Kerberos Version 5, Release 1.16 Release Notes The MIT Kerberos Team Copyright and Other Notices --------------------------- Copyright (C) 1985-2019 by the Massachusetts Institute of Technology and its contributors. All rights reserved. Please see the file named NOTICE for additional notices. Documentation ------------- Unified documentation for Kerberos V5 is available in both HTML and PDF formats. The table of contents of the HTML format documentation is at doc/html/index.html, and the PDF format documentation is in the doc/pdf directory. Additionally, you may find copies of the HTML format documentation online at http://web.mit.edu/kerberos/krb5-latest/doc/ for the most recent supported release, or at http://web.mit.edu/kerberos/krb5-devel/doc/ for the release under development. More information about Kerberos may be found at http://web.mit.edu/kerberos/ and at the MIT Kerberos Consortium web site http://kerberos.org/ Building and Installing Kerberos 5 ---------------------------------- Build documentation is in doc/html/build/index.html or doc/pdf/build.pdf. The installation guide is in doc/html/admin/install.html or doc/pdf/install.pdf. If you are attempting to build under Windows, please see the src/windows/README file. Reporting Bugs -------------- Please report any problems/bugs/comments by sending email to krb5-bugs@mit.edu. You may view bug reports by visiting http://krbdev.mit.edu/rt/ and using the "Guest Login" button. Please note that the web interface to our bug database is read-only for guests, and the primary way to interact with our bug database is via email. DES transition -------------- The Data Encryption Standard (DES) is widely recognized as weak. The krb5-1.7 release contains measures to encourage sites to migrate away from using single-DES cryptosystems. Among these is a configuration variable that enables "weak" enctypes, which defaults to "false" beginning with krb5-1.8. Major changes in 1.16.4 (2019-12-11) ------------------------------------ This is a bug fix release. * Fix a bug preventing "addprinc -randkey -kvno" from working in kadmin. krb5-1.16.4 changes by ticket ID -------------------------------- 8783 memory leak via krb5_rc_none_close 8801 Fix some return code handling bugs 8824 Initialize life/rlife in kdcpolicy interface 8825 Don't skip past zero byte in profile parsing 8840 Accept GSS mechs which don't supply attributes 8841 Fix t_otp.py for pyrad 2.2 8846 Fix SPNEGO fallback context handling 8848 kadmin.local: ank -kvno parameter doesnt work 8850 Fix gss_set_sec_context_option() context creation 8852 Various gssalloc fixes Major changes in 1.16.3 (2019-01-07) ------------------------------------ This is a bug fix release. * Fix a regression in the MEMORY credential cache type which could cause client programs to crash. * MEMORY credential caches will not be listed in the global collection, with the exception of the default credential cache if it is of type MEMORY. * Remove an incorrect assertion in the KDC which could be used to cause a crash [CVE-2018-20217]. krb5-1.16.3 changes by ticket ID -------------------------------- 8720 Don't include all MEMORY ccaches in collection 8767 Remove incorrect KDC assertion 8768 Fix double-close in ksu get_authorized_princ_names 8771 Memory ccache regression in 1.15.4, 1.16.2 Major changes in 1.16.2 (2018-11-01) ------------------------------------ This is a bug fix release. * Fix bugs with concurrent use of MEMORY ccache handles. * Fix a KDC crash when falling back between multiple OTP tokens configured for a principal entry. * Fix memory bugs when gss_add_cred() is used to create a new credential, and fix a bug where it ignores the desired_name. * Fix the behavior of gss_inquire_cred_by_mech() when the credential does not contain an element of the requested mechanism. * Make cross-realm S4U2Self requests work on the client when no default_realm is configured. * Add a kerberos(7) man page containing documentation of the environment variables that affect Kerberos programs. krb5-1.16.2 changes by ticket ID -------------------------------- 8202 memory ccache cursors are invalidated by initialize 8677 Escape curly braces in def-check.pl regexes 8684 Fix option parsing on Windows 8704 