PDF format documentation is in the doc/pdf directory. Additionally, you may find copies of the HTML format documentation online at http://web.mit.edu/kerberos/krb5-latest/doc/ for the most recent supported release, or at http://web.mit.edu/kerberos/krb5-devel/doc/ for the release under development. More information about Kerberos may be found at http://web.mit.edu/kerberos/ and at the MIT Kerberos Consortium web site http://kerberos.org/ Building and Installing Kerberos 5 ---------------------------------- Build documentation is in doc/html/build/index.html or doc/pdf/build.pdf. The installation guide is in doc/html/admin/install.html or doc/pdf/install.pdf. If you are attempting to build under Windows, please see the src/windows/README file. Reporting Bugs -------------- Please report any problems/bugs/comments using the krb5-send-pr program. The krb5-send-pr program will be installed in the sbin directory once you have successfully compiled and installed Kerberos V5 (or if you have installed one of our binary distributions). If you are not able to use krb5-send-pr because you haven't been able compile and install Kerberos V5 on any platform, you may send mail to krb5-bugs@mit.edu. You may view bug reports by visiting http://krbdev.mit.edu/rt/ and logging in as "guest" with password "guest". DES transition -------------- The Data Encryption Standard (DES) is widely recognized as weak. The krb5-1.7 release contains measures to encourage sites to migrate away from using single-DES cryptosystems. Among these is a configuration variable that enables "weak" enctypes, which defaults to "false" beginning with krb5-1.8. Major changes in 1.12 (2013-12-10) ---------------------------------- Developer experience: * Add a plugin interface to control krb5_aname_to_localname and krb5_kuserok behavior. * Add a plugin interface to control hostname-to-realm mappings and the default realm. * Add GSSAPI extensions for constructing MIC tokens using IOV lists. Administrator experience: * Principal entries may now refer to the names of policies which do not exist as policy objects in the database. Policy objects may now be deleted whether or not principals reference their names. A principal which references a nonexistent policy name will behave as if it does not reference a policy. * Add support for having no long-term keys for a principal. This can be useful if the principal is only intended to be used with PKINIT or OTP preauthentication. * Add collection support to the KEYRING credential cache type on Linux, and add support for persistent user keyrings and larger credentials on systems which support them. * Add a FAST OTP preauthentication module for the KDC which uses RADIUS to validate OTP token values. * Add an experimental pluggable interface for auditing KDC processing. This interface may change in a backwards-incompatible way in a future release. Performance: * The AES-based encryption types will use AES-NI instructions when possible for improved performance. krb5-1.12 changes by ticket ID ------------------------------ 1445 GSSAPI can fail to generate error in GSS_C_NO_CREDENTIAL case 1539 tests should test getting renewable tickets 2602 Don't reject renewable of non-renewable tickets 3206 gss_acquire_cred with GSS_C_BOTH or GSS_C_INITIATE should work with keytab creds 6429 KDC prefers built-in preauth to plugins 6507 kdb5_util update_princ_encryption uses latest mkey instead of active mkey 6948 Funny klist output if you try to get credentials right when a ticket expires 7172 Credential collection doesn't include DIR subsidiary default cache 7296 issues in handling special characters in KDC ldap plugin code 7385 Policy deletion should not rely on refcounts 7465 minimum iteration count for PBKDF2 7511 Fix minor int overflow and null pointer problems 7517 Pass through module errors when preauthenticating 7518 Delete timestamp_to_sfstring sprintf fallback 7520 Make kproplog consistently treat ulog as a circular buffer 7522 Propagate policy changes over iprop via full dump 7524 Fix gss_str_to_oid and gss_oid_to_str edge cases 7529 Install pkg-config data files 7535 Stop loading policy for pw_expiration in LDAP 7550 