Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

historical git-svn mirror of MIT krb5 anonsvn repository

branch: tags/krb5-1-9-…

This branch is 34 commits ahead and 1049 commits behind master

Fetching latest commit…

Cannot retrieve the latest commit at this time

README
                   Kerberos Version 5, Release 1.9

                            Release Notes
                        The MIT Kerberos Team

Copyright and Other Notices
---------------------------

Copyright (C) 1985-2010 by the Massachusetts Institute of Technology
and its contributors.  All rights reserved.

Please see the file named NOTICE for additional notices.

Building and Installing Kerberos 5
----------------------------------

The first file you should look at is doc/install-guide.ps; it contains
the notes for building and installing Kerberos 5.  The info file
krb5-install.info has the same information in info file format.  You
can view this using the GNU emacs info-mode, or by using the
standalone info file viewer from the Free Software Foundation.  This
is also available as an HTML file, install.html.

Other good files to look at are admin-guide.ps and user-guide.ps,
which contain the system administrator's guide, and the user's guide,
respectively.  They are also available as info files
kerberos-admin.info and krb5-user.info, respectively.  These files are
also available as HTML files.

If you are attempting to build under Windows, please see the
src/windows/README file.

Reporting Bugs
--------------

Please report any problems/bugs/comments using the krb5-send-pr
program.  The krb5-send-pr program will be installed in the sbin
directory once you have successfully compiled and installed Kerberos
V5 (or if you have installed one of our binary distributions).

If you are not able to use krb5-send-pr because you haven't been able
compile and install Kerberos V5 on any platform, you may send mail to
krb5-bugs@mit.edu.

You may view bug reports by visiting

http://krbdev.mit.edu/rt/

and logging in as "guest" with password "guest".

DES transition
--------------

The Data Encryption Standard (DES) is widely recognized as weak.  The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems.  Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.

Major changes in 1.9
--------------------

Code quality:

* Python-based testing framework
* DAL cleanup

Developer experience:

* NSS crypto back end
* PRNG modularity
* Fortuna-like PRNG

Performance:

* Account lockout performance improvements

Administrator experience:

* Trace logging
* Plugin interface for password sync
* Plugin interface for password quality checks
* Configuration file validator
* KDC support for SecurID preauthentication

Protocol evolution:

* IAKERB
* Camellia encryption (experimental; disabled by default)

krb5-1.9 changes by ticket ID
-----------------------------

1219    mechanism to delete old keys should exist
2032    No advanced warning of password expiry
5014    kadmin (and other utilities) should report enctypes as it takes them
6647    Memory leak in kdc
6672    Python test framework
6679    Lazy history key creation
6684    Simple kinit verbosity patch
6686    IPv6 support for kprop and kpropd
6688    mit-krb5-1.7 fails to compile against openssl-1.0.0
6699    Validate and renew should work on non-TGT creds
6700    Introduce new krb5_tkt_creds API
6712    Add IAKERB mechanism and gss_acquire_cred_with_password
6714    [patch] fix format errors in krb5-1.8.1
6715    cksum_body exports
6719    Add lockout-related performance tuning variables
6720    Negative enctypes improperly read from keytabs
6723    Negative enctypes improperly read from ccaches
6733    Make signedpath authdata visible via GSS naming exts
6736    Add krb5_enctype_to_name() API
6737    Trace logging
6746    Make kadmin work over IPv6
6749    DAL improvements
6753    Fix XDR decoding of large values in xdr_u_int
6755    Add GIC option for password/account expiration callback
6758    Allow krb5_gss_register_acceptor_identity to unset keytab name
6760    Fail properly when profile can't be accessed
6761    add profile include support
6762    key expiration computed incorrectly in libkdb_ldap
6763    New plugin infrastructure
6765    Password quality pluggable interface
6769    clean up memory leak and potential unused variable in crypto tests
6771    Fix memory leaks in kdb5_verify
6772    Ensure valid key in krb5int_yarrow_cipher_encrypt_block
6774    pkinit client cert matching can be disrupted by one of the
        candidate certs
6775    pkinit <KU> evaluation during certificate matching may fail
6776    Typos in src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
6777    Segmentation fault in krb library (sn2princ.c) if realm not resolved
6778    kdb: store mkey list in context and permit NULL mkey for
        kdb_dbe_decrypt_key_data
6779    kinit: add KDB keytab support
6783    KDC worker processes feature
6784    relicense Sun RPC to 3-clause BSD-style
6785    Add gss_krb5_import_cred
6786    kpasswd: if a credential cache is present, use FAST
6787    S4U memory leak
6791    kadm5_hook: new plugin interface
6792    Implement k5login_directory and k5login_authoritative options
6793    acquire_init_cred leaks interned name
6795    Propagate modprinc -unlock from master to slave KDCs
6796    segfault due to uninitialized variable in S4U
6799    Performance issue in LDAP policy fetch
6801    Fix leaks in get_init_creds interface
6802    copyright notice updates
6804    Remove KDC replay cache
6805    securID code fixes
6806    securID error handling fix
6807    SecurID build support
6809    gss_krb5int_make_seal_token_v3_iov fails to set conf_state
6810    Better  libk5crypto NSS fork safety
6811    Mark Camellia-CCM code as experimental
6812    krb5_get_credentials should not fail due to inability to store
        a credential in a cache
6815    Failed kdb5_util load removes real database
6819    Handle referral realm in kprop client principal
6820    Read KDC profile settings in kpropd
6822    Implement Camellia-CTS-CMAC instead of Camellia-CCM
6823    getdate.y: declare yyparse
6824    Export krb5_tkt_creds_get
6825    Add missing KRB5_CALLCONV in callback declaration
6826    Fix Windows build
6827    SA-2010-007 Checksum vulnerabilities (CVE-2010-1324 and others)
6828    Install kadm5_hook_plugin.h
6829    Implement restrict_anonymous_to_tgt realm flag