Resource leak in read_secret_file() 8708 Incorrect error handling in OTP plugin 8716 Remove outdated note in krb5kdc man page 8725 Update many documentation links to https 8727 Check strdup return in kadm5_get_config_params() 8728 doc: kswitch manual "see also" subsection typo 8729 Memory leak in gss_add_cred() creation case 8731 Document that DESTDIR must be an absolute path 8733 Multiple pkinit_identities semantics are unclear and perhaps not useful 8734 gss_add_cred() aliases memory when creating extended cred 8736 Check mech cred in gss_inquire_cred_by_mech() 8737 gss_add_cred() ignores desired_name if creating a new credential 8741 S4U2Self client code fails with no default realm 8743 Fix incorrect TRACE usages to use {str} 8751 Fix up kdb5_util documentation 8754 Correct kpasswd_server description in krb5.conf(5) 8755 Bring back general kerberos man page 8759 Resource leak in kadm5_randkey_principal_3() Major changes in 1.16.1 (2018-05-03) ------------------------------------ This is a bug fix release. * Fix flaws in LDAP DN checking, including a null dereference KDC crash which could be triggered by kadmin clients with administrative privileges [CVE-2018-5729, CVE-2018-5730]. * Fix a KDC PKINIT memory leak. * Fix a small KDC memory leak on transited or authdata errors when processing TGS requests. * Fix a regression in pkinit_cert_match matching of client certificates containing Microsoft UPN SANs. * Fix a null dereference when the KDC sends a large TGS reply. * Fix "kdestroy -A" with the KCM credential cache type. * Allow validation of Microsoft PACs containing enterprise names. * Fix the handling of capaths "." values. * Fix handling of repeated subsection specifications in profile files (such as when multiple included files specify relations in the same subsection). krb5-1.16.1 changes by ticket ID -------------------------------- 7863 profile library mishandles duplicate subsections 8622 Point to kerberos.org/dist 8639 Always set appdefault_get() output argument 8640 krb5 build 8643 Fix flaws in LDAP DN checking 8644 Fix memory leak in KDC PKINIT code 8645 Fix KDC encrypting key memory leak on some errors 8646 Fix capaths "." values on client 8649 Allow validation of PACs with enterprise names 8658 kdestroy -A fails with KCM ccache type 8660 Document comments in krb5.conf 8666 KDC null dereference when TGS reply is too big for UDP 8669 Fix doubled "kadmind:" in kadmind fail_to_start() 8670 Regression in rule-based matching of PKINIT client certs with UPN SANs 8675 Set error message on KCM get_princ failure Major changes in 1.16 (2017-12-05) ---------------------------------- Administrator experience: * The KDC can match PKINIT client certificates against the "pkinit_cert_match" string attribute on the client principal entry, using the same syntax as the existing "pkinit_cert_match" profile option. * The ktutil addent command supports the "-k 0" option to ignore the key version, and the "-s" option to use a non-default salt string. * kpropd supports a --pid-file option to write a pid file at startup, when it is run in standalone mode. * The "encrypted_challenge_indicator" realm option can be used to attach an authentication indicator to tickets obtained using FAST encrypted challenge pre-authentication. * Localization support can be disabled at build time with the --disable-nls configure option. Developer experience: * The kdcpolicy pluggable interface allows modules control whether tickets are issued by the KDC. * The kadm5_auth pluggable interface allows modules to control whether kadmind grants access to a kadmin request. * The certauth pluggable interface allows modules to control which PKINIT client certificates can authenticate to which client principals. * KDB modules can use the client and KDC interface IP addresses to determine whether to allow an AS request. * GSS applications can query the bit strength of a krb5 GSS context using the GSS_C_SEC_CONTEXT_SASL_SSF OID with gss_inquire_sec_context_by_oid(). * GSS applications can query the impersonator name of a krb5 GSS credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with gss_inquire_cred_by_oid(). * kdcpreauth modules can query the KDC for the canonicalized requested client principal