Fix iprop log reinitialization 7551 Add LDAP debug DB option 7552 Remove ulog_check(); the ulog is not a DB journal 7555 Don't squash name type for cross TGT requests 7556 Fix COPY_FIRST_CANONNAME hostent search 7564 Remove -b6 and -old dump formats 7565 Desupport krb5_auth_con_setivector 7583 Add localauth pluggable interface 7584 krb5_free_ktypes() needs a prototype in krb5.h 7585 t_oid.o not deleted when make clean run 7589 Add support for k5srvutil -e keysalts 7590 PKINIT needs to use the prompter callback for PEM files 7598 Add support for client keytab from cred store 7599 Add krb5_kt_dup API and use it in two places 7603 Allow numeric addresses as service hostnames 7604 Dynamically expand timeout when TCP connects 7608 improve kadmin manpage "-e" description 7620 libgssrpc is missing from krb5-config and pkg-config 7625 Don't use "bool" for ASN.1 boolean macros 7628 Fix link line for t_fortuna when built with openssl 7629 src/util/support/plugins.c dependencies 7630 Make AS requests work with no client keys 7631 No-effect statement in builtin crypto 7632 LDAP password file errors not helpful enough 7634 Fix crypto openssl hmac warning 7635 Add test case for CVE-2013-1416 7636 kinit checks for "KDB" keytab prefix, not "KDB:" 7642 Can't get initial creds with empty password via API 7643 Fix rc4 string-to-key on unterminated inputs 7645 Add AES-NI support on x86/x64 platforms 7648 Change message macro for configure selection 7651 Link dbtest with libkrb5support 7652 Fix warnings in dbtest.c 7656 Fix spurious clock skew caused by preauth delay 7657 Use KDC clock skew for AS-REQ timestamps 7661 Refactor KDC renewable ticket handling 7662 Assertion `password->length >0' failed 7663 FAST options bit ordering is backwards 7665 Provide plugin module ordering guarantees 7673 Use better URL for kerberos documentation (in KfW) 7678 Add libkrad 7679 Add kadmin support for principals without keys 7680 Add PKINIT responder support 7681 Allow self-service for kadmin purgekeys RPC 7682 Mechglue dynamic initialization functions miss some functions 7683 Update config.guess and config.sub 7684 Don't reopen the KDB in update_princ_encryption 7685 kadmind caches master key activation times 7686 Master key rollover mishandles databases created prior to 1.7 7687 Add hostrealm pluggable interface definition 7688 Fix gss_krb5_set_allowable_enctypes for acceptor 7689 kinit can create duplicate ccache in collection with default principal 7690 Remove redundant domain_realm mappings 7691 Remove KRB5_DNS_LOOKUP_KDC 7692 Save the full residual for keyring caches 7693 Add a note about how to apply/remove policies 7695 krb5-1.11.3/1.10.6 - full resync may fail and still result in ulog being updated 7697 Omit signedpath if no_auth_data_required is set 7698 Service principal aliases broken in 1.11 KDC 7699 Make it possible to renew aliased service tickets 7700 Support FAST hide-client-names option 7701 Fix FAST critical option bit checking 7703 Add a flag to prevent all host canonicalization 7705 Add GSSAPI IOV MIC functions 7706 Export/Import creds breaks with delegated credentials 7709 Wrong order in kdc_check_transited_list() 7711 Add collection support for KEYRING ccache type 7712 KDC Audit infrastructure and plugin implementation 7713 Fix audit test module initialization 7715 Change KRB5KDC_ERR_NO_ACCEPTABLE_KDF to 100 7718 Use protocol error for PKINIT cert expiry 7719 Discuss cert expiry, no-key princs in PKINIT docs 7722 Add missing entries to tests/gssapi Makefile.in 7730 Fix typos in kdb5_util master key command outputs 7732 Document master key rollover 7733 afs3 salt contaminates later enctypes in the list at key generation time 7738 Fix decoding of mkey kvno in mkey_aux tl-data 7739 Improve LDAP KDB initialization error messages 7740 Accept anonymous GSS names in kadmind 7741 Use correct default principal for kadmin -n 7751 Clarify kpropd standalone mode documentation 7755 Multi-realm KDC null deref [CVE-2013-1418] 7759 Clarify realm and dbmodules configuration docs 7764 Catch more strtol() failures when using KEYRINGs 7768 Add support to store time offsets in cc_keyring 7769 Set expiration time on keys and keyrings 