Acknowledgements
----------------

Past and present Sponsors of the MIT Kerberos Consortium:

    Apple
    Carnegie Mellon University
    Centrify Corporation
    Columbia University
    Cornell University
    The Department of Defense of the United States of America (DoD)
    Google
    Iowa State University
    MIT
    Michigan State University
    Microsoft
    The National Aeronautics and Space Administration
        of the United States of America (NASA)
    Network Appliance (NetApp)
    Nippon Telephone and Telegraph (NTT)
    Oracle
    Pennsylvania State University
    Red Hat
    Stanford University
    TeamF1, Inc.
    The University of Alaska
    The University of Michigan
    The University of Pennsylvania

Past and present members of the Kerberos Team at MIT:

    Danilo Almeida
    Jeffrey Altman
    Justin Anderson
    Richard Basch
    Mitch Berger
    Jay Berkenbilt
    Andrew Boardman
    Bill Bryant
    Steve Buckley
    Joe Calzaretta
    John Carr
    Mark Colan
    Don Davis
    Alexandra Ellwood
    Dan Geer
    Nancy Gilman
    Matt Hancher
    Thomas Hardjono
    Sam Hartman
    Paul Hill
    Marc Horowitz
    Eva Jacobus
    Miroslav Jurisic
    Barry Jaspan
    Geoffrey King
    Kevin Koch
    John Kohl
    HaoQi Li
    Peter Litwack
    Scott McGuire
    Steve Miller
    Kevin Mitchell
    Cliff Neuman
    Paul Park
    Ezra Peisach
    Chris Provenzano
    Ken Raeburn
    Jon Rochlis
    Jeff Schiller
    Jen Selby
    Robert Silk
    Bill Sommerfeld
    Jennifer Steiner
    Ralph Swick
    Brad Thompson
    Harry Tsai
    Zhanna Tsitkova
    Ted Ts'o
    Marshall Vale
    Tom Yu

The following external contributors have provided code, patches, bug
reports, suggestions, and valuable resources:

    Brandon Allbery
    Russell Allbery
    Brian Almeida
    Michael B Allen
    Derek Atkins
    David Bantz
    Alex Baule
    Arlene Berry
    Jeff Blaine
    Radoslav Bodo
    Emmanuel Bouillon
    Michael Calmer
    Ravi Channavajhala
    Srinivas Cheruku
    Leonardo Chiquitto
    Howard Chu
    Andrea Cirulli
    Christopher D. Clausen
    Kevin Coffman
    Simon Cooper
    Sylvain Cortes
    Nalin Dahyabhai
    Roland Dowdeswell
    Jason Edgecombe
    Mark Eichin
    Shawn M. Emery
    Douglas E. Engert
    Peter Eriksson
    Ronni Feldt
    Bill Fellows
    JC Ferguson
    William Fiveash
    Ákos Frohner
    Marcus Granado
    Scott Grizzard
    Steve Grubb
    Philip Guenther
    Dominic Hargreaves
    Jakob Haufe
    Jeff Hodges
    Love Hörnquist Åstrand
    Ken Hornstein
    Henry B. Hotz
    Luke Howard
    Jakub Hrozek
    Shumon Huque
    Jeffrey Hutzelman
    Wyllys Ingersoll
    Holger Isenberg
    Pavel Jindra
    Joel Johnson
    Mikkel Kruse
    Volker Lendecke
    Jan iankko Lieskovsky
    Ryan Lynch
    Franklyn Mendez
    Markus Moeller
    Paul Moore
    Zbysek Mraz
    Edward Murrell
    Nikos Nikoleris
    Dmitri Pal
    Javier Palacios
    Ezra Peisach
    W. Michael Petullo
    Mark Phalan
    Robert Relyea
    Martin Rex
    Jason Rogers
    Mike Roszkowski
    Guillaume Rousse
    Tom Shaw
    Peter Shoults
    Simo Sorce
    Michael Ströder
    Bjørn Tore Sund
    Rathor Vipin
    Jorgen Wahlsten
    Max (Weijun) Wang
    John Washington
    Marcus Watts
    Simon Wilkinson
    Nicolas Williams
    Ross Wilper
    Xu Qiang
    Hanz van Zijst

The above is not an exhaustive list; many others have contributed in
various ways to the MIT Kerberos development effort over the years.
Other acknowledgments (for bug reports and patches) are in the
doc/CHANGES file.
Something went wrong with that request. Please try again.