name, or match a principal name against the requested client principal name with canonicalization. Protocol evolution: * The client library will continue to try pre-authentication mechanisms after most failure conditions. * The KDC will issue trivially renewable tickets (where the renewable lifetime is equal to or less than the ticket lifetime) if requested by the client, to be friendlier to scripts. * The client library will use a random nonce for TGS requests instead of the current system time. * For the RC4 string-to-key or PAC operations, UTF-16 is supported (previously only UCS-2 was supported). * When matching PKINIT client certificates, UPN SANs will be matched correctly as UPNs, with canonicalization. User experience: * Dates after the year 2038 are accepted (provided that the platform time facilities support them), through the year 2106. * Automatic credential cache selection based on the client realm will take into account the fallback realm and the service hostname. * Referral and alternate cross-realm TGTs will not be cached, avoiding some scenarios where they can be added to the credential cache multiple times. * A German translation has been added. Code quality: * The build is warning-clean under clang with the configured warning options. * The automated test suite runs cleanly under AddressSanitizer. krb5-1.16 changes by ticket ID ------------------------------ 3349 Allow keytab entries to ignore the key version 7647 let ktutil support non-default salts 7877 Interleaved init_creds operations use same per-request preauth context 8352 Year 2038 fixes 8515 Add German translation 8517 Add KRB5_TRACE calls for DNS lookups 8518 Remove redeclaration of ttyname() in ksu 8526 Constify service and hostname in krb5_mk_req() 8527 Clean up memory handling in krb5_fwd_tgt_creds() 8528 Improve PKINIT UPN SAN matching 8529 Add OpenLDAP LDIF file for Kerberos schema 8533 Bug in src/tests/responder.c 8534 Add configure option to disable nls support 8537 Preauthentication should continue after failure 8539 Preauth tryagain should copy KDC cookie 8544 Wrong PKCS11 PIN can trigger PKINIT draft9 code 8548 Add OID to inquire GSS cred impersonator name 8549 Use fallback realm for GSSAPI ccache selection 8558 kvno memory leak (1.15.1) 8561 Add certauth pluggable interface 8562 Add the certauth dbmatch module 8568 Convert some pkiDebug messages to TRACE macros 8569 Add support to query the SSF of a GSS context 8570 Add the client_name() kdcpreauth callback 8571 Use the canonical client principal name for OTP 8572 Un-deprecate krb5_auth_con_initivector() 8575 Add FAST encrypted challenge auth indicator 8577 Replace UCS-2 conversions with UTF-16 8578 Add various bound checks 8579 duplicate caching of some cross-realm TGTs 8582 Use a random nonce in TGS requests 8583 Pass client address to DAL audit_as_req 8592 Parse all kadm5.acl fields at startup 8595 Pluggable interface for kadmin authorization 8597 acx_pthread.m4 needs to be updated 8602 Make ccache name work for klist/kdestroy -A 8603 Remove incomplete PKINIT OCSP support 8606 Add KDC policy pluggable interface 8607 kpropd should write a pidfile when started in standalone mode... 8608 Fix AIX build issues 8609 Renewed tickets can be marked renewable with no renewable endtime 8610 Don't set ctime in KDC error replies 8612 Bump bundled libverto for 0.3.0 release 8613 Add hostname-based ccselect module 8615 Abort client preauth on keyboard interrupt 8616 Fix default enctype order in docs 8617 PKINIT matching can crash for certs with long issuer and subject 8620 Length check when parsing GSS token encapsulation 8621 Expose context errors in pkinit_server_plugin_init 8623 Update features list for 1.16 8624 Update config.guess, config.sub Acknowledgements ---------------- Past Sponsors of the MIT Kerberos Consortium: Apple Carnegie Mellon University Centrify Corporation Columbia University Cornell University The Department of Defense of the United States of America (DoD) Fidelity Investments Google Iowa State University MIT Michigan State University Microsoft MITRE Corporation Morgan-Stanley The National Aeronautics and Space Administration of the United States of America (NASA) Network Appliance (NetApp) Nippon Telephone and