7770 kadmind does not log IPv6 requests properly 7771 Remove dangling --with-kdc-kdb-update references 7773 Clarify lockout replication issues in docs 7774 Correct kadm5.acl back-reference documentation 7775 Improve default ccache name API documentation 7776 Added a new ccache doc to "Kerberos V5 concepts" 7777 krb5-admin doc update: `kdb5_util dump` default format is now "krb5_util load_dump version 7" 7785 Fix error message quotations in install_kdc.rst Acknowledgements ---------------- Past and present Sponsors of the MIT Kerberos Consortium: Apple Carnegie Mellon University Centrify Corporation Columbia University Cornell University The Department of Defense of the United States of America (DoD) Fidelity Investments Google Iowa State University MIT Michigan State University Microsoft The National Aeronautics and Space Administration of the United States of America (NASA) Network Appliance (NetApp) Nippon Telephone and Telegraph (NTT) Oracle Pennsylvania State University Red Hat Stanford University TeamF1, Inc. The University of Alaska The University of Michigan The University of Pennsylvania Past and present members of the Kerberos Team at MIT: Danilo Almeida Jeffrey Altman Justin Anderson Richard Basch Mitch Berger Jay Berkenbilt Andrew Boardman Bill Bryant Steve Buckley Joe Calzaretta John Carr Mark Colan Don Davis Alexandra Ellwood Carlos Garay Dan Geer Nancy Gilman Matt Hancher Thomas Hardjono Sam Hartman Paul Hill Marc Horowitz Eva Jacobus Miroslav Jurisic Barry Jaspan Benjamin Kaduk Geoffrey King Kevin Koch John Kohl HaoQi Li Jonathan Lin Peter Litwack Scott McGuire Steve Miller Kevin Mitchell Cliff Neuman Paul Park Ezra Peisach Chris Provenzano Ken Raeburn Jon Rochlis Jeff Schiller Jen Selby Robert Silk Bill Sommerfeld Jennifer Steiner Ralph Swick Brad Thompson Harry Tsai Zhanna Tsitkova Ted Ts'o Marshall Vale Tom Yu The following external contributors have provided code, patches, bug reports, suggestions, and valuable resources: Ian Abbott Brandon Allbery Russell Allbery Brian Almeida Michael B Allen Heinz-Ado Arnolds Derek Atkins Mark Bannister David Bantz Alex Baule David Benjamin Adam Bernstein Arlene Berry Jeff Blaine Radoslav Bodo Sumit Bose Emmanuel Bouillon Michael Calmer Julien Chaffraix Ravi Channavajhala Srinivas Cheruku Leonardo Chiquitto Howard Chu Andrea Cirulli Christopher D. Clausen Kevin Coffman Simon Cooper Sylvain Cortes Jeff D'Angelo Nalin Dahyabhai Mark Davies Dennis Davis Alex Dehnert Mark Deneen Günther Deschner Roland Dowdeswell Viktor Dukhovni Jason Edgecombe Mark Eichin Shawn M. Emery Douglas E. Engert Peter Eriksson Juha Erkkilä Gilles Espinasse Ronni Feldt Bill Fellows JC Ferguson William Fiveash Ákos Frohner Sebastian Galiano Marcus Granado Scott Grizzard Helmut Grohne Steve Grubb Philip Guenther Dominic Hargreaves Robbie Harwood Jakob Haufe Matthieu Hautreux Paul B. Henson Jeff Hodges Christopher Hogan Love Hörnquist Åstrand Ken Hornstein Henry B. Hotz Luke Howard Jakub Hrozek Shumon Huque Jeffrey Hutzelman Wyllys Ingersoll Holger Isenberg Pavel Jindra Joel Johnson W. Trevor King Mikkel Kruse Reinhard Kugler Volker Lendecke Jan iankko Lieskovsky Oliver Loch Kevin Longfellow Nuno Lopes Ryan Lynch Nathaniel McCallum Greg McClement Cameron Meadors Alexey Melnikov Franklyn Mendez Markus Moeller Kyle Moffett Paul Moore Keiichi Mori Michael Morony Zbysek Mraz Edward Murrell Nikos Nikoleris Felipe Ortega Andrej Ota Dmitri Pal Javier Palacios Tom Parker Ezra Peisach W. Michael Petullo Mark Phalan Jonathan Reams Robert Relyea Martin Rex Jason Rogers Mike Roszkowski Guillaume Rousse Tom Shaw Jim Shi Peter Shoults Simo Sorce Michael Spang Michael Ströder Bjørn Tore Sund Joe Travaglini Rathor Vipin Jorgen Wahlsten Stef Walter Max (Weijun) Wang John Washington Stef Walter Xi Wang Kevin Wasserman Margaret Wasserman Marcus Watts Andreas Wiese Simon Wilkinson Nicolas Williams Ross Wilper Augustin Wolf Xu Qiang Nickolai Zeldovich Hanz van Zijst Gertjan Zwartjes The above is not an exhaustive list; many others have contributed in various ways to the MIT Kerberos development effort over the years. Other acknowledgments (for bug reports and patches) are in the doc/CHANGES file.