Telegraph (NTT) US Government Office of the National Coordinator for Health Information Technology (ONC) Oracle Pennsylvania State University Red Hat Stanford University TeamF1, Inc. The University of Alaska The University of Michigan The University of Pennsylvania Past and present members of the Kerberos Team at MIT: Danilo Almeida Jeffrey Altman Justin Anderson Richard Basch Mitch Berger Jay Berkenbilt Andrew Boardman Bill Bryant Steve Buckley Joe Calzaretta John Carr Mark Colan Don Davis Sarah Day Alexandra Ellwood Carlos Garay Dan Geer Nancy Gilman Matt Hancher Thomas Hardjono Sam Hartman Paul Hill Marc Horowitz Eva Jacobus Miroslav Jurisic Barry Jaspan Benjamin Kaduk Geoffrey King Kevin Koch John Kohl HaoQi Li Jonathan Lin Peter Litwack Scott McGuire Steve Miller Kevin Mitchell Cliff Neuman Paul Park Ezra Peisach Chris Provenzano Ken Raeburn Jon Rochlis Jeff Schiller Jen Selby Robert Silk Bill Sommerfeld Jennifer Steiner Ralph Swick Brad Thompson Harry Tsai Zhanna Tsitkova Ted Ts'o Marshall Vale Taylor Yu The following external contributors have provided code, patches, bug reports, suggestions, and valuable resources: Ian Abbott Brandon Allbery Russell Allbery Brian Almeida Michael B Allen Pooja Anil Heinz-Ado Arnolds Derek Atkins Mark Bannister David Bantz Alex Baule David Benjamin Thomas Bernard Adam Bernstein Arlene Berry Jeff Blaine Radoslav Bodo Sumit Bose Emmanuel Bouillon Isaac Boukris Philip Brown Samuel Cabrero Michael Calmer Andrea Campi Julien Chaffraix Ravi Channavajhala Srinivas Cheruku Leonardo Chiquitto Seemant Choudhary Howard Chu Andrea Cirulli Christopher D. Clausen Kevin Coffman Simon Cooper Sylvain Cortes Ian Crowther Arran Cudbard-Bell Jeff D'Angelo Nalin Dahyabhai Mark Davies Dennis Davis Alex Dehnert Mark Deneen Günther Deschner John Devitofranceschi Marc Dionne Roland Dowdeswell Dorian Ducournau Viktor Dukhovni Jason Edgecombe Mark Eichin Shawn M. Emery Douglas E. Engert Peter Eriksson Juha Erkkilä Gilles Espinasse Ronni Feldt Bill Fellows JC Ferguson Remi Ferrand Paul Fertser Fabiano Fidêncio William Fiveash Jacques Florent Ákos Frohner Sebastian Galiano Marcus Granado Scott Grizzard Helmut Grohne Steve Grubb Philip Guenther Dominic Hargreaves Robbie Harwood John Hascall Jakob Haufe Matthieu Hautreux Jochen Hein Paul B. Henson Jeff Hodges Christopher Hogan Love Hörnquist Åstrand Ken Hornstein Henry B. Hotz Luke Howard Jakub Hrozek Shumon Huque Jeffrey Hutzelman Wyllys Ingersoll Holger Isenberg Spencer Jackson Diogenes S. Jesus Pavel Jindra Brian Johannesmeyer Joel Johnson Lutz Justen Alexander Karaivanov Anders Kaseorg Bar Katz Zentaro Kavanagh Mubashir Kazia W. Trevor King Patrik Kis Martin Kittel Mikkel Kruse Reinhard Kugler Tomas Kuthan Pierre Labastie Andreas Ladanyi Chris Leick Volker Lendecke Jan iankko Lieskovsky Todd Lipcon Oliver Loch Chris Long Kevin Longfellow Frank Lonigro Jon Looney Nuno Lopes Ryan Lynch Roland Mainz Sorin Manolache Andrei Maslennikov Michael Mattioli Andreas Maus Nathaniel McCallum Greg McClement Cameron Meadors Alexey Melnikov Franklyn Mendez Markus Moeller Kyle Moffett Paul Moore Keiichi Mori Michael Morony Zbysek Mraz Edward Murrell Nikos Nikoleris Felipe Ortega Michael Osipov Andrej Ota Dmitri Pal Javier Palacios Tom Parker Ezra Peisach Zoran Pericic W. Michael Petullo Mark Phalan Sharwan Ram Brett Randall Jonathan Reams Jonathan Reed Robert Relyea Tony Reix Martin Rex Jason Rogers Matt Rogers Nate Rosenblum Solly Ross Mike Roszkowski Guillaume Rousse Joshua Schaeffer Andreas Schneider Tom Shaw Jim Shi Peter Shoults Richard Silverman Cel Skeggs Simo Sorce Michael Spang Michael Ströder Bjørn Tore Sund Joe Travaglini Tim Uglow Rathor Vipin Denis Vlasenko Jorgen Wahlsten Stef Walter Max (Weijun) Wang John Washington Stef Walter Xi Wang Nehal J Wani Kevin Wasserman Margaret Wasserman Marcus Watts Andreas Wiese Simon Wilkinson Nicolas Williams Ross Wilper Augustin Wolf David Woodhouse Tsu-Phong Wu Xu Qiang Neng Xue Zhaomo Yang Nickolai Zeldovich Bean Zhang Hanz van Zijst Gertjan Zwartjes The above is not an exhaustive list; many others have contributed in various ways to the MIT Kerberos development effort over the years. Other acknowledgments (for bug reports and patches) are in the doc/CHANGES file.